Snort failing to restart after rules update - manual restart works fine
-
Running Snort 3.2.9.1_14 on pfSense 2.3.2. 3-4 times a week when SNORT updates the rules overnight, the two interfaces fail to restart. System logs do not show any attempt to restart the interfaces. When I log in, I can manually start the interfaces without issue. I don't see any log in the System log that a start was generated on the interface. Only items in System log from last night:
Oct 31 00:05:15 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…
Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date…
Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Oct 31 00:05:18 check_reload_status Syncing firewall
But when I manually started the interface, no issue:
Oct 31 09:48:42 php-fpm 96951 /index.php: Successful login for user 'admin' from: 192.168.1.103
Oct 31 09:49:00 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
Oct 31 09:49:17 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
Oct 31 09:49:19 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for LAN…
Oct 31 09:49:26 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Oct 31 09:49:43 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Oct 31 09:49:45 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
Oct 31 09:49:52 php-fpm 9467 /snort/snort_interfaces.php: Starting Snort on LAN(em2) per user request...
Oct 31 09:49:52 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Snort START for LAN(em2)…
Oct 31 09:51:48 kernel em2: promiscuous mode enabled
Any idea as to why SNORT is not starting or attempting to start the interface after the update?
-
I am also having this problem. Anyone with any light to shed?
-
Is your memory setting set to AC-BNFA-NQ?
-
Currently the algorithm is set to AC-BNFA. I tried to run it on ACS, but it basically maxed out the RAM and made the interface very unusable. It's running on 2.3.2 on a quad-core Celeron with 4GB RAM.