Snort Keeps Stopping - Logs attached
I've recently acquired a WatchGuard X550e running pfsense 2.3.2. I am new to pfsense and am still learning as I go. Everything thus far has worked great and I installed Snort yesterday, following a guide on this forum on setting it up. I've got a paid sub for the VRT's and have it set up what I thought was well but this little issue keeps occuring.
I've been watching the system log files for the past 24 hours and have noticed snort has stopped working twice which has required me to manually restart it.
The first time it went down the following was present in my logs:
Jan 4 19:18:12 oon.localdomain nginx: 2017/01/04 19:18:12 [error] 23081#100097: send() failed (54: Connection reset by peer) Jan 4 19:17:44 check_reload_status Syncing firewall Jan 4 19:17:15 kernel sk0: promiscuous mode disabled Jan 4 19:17:15 kernel pid 9004 (snort), uid 0: exited on signal 11 Jan 4 19:17:15 check_reload_status Syncing firewall
I then restarted it:
Jan 4 20:42:53 php-fpm 81844 /snort/snort_interfaces.php: [Snort] Snort START for WAN(sk0)... Jan 4 20:42:53 php-fpm 81844 /snort/snort_interfaces.php: Starting Snort on WAN(sk0) per user request... Jan 4 20:42:49 php-fpm 81844 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN... Jan 4 20:42:47 php-fpm 81844 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN... Jan 4 20:42:30 php-fpm 81844 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
The second time it went down (just a little while ago) the following is present:
Jan 5 07:58:45 php-fpm 32579 /snort/snort_alerts.php: The command '/bin/pkill -HUP -F /var/run/snort_sk014792.pid -a' returned exit code '1', the output was '' Jan 5 07:58:23 kernel sk0: promiscuous mode disabled Jan 5 07:58:23 kernel pid 40124 (snort), uid 0: exited on signal 11 Jan 5 07:58:22 check_reload_status Syncing firewall
I do note the Syncing firewall there precluding Snort going down - Syncing firewall is present in the logs numerous times and snort hasn't gone down when that appears.
Could someone help me out here as I am not sure where to go next with addressing this.
It happens to me as well. I just use service watchdog package to keep the service on automated restart in case it stops after the nightly updates.