Snort Keeps Stopping - Logs attached



  • Hi there,

    I've recently acquired a WatchGuard X550e running pfsense 2.3.2.  I am new to pfsense and am still learning as I go.  Everything thus far has worked great and I installed Snort yesterday, following a guide on this forum on setting it up.  I've got a paid sub for the VRT's and have it set up what I thought was well but this little issue keeps occurring.

    I've been watching the system log files for the past 24 hours and have noticed snort has stopped working twice which has required me to manually restart it.

    The first time it went down the following was present in my logs:

    Jan 4 19:18:12 	oon.localdomain 		nginx: 2017/01/04 19:18:12 [error] 23081#100097: send() failed (54: Connection reset by peer)
    Jan 4 19:17:44 	check_reload_status 		Syncing firewall
    Jan 4 19:17:15 	kernel 		sk0: promiscuous mode disabled
    Jan 4 19:17:15 	kernel 		pid 9004 (snort), uid 0: exited on signal 11
    Jan 4 19:17:15 	check_reload_status 		Syncing firewall 
    

    I then restarted it:

    Jan 4 20:42:53 	php-fpm 	81844 	/snort/snort_interfaces.php: [Snort] Snort START for WAN(sk0)...
    Jan 4 20:42:53 	php-fpm 	81844 	/snort/snort_interfaces.php: Starting Snort on WAN(sk0) per user request...
    Jan 4 20:42:49 	php-fpm 	81844 	/snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
    Jan 4 20:42:47 	php-fpm 	81844 	/snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jan 4 20:42:30 	php-fpm 	81844 	/snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ... 
    

    The second time it went down (just a little while ago) the following is present:

    Jan 5 07:58:45 	php-fpm 	32579 	/snort/snort_alerts.php: The command '/bin/pkill -HUP -F /var/run/snort_sk014792.pid -a' returned exit code '1', the output was ''
    Jan 5 07:58:23 	kernel 		sk0: promiscuous mode disabled
    Jan 5 07:58:23 	kernel 		pid 40124 (snort), uid 0: exited on signal 11
    Jan 5 07:58:22 	check_reload_status 		Syncing firewall 
    

    I do note the Syncing firewall there precluding Snort going down - Syncing firewall is present in the logs numerous times and snort hasn't gone down when that appears.

    Could someone help me out here as I am not sure where to go next with addressing this.

    Thank you!

    Tom
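
An added example, not part of the original post: a small Python script that pulls the snort "exited on signal 11" events out of a pasted pfSense system log and counts how many "Syncing firewall" entries were and were not followed by a crash. The year, the 5-second window, and the function names are assumptions, and one sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the post, newest first as the pfSense GUI
# lists them, plus one made-up "Syncing firewall" at 03:10:00 with no crash near it.
SAMPLE = """\
Jan 5 07:58:23 \tkernel \t\tsk0: promiscuous mode disabled
Jan 5 07:58:23 \tkernel \t\tpid 40124 (snort), uid 0: exited on signal 11
Jan 5 07:58:22 \tcheck_reload_status \t\tSyncing firewall
Jan 5 03:10:00 \tcheck_reload_status \t\tSyncing firewall
Jan 4 19:17:44 \tcheck_reload_status \t\tSyncing firewall
Jan 4 19:17:15 \tkernel \t\tpid 9004 (snort), uid 0: exited on signal 11
Jan 4 19:17:15 \tcheck_reload_status \t\tSyncing firewall
"""

LINE = re.compile(r"^\s*(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
# Signal 11 is SIGSEGV on FreeBSD, i.e. the snort process crashed.
CRASH = re.compile(r"pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")

def parse(text, year=2017):
    """Return (timestamp, process, message) tuples, oldest first.
    The log lines carry no year, so `year` is an assumption."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            mon, day, clock, proc, msg = m.groups()
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            events.append((ts, proc, msg.strip()))
    return sorted(events, key=lambda e: e[0])

def correlate(events, window=timedelta(seconds=5)):
    """List snort crashes and count syncs that had a crash within `window` after them.
    Timestamps have one-second resolution, so same-second events count as 'after'."""
    syncs = [ts for ts, _, msg in events if msg.startswith("Syncing firewall")]
    crashes = []
    for ts, proc, msg in events:
        m = CRASH.search(msg)
        if proc == "kernel" and m:
            near = any(timedelta(0) <= ts - s <= window for s in syncs)
            crashes.append({"time": ts, "pid": int(m.group(1)),
                            "signal": int(m.group(2)), "sync_before": near})
    followed = sum(any(timedelta(0) <= c["time"] - s <= window for c in crashes)
                   for s in syncs)
    return crashes, len(syncs), followed

if __name__ == "__main__":
    crashes, total, followed = correlate(parse(SAMPLE))
    for c in crashes:
        print(c["time"], "snort pid", c["pid"], "signal", c["signal"], "sync just before:", c["sync_before"])
    print(f"{followed} of {total} syncs were followed by a snort crash")
```

Run against a full log export, the ratio of syncs followed by a crash to total syncs shows whether the two events are consistently paired or only occasionally coincide.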



  • It happens to me as well. I just use service watchdog package to keep the service on automated restart in case it stops after the nightly updates.

