    Netgate Discussion Forum
    Snort dying

    IDS/IPS

      bimmerdriver:

      I'm running pfsense 2.3.4 with snort. Snort periodically dies. I'm not very familiar with it, so I would appreciate suggestions to find out what's causing it to die.

      Here are the rules:

      Snort VRT Rules face1054adccff0db267eb911a056e4c Thursday, 18-May-17 00:07:20 PDT
      Snort GPLv2 Community Rules c3aeed15c958358c3d7fdbc039f3d421 Tuesday, 09-May-17 12:07:03 PDT
      Emerging Threats Open Rules c317cada4fb95353e3742a0be59c3f5e Saturday, 20-May-17 00:05:26 PDT
      Snort OpenAppID Detectors Not Enabled Not Enabled
      Snort OpenAppID RULES Detectors Not Enabled Not Enabled

      Here are the most recent messages in the log. As you can see, it's been stopped for a few days.

      May 18 00:10:00	php		/usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Alert pcap file cleanup job removed 1 pcap file(s) from /var/log/snort/snort_hn120641/...
      May 18 00:07:51	check_reload_status		Syncing firewall
      May 18 00:07:50	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      May 18 00:07:49	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
      May 18 00:07:38	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
      May 18 00:07:21	kernel		hn1: promiscuous mode disabled
      May 18 00:07:21	kernel		pid 26541 (snort), uid 0: exited on signal 11
      May 18 00:07:10	snort	26541	[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
      May 18 00:06:37	snort	26541	[137:1:2] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:569:74c8:4000:c08f:d541:a3c1:12b8:47624 -> 2a03:2880:f013:1:face:b00c:0:1:443
      May 18 00:06:29	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
      May 18 00:06:09	snort	26541	[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
      May 18 00:06:09	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
      May 18 00:06:09	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date...
      May 18 00:06:08	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      May 18 00:05:40	snort	26541	[119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 162.156.4.171:64024 -> 74.120.184.194:80
      

      Here are the messages in the log from when I restarted the service:

      May 22 09:11:58	kernel		hn1: promiscuous mode enabled
      May 22 09:11:41	SnortStartup	74801	Snort START for WAN(20641_hn1)...
      
        bimmerdriver:
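      The log in this post shows the kernel reporting that snort (pid 26541) "exited on signal 11", which on FreeBSD is SIGSEGV, a crash rather than a clean stop, seconds after the rule-update job had downloaded new rule sets, and then nothing from snort for four days. As an added example that is not part of the original post, the Python below parses system-log lines in the tab-separated format shown, flags crash records for snort, lists the rule-update messages logged in the minutes before each crash, and measures how long the sensor has been silent. The sample lines are copied (and trimmed) from the post; the year 2017 and the use of the restart timestamp as "now" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed input: pfSense system-log lines copied (and trimmed) from the
# post above, newest first as the GUI lists them.
SAMPLE_LOG = """\
May 18 00:10:00\tphp\t\t/usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Alert pcap file cleanup job removed 1 pcap file(s)
May 18 00:07:51\tcheck_reload_status\t\tSyncing firewall
May 18 00:07:50\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 18 00:07:38\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
May 18 00:07:21\tkernel\t\thn1: promiscuous mode disabled
May 18 00:07:21\tkernel\t\tpid 26541 (snort), uid 0: exited on signal 11
May 18 00:07:10\tsnort\t26541\t[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
May 18 00:06:29\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
May 18 00:06:08\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
"""
# Assumed: the log carries no year; the rule-set dates in the post are 2017.
LOG_YEAR = 2017
# Assumed "now": the timestamp of the manual restart reported in the post.
RESTART_TS = "May 22 09:11:58"

# Fields: timestamp, process, pid (may be empty), message, separated by tabs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\t(?P<proc>[^\t]*)\t(?P<pid>[^\t]*)\t(?P<msg>.*)$")
# FreeBSD kernel message for a process terminated by a signal.
CRASH_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid \d+: exited on signal (?P<sig>\d+)")
SIGNAL_NAMES = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV", 15: "SIGTERM"}


def parse_ts(text, year):
    """Turn 'May 18 00:07:21' into a datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_log(text, year=LOG_YEAR):
    """Parse tab-separated pfSense log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything not in the expected format
        events.append({"ts": parse_ts(m["ts"], year), "proc": m["proc"],
                       "pid": m["pid"], "msg": m["msg"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_crashes(events, name="snort"):
    """Kernel 'exited on signal N' records for the named process."""
    crashes = []
    for e in events:
        if e["proc"] != "kernel":
            continue
        m = CRASH_RE.search(e["msg"])
        if m and m["name"] == name:
            sig = int(m["sig"])
            crashes.append({"ts": e["ts"], "pid": int(m["pid"]), "signal": sig,
                            "signal_name": SIGNAL_NAMES.get(sig, f"SIG{sig}")})
    return crashes


def rule_update_context(events, crash_ts, window=timedelta(minutes=5)):
    """Rule-update messages logged within `window` before a crash."""
    return [e["msg"].split("[Snort] ", 1)[-1] for e in events
            if "snort_check_for_rule_updates.php" in e["msg"]
            and crash_ts - window <= e["ts"] <= crash_ts]


def silence(events, now, name="snort"):
    """How long since the named process last logged anything (None if never)."""
    seen = [e["ts"] for e in events if e["proc"] == name]
    return now - max(seen) if seen else None


def analyze(text=SAMPLE_LOG, now_str=RESTART_TS, year=LOG_YEAR):
    """Crash records with their rule-update context, plus the silent window."""
    events = parse_log(text, year)
    now = parse_ts(now_str, year)
    crashes = find_crashes(events)
    for c in crashes:
        c["preceded_by"] = rule_update_context(events, c["ts"])
    gap = silence(events, now)
    return {"crashes": crashes,
            "silent_seconds": gap.total_seconds() if gap is not None else None}


if __name__ == "__main__":
    report = analyze()
    for c in report["crashes"]:
        print(f"{c['ts']} pid {c['pid']} died with {c['signal_name']}; "
              f"rule-update activity just before: {c['preceded_by']}")
    print(f"sensor silent for {report['silent_seconds'] / 3600:.1f} hours")
```

      Run against the real log (e.g. `clog /var/log/system.log` on pfSense, piped into `parse_log`) and alert whenever `find_crashes` returns anything or `silence` exceeds a few minutes: an IPS that has segfaulted leaves the interface unmonitored until someone notices, which in this thread took four days.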

        Any comments on this?

          bimmerdriver:

          So, the snort service stopped again.  Am I the only one this is happening to?

            coffeecup25:

            @bimmerdriver:

            So, the snort service stopped again.  Am I the only one this is happening to?

            https://forum.pfsense.org/index.php?topic=130993.msg723503#msg723503

            No. I also complained. The thread this link is in mentioned a possible third reason it fails to start properly. To me, it looks like a buggy upgrade as it worked great before updating pfSense and snort to the newest versions. Right now, I have snort disabled. I will enable it when I see a new package update for it being made available.

              Jailer:

              @coffeecup25:

              @bimmerdriver:

              So, the snort service stopped again.  Am I the only one this is happening to?

              https://forum.pfsense.org/index.php?topic=130993.msg723503#msg723503

              No. I also complained. The thread this link is in mentioned a possible third reason it fails to start properly. To me, it looks like a buggy upgrade as it worked great before updating pfSense and snort to the newest versions. Right now, I have snort disabled. I will enable it when I see a new package update for it being made available.

              Getting the exact behavior here on my APU2C4 since the upgrade.
