Netgate Discussion Forum
    Snort dying

    bimmerdriver

      I'm running pfSense 2.3.4 with Snort. Snort periodically dies. I'm not very familiar with it, so I would appreciate suggestions to find out what's causing it to die.

      Here are the rules:

      Rule set                        MD5 signature                     Last update
      Snort VRT Rules                 face1054adccff0db267eb911a056e4c  Thursday, 18-May-17 00:07:20 PDT
      Snort GPLv2 Community Rules     c3aeed15c958358c3d7fdbc039f3d421  Tuesday, 09-May-17 12:07:03 PDT
      Emerging Threats Open Rules     c317cada4fb95353e3742a0be59c3f5e  Saturday, 20-May-17 00:05:26 PDT
      Snort OpenAppID Detectors       Not Enabled                       Not Enabled
      Snort OpenAppID RULES Detectors Not Enabled                       Not Enabled

      Here are the most recent messages in the log. As you can see, it's been stopped for a few days.

      May 18 00:10:00	php		/usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Alert pcap file cleanup job removed 1 pcap file(s) from /var/log/snort/snort_hn120641/...
      May 18 00:07:51	check_reload_status		Syncing firewall
      May 18 00:07:50	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      May 18 00:07:49	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
      May 18 00:07:38	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
      May 18 00:07:21	kernel		hn1: promiscuous mode disabled
      May 18 00:07:21	kernel		pid 26541 (snort), uid 0: exited on signal 11
      May 18 00:07:10	snort	26541	[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
      May 18 00:06:37	snort	26541	[137:1:2] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:569:74c8:4000:c08f:d541:a3c1:12b8:47624 -> 2a03:2880:f013:1:face:b00c:0:1:443
      May 18 00:06:29	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
      May 18 00:06:09	snort	26541	[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
      May 18 00:06:09	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
      May 18 00:06:09	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date...
      May 18 00:06:08	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      May 18 00:05:40	snort	26541	[119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 162.156.4.171:64024 -> 74.120.184.194:80
      

      Here are the messages in the log from when I restarted the service:

      May 22 09:11:58	kernel		hn1: promiscuous mode enabled
      May 22 09:11:41	SnortStartup	74801	Snort START for WAN(20641_hn1)...
      
      bimmerdriver
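The log above has the useful detail in it already: the kernel reports pid 26541 (snort) exiting on signal 11 (SIGSEGV, a crash, not a clean stop) at 00:07:21, in the middle of the scheduled rule update (downloads finish at 00:06:29, "Updating rules configuration" follows at 00:07:38), and the next "Snort START" is four days later. The script below is an added example, not code from this post, from pfSense or from the Snort package: it parses pfSense system-log lines, finds "exited on signal N" events for snort, lists rule-update activity within a window around each crash, and reports how long the sensor stayed down. It assumes the tab-separated field layout seen in the pasted lines (date, process, pid, message) and a year for the timestamps, since syslog lines carry none; the sample lines are copied from the post.

```python
"""Correlate a Snort crash with rule-update activity in a pfSense system log.

Added example; not code from the post, pfSense or the Snort package.
Assumptions not stated on the page: fields are tab-separated as
"<Mon> <day> <HH:MM:SS>\\t<process>\\t<pid>\\t<message>", and all lines
fall in one year (ASSUMED_YEAR) because syslog omits it.
"""
import re
import signal
from datetime import datetime, timedelta

ASSUMED_YEAR = 2017  # assumption: matches the rule-set dates in the post

# Sample input: lines copied from the post above, newest first as the UI shows them.
SAMPLE_LOG = [
    "May 18 00:10:00\tphp\t\t/usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Alert pcap file cleanup job removed 1 pcap file(s) from /var/log/snort/snort_hn120641/...",
    "May 18 00:07:50\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.",
    "May 18 00:07:49\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...",
    "May 18 00:07:38\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...",
    "May 18 00:07:21\tkernel\t\thn1: promiscuous mode disabled",
    "May 18 00:07:21\tkernel\t\tpid 26541 (snort), uid 0: exited on signal 11",
    "May 18 00:07:10\tsnort\t26541\t[120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486",
    "May 18 00:06:29\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully",
    "May 18 00:06:09\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...",
    "May 18 00:06:08\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully",
    "May 22 09:11:58\tkernel\t\thn1: promiscuous mode enabled",
    "May 22 09:11:41\tSnortStartup\t74801\tSnort START for WAN(20641_hn1)...",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\t(?P<proc>[^\t]*)\t(?P<pid>\d*)\t(?P<msg>.*)$")
CRASH_RE = re.compile(r"pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid \d+: exited on signal (?P<sig>\d+)")
UPDATE_SCRIPT = "snort_check_for_rule_updates.php"  # the pfSense rule-update cron script seen above


def parse_line(line):
    """Return {'ts', 'proc', 'pid', 'msg'} for one log line, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "proc": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def parse_log(lines):
    """Parse every usable line and sort oldest-first (the web UI lists newest-first)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def signal_name(num):
    """Map a signal number to its name (11 -> SIGSEGV); fall back to the number."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"signal {num}"


def find_crashes(events, name="snort"):
    """Kernel 'exited on signal N' lines for the named process."""
    crashes = []
    for e in events:
        m = CRASH_RE.search(e["msg"]) if e["proc"] == "kernel" else None
        if m and m["name"] == name:
            crashes.append({"ts": e["ts"], "pid": int(m["pid"]), "name": m["name"],
                            "signal": int(m["sig"]), "signame": signal_name(int(m["sig"]))})
    return crashes


def correlate(events, window=timedelta(minutes=2)):
    """For each crash: rule-update messages within +/- window, the pid's last alert,
    the first 'Snort START' afterwards and the resulting downtime (None if still down)."""
    reports = []
    for c in find_crashes(events):
        lo, hi = c["ts"] - window, c["ts"] + window
        updates = [e["msg"].split("[Snort] ", 1)[-1] for e in events
                   if e["proc"] == "php" and UPDATE_SCRIPT in e["msg"] and lo <= e["ts"] <= hi]
        last_alert = max((e["ts"] for e in events
                          if e["proc"] == c["name"] and e["pid"] == c["pid"] and e["ts"] <= c["ts"]),
                         default=None)
        restart = next((e["ts"] for e in events
                        if e["proc"] == "SnortStartup" and "Snort START" in e["msg"] and e["ts"] > c["ts"]),
                       None)
        reports.append({**c, "rule_updates_in_window": updates, "last_alert": last_alert,
                        "restart": restart, "downtime": (restart - c["ts"]) if restart else None})
    return reports


def summarize(report):
    """Human-readable version of one correlate() report."""
    lines = [f"{report['ts']} pid {report['pid']} ({report['name']}) died with {report['signame']}"]
    if report["last_alert"]:
        lines.append(f"  last alert from that pid: {report['last_alert']}")
    for msg in report["rule_updates_in_window"]:
        lines.append(f"  rule-update activity nearby: {msg}")
    if report["restart"]:
        lines.append(f"  restarted {report['restart']} (down {report['downtime']})")
    else:
        lines.append("  no 'Snort START' after the crash: sensor still down")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in correlate(parse_log(SAMPLE_LOG)):
        print(summarize(r))
```

Feed it `clog /var/log/system.log` output (or the lines copied out of Status > System Logs) and widen the window if the rule update on a box takes longer. A crash that lands inside the update window every time, with no "Snort START" afterwards, is the pattern in this thread; a crash with no update activity nearby points somewhere else (traffic hitting a preprocessor, memory pressure), and the last alert from the dying pid tells you what it was inspecting just before it went.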

        Any comments on this?

        bimmerdriver

          So, the snort service stopped again.  Am I the only one this is happening to?

          coffeecup25

            @bimmerdriver:

            So, the snort service stopped again.  Am I the only one this is happening to?

            https://forum.pfsense.org/index.php?topic=130993.msg723503#msg723503

            No. I also complained. The thread this link is in mentioned a possible third reason it fails to start properly. To me, it looks like a buggy upgrade as it worked great before updating pfSense and snort to the newest versions. Right now, I have snort disabled. I will enable it when I see a new package update for it being made available.

            Jailer

              @coffeecup25:

              Getting the exact behavior here on my APU2C4 since the upgrade.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.