Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort turning itself OFF

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 3 Posters 687 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gryest
      last edited by

      Hi
      I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
      Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
      Is anybody have same issue? What might be wrong or changed?
      Thanks.

      PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @gryest:

        Hi
        I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
        Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
        Is anybody have same issue? What might be wrong or changed?
        Thanks.

        PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

        Have you looked back through your firewall's system log to see what, if any, messages might have been logged by Snort as it restarted from the rules update?  The most likely possibility is a rule syntax error of some sort with one of your enabled rules (or even a newly added rule).  Those happen from time to time as the rules are modified by the authors/vendors.

        Bill

        1 Reply Last reply Reply Quote 0
        • R
          revengineer
          last edited by

          This happened to me yesterday as well. When I checked the interface, snort was stopped. I simply restarted and all is well. These issue happen so rarely and typically fix themselves, so that I am neither worried nor inclined to start a research project over this issue.

          1 Reply Last reply Reply Quote 0
          • G
            gryest
            last edited by

            @bmeeks:

            @gryest:

            Hi
            I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
            Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
            Is anybody have same issue? What might be wrong or changed?
            Thanks.

            PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

            Have you looked back through your firewall's system log to see what, if any, messages might have been logged by Snort as it restarted from the rules update?  The most likely possibility is a rule syntax error of some sort with one of your enabled rules (or even a newly added rule).  Those happen from time to time as the rules are modified by the authors/vendors.

            Bill

            Yes, I did. Rules update happened 00:07. Before that Snort shows some ping IP ("Misc Attacks") Log Alerts. After 00:07 nothing until I restarted snort in the morning. No any records in the system log. I will check logs if it's happen again.
            Thanks.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.