Snort stops after rules update



  • Hello,

    I was wondering if someone can help: Snort seems to stop after the rules update and doesn't restart itself.

    In the log I see this:

    Jun 6 00:05:05	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29111.tar.gz...
    Jun 6 00:05:27	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
    Jun 6 00:05:28	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
    Jun 6 00:05:29	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
    Jun 6 00:05:29	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
    Jun 6 00:05:30	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Jun 6 00:05:31	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Jun 6 00:05:37	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
    Jun 6 00:06:43	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Jun 6 00:06:53	kernel		pid 94232 (snort), uid 0: exited on signal 11
    Jun 6 00:06:58	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
    Jun 6 00:06:58	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 51 obsoleted rules category files.
    Jun 6 00:06:58	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
    Jun 6 00:07:12	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN...
    Jun 6 00:07:23	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jun 6 00:07:23	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN...
    Jun 6 00:07:24	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
    Jun 6 00:07:25	php		/usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    

    I have plenty of RAM (8Gb) in the box, and I changed the pattern matcher to AC-BNFA-NQ as a couple of people on here said that resolves it, but I get the same every night.

    Thanks
    Steve
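As an added example (not part of the post or of the pfSense Snort package), here is a small Python checker for the log pattern shown above: it parses syslog-style lines like the ones quoted, flags a Snort process that exited on a signal while a rules update was in progress, and reports whether a start message followed, which is the condition the post describes (a signal 11 exit with no restart). The sample log is constructed from the post's lines; the `Snort START` restart marker is an assumption about the package's log wording and is a parameter so it can be adjusted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, modelled on the lines quoted in the post above
# (timestamp, process and message separated by tabs, as in pfSense's system log).
SAMPLE_LOG = (
    "Jun 6 00:05:05\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: "
    "[Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29111.tar.gz...\n"
    "Jun 6 00:05:27\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: "
    "[Snort] Snort Subscriber rules file update downloaded successfully\n"
    "Jun 6 00:06:53\tkernel\t\tpid 94232 (snort), uid 0: exited on signal 11\n"
    "Jun 6 00:06:58\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: "
    "[Snort] Updating rules configuration for: WAN ...\n"
    "Jun 6 00:07:25\tphp\t\t/usr/local/pkg/snort/snort_check_for_rule_updates.php: "
    "[Snort] The Rules update has finished.\n"
)

# "Mon D HH:MM:SS<ws>process<ws>message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<proc>\S+)\s+(?P<msg>.*)$"
)
# FreeBSD kernel message for a process terminated by a signal, as in the post.
CRASH_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid (?P<uid>\d+): exited on signal (?P<sig>\d+)"
)
UPDATE_START = "There is a new set of"          # first download of an update cycle
UPDATE_END = "The Rules update has finished."   # last line of an update cycle
# Assumption: the package logs "[Snort] Snort START for <iface>" when it restarts Snort.
DEFAULT_RESTART_MARKER = "Snort START"
SIGNAL_NAMES = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV", 15: "SIGTERM"}


@dataclass
class Crash:
    ts: str
    pid: int
    name: str
    signal: int
    signal_name: str
    during_update: bool


@dataclass
class Report:
    update_started: Optional[str] = None
    update_finished: Optional[str] = None
    crashes: List[Crash] = field(default_factory=list)
    restarted_after_crash: bool = False

    @property
    def needs_attention(self) -> bool:
        """True when the process died and no start message followed."""
        return bool(self.crashes) and not self.restarted_after_crash


def parse_log(text: str):
    """Yield (timestamp, process, message) for every line matching LINE_RE."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            yield m.group("ts"), m.group("proc"), m.group("msg")


def analyze(text: str, process: str = "snort",
            restart_marker: str = DEFAULT_RESTART_MARKER) -> Report:
    """Correlate signal exits of `process` with the rules-update window."""
    report = Report()
    in_update = False
    for ts, proc, msg in parse_log(text):
        if UPDATE_START in msg and not in_update:
            report.update_started, in_update = ts, True
        elif UPDATE_END in msg:
            report.update_finished, in_update = ts, False
        elif proc == "kernel":
            m = CRASH_RE.search(msg)
            if m and m.group("name") == process:
                sig = int(m.group("sig"))
                report.crashes.append(Crash(ts, int(m.group("pid")), process, sig,
                                            SIGNAL_NAMES.get(sig, f"SIG{sig}"),
                                            in_update))
                report.restarted_after_crash = False  # reset until a start follows
        elif report.crashes and restart_marker in msg:
            report.restarted_after_crash = True
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for c in r.crashes:
        where = "during" if c.during_update else "outside"
        print(f"{c.ts}: {c.name} pid {c.pid} exited on {c.signal_name} {where} the rules update")
    print("restarted afterwards:", r.restarted_after_crash)
    print("needs attention:", r.needs_attention)
```

Run against the system log export (or feed it the output of `clog /var/log/system.log` on the firewall), and a `needs_attention` result is the cue to look at Snort's own log and a core dump rather than at the update job, since the kernel line shows the sensor segfaulted while the new rule set was being downloaded and a restart did not follow.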



  • This happened to me, and I tried:

    1. DID NOT WORK: Forcing updates to get new MD5 hashes. Some updates had failed, and this made the "Result" Success again. However, the non-starting symptom continued.

    2. WORKED: Change the time of day when updates occur. This did the trick for me, and I haven't had any problems since. Not sure exactly what the problem was, but the non-starts were occurring on only one of the scheduled update times. It was 0:05 and 12:05; I changed it to 8:45 once a day and have had no problems for two weeks now.

    I'm changing it back to two updates a day, but keeping 8:45. Hope it works.

