pid 27436 (snort), uid 0: exited on signal 11
Snort appears to crash randomly on some updates - not all
I set the Snort updates to daily, and approximately once a week Snort automatically updates; during the update it crashes and stops working.
I have turned the automatic updates off and am manually updating it, so if it crashes I can manually restart it within minutes of it going down.
Any idea what I need to look for?
May 22 11:34:08 kernel re0: promiscuous mode enabled
May 22 11:33:57 SnortStartup 85154 Snort START for WAN(37625_re0)...
May 22 11:29:20 check_reload_status Syncing firewall
May 22 11:29:20 php-cgi snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 22 11:29:20 php-cgi snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
May 22 11:29:20 php-cgi snort_check_for_rule_updates.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN...
May 22 11:29:19 php-cgi snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN...
May 22 11:29:17 php-cgi snort_check_for_rule_updates.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN...
May 22 11:29:15 php-cgi snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
May 22 11:28:28 kernel re0: promiscuous mode disabled
May 22 11:28:28 kernel pid 27436 (snort), uid 0: exited on signal 11
May 22 11:27:21 php-cgi snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
May 22 11:27:19 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
May 22 11:27:18 php-cgi snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
May 22 11:27:16 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
May 22 11:27:16 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
May 22 11:27:16 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
May 22 11:27:15 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
May 22 11:27:15 php-cgi snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
May 22 11:25:35 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29120.tar.gz...
May 22 11:24:00 php-fpm /index.php: Successful login for user 'admin' from: 10.0.0.10 (Local Database)
Do you have the Service Watchdog package enabled? If so, you must not use it for Snort! That is one cause of this problem.
Check to see if you perhaps have gotten multiple instances of Snort on the same interface. Run this command from a shell prompt on the firewall:
ps -ax | grep snort
If Snort is running, you should see only one process per configured interface. If you see two Snort processes with the exact same information and arguments, then you have a zombie running. If this is the case, kill all Snort instances and start Snort on each interface again from the GUI.
Finally, it's possible some particular rule you have enabled is the source of the crash. A Signal 11 error is basically a segmentation fault (meaning a process attempted to access memory that was out-of-bounds for that process). I run Snort on my personal home firewall and have no issues with crashes. I don't run the OpenAppID rules, though. And there is no guarantee that even if two people run the same rule categories that they have the exact same rule SIDs enabled. So it's hard to compare apples-to-apples when talking about IDS/IPS setups.
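A shell helper, added here and not part of the thread or the pfSense Snort package, that automates the duplicate-instance check described in the reply: it reads `ps -ax` output, groups Snort processes by their full argument string, and reports any interface (taken from the `-i` argument) that has more than one identical instance. The sample `ps` lines are constructed to resemble pfSense's Snort command lines; on the firewall itself you would pipe the real `ps -ax` output into the function.

```shell
#!/bin/sh
# Added example (not from the thread): detect duplicate Snort instances per interface.
# Input is `ps -ax` output on stdin. Two processes with an identical argument string
# on the same -i interface are the "zombie" case described in the reply.

duplicate_snort_instances() {
    awk '
    {
        # Find the snort binary in the COMMAND column. Lines without it (the
        # header, unrelated daemons, the "grep snort" process) are skipped.
        start = 0
        for (i = 1; i <= NF; i++) if ($i ~ /\/snort$/) { start = i; break }
        if (!start) next
        # Rebuild the command line without PID/TT/STAT/TIME so identical
        # instances compare equal, and remember the interface given to -i.
        cmd = ""; iface = "?"
        for (i = start; i <= NF; i++) {
            cmd = cmd (i > start ? " " : "") $i
            if ($i == "-i" && i < NF) iface = $(i + 1)
        }
        count[cmd]++
        ifname[cmd] = iface
    }
    END {
        # One line per duplicated command line: "<interface> <instances>"
        for (c in count) if (count[c] > 1) print ifname[c], count[c]
    }' | sort
}

# Constructed sample (paths and arguments only approximate pfSense's): two identical
# instances on re0 (a zombie), one healthy instance on em0, and the grep process
# that a real `ps -ax | grep snort` also lists.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
27436  -  Ss   0:12.33 /usr/local/bin/snort -R 37625 -D -q -l /var/log/snort/snort_re037625 -c /usr/local/etc/snort/snort_37625_re0/snort.conf -i re0
27501  -  Ss   0:09.01 /usr/local/bin/snort -R 37625 -D -q -l /var/log/snort/snort_re037625 -c /usr/local/etc/snort/snort_37625_re0/snort.conf -i re0
27602  -  Ss   0:03.10 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
27777  -  S    0:00.00 grep snort'

# On the firewall itself: ps -ax | duplicate_snort_instances
printf '%s\n' "$SAMPLE_PS" | duplicate_snort_instances
```

Empty output means every configured interface has exactly one Snort process with its argument set; a line such as `re0 2` is the zombie case where the reply recommends killing all instances and restarting Snort from the GUI.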