Snort fatal error when upgrading from 3.2.9.14_1 to 4.1.2



  • Hello all,

    I upgraded snort this morning and I received this error on the system log of my SG-1100 :

    FATAL ERROR: Invalid pidfile suffix: _mvneta0.4090. Suffix must less than 11 characters and not have ".." or "/" in the name.
    

    It seems this error appeared 10 years ago when I googled it. Do you have a solution to make snort restart ?

    Thanks.
    Regards



  • I am looking into the resolution for this problem. It's caused by the long physical interface name combined with the VLAN ID. The combination (plus the underscore character) results in a PID filename that exceeds the configured maximum allowed within the Snort binary.

    This code has run for over a year on Snort 4.x in the pfSense-2.5 snapshots branch without this problem ever popping up. I guess all of the users in that branch had shorter interface names and/or shorter VLAN IDs.

    For now, the only option you have is shortening the VLAN ID to 2 characters, but that is likely not realistic for you as that entails lots of other network changes on the SG-3100 and probably in external switches as well.



  • Thanks @bmeeks, I think I will wait for your fix (if you think it will not be too long to fix it) instead of changing VLAN IDs. In fact I left the original configured VLAN ID so I suppose that every people that did the same and installed snort on a SG-1100 has this problem today.



  • Yes, this was an unforeseen error. I thought we were good to migrate the Snort package code from DEVEL to RELEASE since it had run so long over there with no major issues.

    I am working on the fix. The actual fix is easy, but I want to research carefully and make sure the change does not break something else in the PHP GUI code. Give me a day or two to get it sorted out.

    It did not show up in my internal testing because my interface and VLAN ID names in my test virtual machines were not long enough to trigger the error.



  • No problem @bmeeks, and thank you for your work and your reactivity :)



  • @Rod21:
    The fix for this issue has been posted for review and merging by the pfSense developer team. Look for Snort package version 4.1.2_1 to appear shortly.



  • Thanks @bmeeks, the fix is available, I installed it and snort is working fine again.
    Regards



  • I updated my package this morning and did not run into any problems.

    Thanks for the work providing this update.


Log in to reply