SNORT Randomly Exits Signal 4 after update


  • I hate to resurrect the dead, but I have been suffering the Snort Randomly Stops problem for a couple months. The only thread available is Suricata on ARM, but I am having this exact issue with Snort on Intel. On a Supermicro 5018D-FN8T Xeon D, running 2.4.5-Release-p1.

    Two exit signal 4 and 1 signal 11. I have 3 interfaces with Snort enabled, 2 are set to block traffic and one is not.

    Is there anywhere in particular I can look to solve this?

    Any help would be appreciated!

    Dec 17 13:00:00  php     [Snort] Alert tcpdump packet capture file cleanup job removed 1 tcpdump packet capture file(s) from /var/log/snort/snort_igb220604/...
    Dec 17 12:59:05  php     [Snort] The Rules update has finished.
    Dec 17 12:59:04  php     [Snort] Building new sid-msg.map file for GUEST_LAN...
    Dec 17 12:59:03  php     [Snort] Enabling any flowbit-required rules for: GUEST_LAN...
    Dec 17 12:59:03  php     [Snort] Enabling any flowbit-required rules for: GUEST_LAN...
    Dec 17 12:59:02  php     [Snort] Updating rules configuration for: GUEST_LAN ...
    Dec 17 12:59:02  php     [Snort] Building new sid-msg.map file for LAN...
    Dec 17 12:59:01  php     [Snort] Enabling any flowbit-required rules for: LAN...
    Dec 17 12:59:00  php     [Snort] Enabling any flowbit-required rules for: LAN...
    Dec 17 12:58:59  php     [Snort] Updating rules configuration for: LAN ...
    Dec 17 12:58:59  php     [Snort] Building new sid-msg.map file for DMZ...
    Dec 17 12:58:58  php     [Snort] Enabling any flowbit-required rules for: DMZ...
    Dec 17 12:58:58  php     [Snort] Enabling any flowbit-required rules for: DMZ...
    Dec 17 12:58:56  php     [Snort] Updating rules configuration for: DMZ ...
    Dec 17 12:58:56  php     [Snort] Building new sid-msg.map file for WAN...
    Dec 17 12:58:55  php     [Snort] Enabling any flowbit-required rules for: WAN...
    Dec 17 12:58:55  php     [Snort] Enabling any flowbit-required rules for: WAN...
    Dec 17 12:58:54  php     [Snort] Updating rules configuration for: WAN ...
    Dec 17 12:58:52  kernel  igb2: promiscuous mode disabled
    Dec 17 12:58:52  kernel  pid 97563 (snort), jid 0, uid 0: exited on signal 11
    Dec 17 12:58:52  kernel  ix0: promiscuous mode disabled
    Dec 17 12:58:52  kernel  pid 97918 (snort), jid 0, uid 0: exited on signal 4
    Dec 17 12:58:50  kernel  igb0: promiscuous mode disabled
    Dec 17 12:58:50  kernel  pid 97111 (snort), jid 0, uid 0: exited on signal 4
    Dec 17 12:58:42  php     [Snort] Emerging Threats Open rules are up to date...
    Dec 17 12:58:42  php     [Snort] Snort AppID Open Text Rules file update downloaded successfully
    Dec 17 12:58:42  php     [Snort] There is a new set of Snort AppID Open Text Rules posted. Downloading appid_rules.tar.gz...
    Dec 17 12:58:41  php     [Snort] Snort OpenAppID detectors are up to date...
    Dec 17 12:58:41  php     [Snort] Snort Subscriber rules file update downloaded successfully
    Dec 17 12:58:00  php     [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29161.tar.gz...


  • @daboomer

    Hi,

    maybe you want to read this:

    Snort exit with Signal 11

    Snort exit Signal 4

    PS. BTW: Tonight my Snort was exiting too with Signal 4, but is working as expected. As you can see in my signature, it's Intel too.

    Regards,
    fireodo


  • @fireodo I am reading those now again... but I just figured something out... It is only when there is an update downloaded from Snort OpenAppID Detectors.
    My snort was updating every 12 hours, now daily, but the update that causes the issue is the exact same time as the Snort OpenAppID Detectors MD5 Signature date/time