Netgate Discussion Forum
    Snort no long running

    • C
      chrischambers
      last edited by

      I have Snort 4.1.3_2 installed on my pfSense.

      This morning I discovered that my plugin is no longer running, so I tried to restart it, but every time I click on the cycle arrow it tries but doesn't.

      It has been running fine for the past few months, as I was monitoring ping attacks and I wanted to make sure I was not being hacked.

      I have tried removing it and reinstalling it, but this didn't resolve the issue.

      I have tried to find the logs to see what is happening but I can't find them, so can someone please inform me where they are, or whether this is a known issue with the package and there is a known solution?

      • infosamu.itI
        infosamu.it
        last edited by

        I have got the same situation.

        • infosamu.itI
          infosamu.it
          last edited by

          I've got this error in the log:

          FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].

          • P
            palomar72
            last edited by

            Same here!

            • P
              palomar72
              last edited by

              After removing the "download of Emerging Threats Open rules", and a force update of rules, Snort restarted.
              Obviously without the Emerging Threats Open rules.

              • infosamu.itI
                infosamu.it
                last edited by

                OK, problem solved.

                If you remove the line from the file snort.rules, Snort starts again.

                • infosamu.itI
                  infosamu.it
                  last edited by

                  This is the line:

                  alert tcp [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 377"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:4374; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2021_03_19;)

                  1 Reply Last reply Reply Quote 1
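
Added example, not part of the original posts and not Snort or pfSense code: a pre-flight check that scans rule headers for address-list entries that do not parse as an IP or CIDR, such as the truncated 2001:41 entry in the rule quoted above. Python's ipaddress module stands in for Snort's own address parser (an assumption), and the sample rules and SIDs are constructed.

```python
import ipaddress
import re

# Rule header: action proto src sport direction dst dport (options...)
# Assumes address lists contain no whitespace, as in the rule quoted above.
HEADER = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+\s*\(")
SID = re.compile(r"\bsid:\s*(\d+)")


def bad_addresses(field):
    """Return the entries of one address field that are not valid IPs/CIDRs."""
    bad = []
    for token in re.split(r"[\[\],]", field):
        token = token.lstrip("!")
        # 'any' and $VARIABLES are resolved by Snort, not literal addresses.
        if not token or token == "any" or token.startswith("$"):
            continue
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            bad.append(token)
    return bad


def check_rules(text):
    """Return (line_number, sid, bad_token) for each unparsable address."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            continue
        sid = SID.search(line)
        for field in m.groups():
            for token in bad_addresses(field):
                findings.append((lineno, sid.group(1) if sid else None, token))
    return findings


# Constructed sample: documentation-range addresses plus the truncated
# "2001:41" entry seen in the rule quoted in the thread.
SAMPLE = """\
# constructed test rules
alert tcp [192.0.2.10,2001:db8::1] any -> $HOME_NET any (msg:"ok list"; sid:1000001; rev:1;)
alert tcp [192.0.2.11,2001:41,2001:db8:0:1::/64] any -> $HOME_NET any (msg:"truncated entry"; sid:1000002; rev:1;)
alert udp ![198.51.100.0/24] any -> any 53 (msg:"negated list"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for lineno, sid, token in check_rules(SAMPLE):
        print(f"line {lineno}: sid {sid}: cannot parse address {token!r}")
```

Run against the generated snort.rules after a rule update and before restarting Snort, a finding gives the line number and SID of the rule to disable until the feed is corrected.
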
                  • C
                    chrischambers @infosamu.it
                    last edited by

                    @infosamu-it said in Snort no long running:

                    i've got this error in log:

                    FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].

                    Where are the log files so that I can check this myself?

                    • R
                      Rogerboomhouser @chrischambers
                      last edited by

                      @chrischambers

                      From the GUI: Status > System Logs.

                      • R
                        Ramosel
                        last edited by

                        It looks like the rule has been fixed.
                        Force an update
                        Start or restart Snort

                        • P
                          palomar72 @Ramosel
                          last edited by

                          @ramosel Yep! fixed. Thank you.

                          • infosamu.itI
                            infosamu.it
                            last edited by

                            Yes, it works!

                            • C
                              chrischambers @Rogerboomhouser
                              last edited by

                              @rogerboomhouser said in Snort no long running:

                              GUI, status>system

                              Thanks for the info, and now mine is working too.
