snort running to half stop many times a day
-
@blackkep said in snort running to half stop many times a day:
@bmeeks
Update Your Rule Set that's all
1. 23.01-RELEASE (amd64)
2. Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
3. 4.1.6_7
4. If it crashes on a rules update, that would point toward a faulty rule getting downloaded and enabled.
Once it crashes, can you start it up manually using the GUI icons on the INTERFACES tab in Snort?
If not, you may have to start a process of elimination by disabling rule categories one-at-the-time until Snort starts successfully.
-
You might have too many rules added.
For me, I use just the recommended IPS and Emerging Threats lists. I too had issues with memory use with more rulesets. Again, I only have 4 GB.
There was a time when I wanted to run all of them, but my memory made me give up the AppID stuff; it eats memory.
-
@bmeeks @jonathanlee
thank you solved it
-
@blackkep said in snort running to half stop many times a day:
thank you solved it
Out of interest, what change actually fixed it?
-
@patch
There is a rule to turn off snort can be normal. Might have to wait until the next update to enable this rule
-
@blackkep said in snort running to half stop many times a day:
There is a rule to turn off snort can be normal
And which one? Can you tell us too?
-
@fireodo After you update the rules also ?
emerging-drop.rules
-
@blackkep said in snort running to half stop many times a day:
@fireodo After you update the rules also ?
From time to time Snort exits on rules update (here) with signal 11, but it will continue running normally.
emerging-drop.rules
Thanks. (not enabled here)
-
@fireodo This bug has been around for a long time
-
@blackkep If you want an alternative for DROP, you can use pfBlocker and pick DROP from its feed list. Then create a regular firewall block rule via the feed set as Alias Native, or have it create the rule via Deny.
-
@steveits The DROP rule is still running ?
-
@steveits pfblockerng DROP I see the original list
-
@blackkep said in snort running to half stop many times a day:
@steveits The DROP rule is still running ?
Not sure I understand the question… if you are using pfBlocker you can disable the category in Snort. No need to scan twice.
-
@steveits It is very strange that snort has canceled the DROP rule and is still running
-
@blackkep Did you restart Snort in that interface to pick up the new settings? Check if multiple Snort processes are running and if so end them or restart your router.
-
@steveits
snort restarted, snort has only one
-
@blackkep And did you restart your router?
-
@steveits pfsense restart