Snort Service Stops After Each Update
-
So I have Snort IPS on the WAN interface and IDS on the LAN interface (L7 rules only) with rules set to update every 12 hours. I have noticed in the last few days that the LAN interface does not come back up after each update. What should I look at to begin my troubleshooting? Note that this does not happen on the WAN interface. My 6100 MAX’s CPU and memory utilization are very low.
Thanks for any help you can provide. Thank you.
-
Check the pfSense system log to see if any errors are being logged by Snort when starting.
Are the rules exactly the same on both interfaces? I'm thinking not since you say only L7 (which I assume is OpenAppID) rules are on the LAN.
If not the same rules on both, it is very possible that one of the Snort rules on the LAN interface has a problem and is causing the Snort binary to fault and die. Finding which rule is the problem will be a case of trial and error.
There have been issues with specific rules in the past where the rule authors eventually fixed them with later updates.
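An added example for the log check and rule hunt described above; it is not code from the thread or from the pfSense Snort package. The script pulls Snort's FATAL ERROR lines out of syslog-style text, extracts the rules file and line number Snort names when a rule fails to parse, and prints that rule so it can be disabled in the package GUI. The log lines and the rules file are constructed samples; the /var/log/system.log and /usr/local/etc/snort paths are assumptions about a pfSense box, not taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the forum thread or the pfSense Snort package.
# Scans syslog-style lines for Snort start-up failures, extracts the rules file
# and line Snort complained about, and shows that rule. All samples below are
# constructed; the paths are assumptions about a pfSense install.
set -eu

# Constructed sample of what /var/log/system.log (assumed path) might contain:
# one failed start after a rules update, then a clean manual restart.
SAMPLE_LOG='Jun 10 12:00:01 pfSense snort[12345]: Initializing rule chains...
Jun 10 12:00:02 pfSense snort[12345]: FATAL ERROR: /usr/local/etc/snort/snort_demo_igb1/rules/snort.rules(3) Unknown rule option: "bogus_option"
Jun 10 12:00:03 pfSense php-fpm[444]: /snort_interfaces.php: [Snort] Snort START for LAN(igb1)...
Jun 10 12:00:07 pfSense snort[12399]: Snort initialization completed successfully (pid=12399)'

# Constructed sample rules file standing in for the interface's snort.rules.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat >"$SAMPLE_RULES" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed rule 1"; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed rule 2"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"constructed broken rule"; bogus_option:1; sid:9000003; rev:1;)
EOF

# snort_fatal_lines LOGTEXT: print only Snort's FATAL ERROR lines (nothing if none).
snort_fatal_lines() {
    printf '%s\n' "$1" | grep -E 'snort\[[0-9]+\]: FATAL ERROR' || true
}

# rule_location LOGTEXT: print "file:line" from the first FATAL ERROR that names
# a rules file and line number; prints nothing if no such error is logged.
rule_location() {
    snort_fatal_lines "$1" |
        sed -nE 's/.*FATAL ERROR: ([^ ]+\.rules)\(([0-9]+)\).*/\1:\2/p' |
        head -n 1
}

# snort_started LOGTEXT: succeed if Snort logged a completed initialization.
snort_started() {
    printf '%s\n' "$1" | grep -q 'snort\[[0-9]*\]: Snort initialization completed successfully'
}

# rule_at_line FILE N: print rule N of FILE (Snort rules files hold one rule per line).
rule_at_line() {
    sed -n "${2}p" "$1"
}

# Stand-alone run on the constructed samples.
loc=$(rule_location "$SAMPLE_LOG")
if [ -n "$loc" ]; then
    file=${loc%%:*}
    line=${loc##*:}
    echo "Snort faulted while loading $file at line $line:"
    # On a live box read "$file"; here the constructed rules file stands in for it.
    rule_at_line "$SAMPLE_RULES" "$line"
fi
if snort_started "$SAMPLE_LOG"; then
    echo "A later start completed successfully (matches a manual restart working)."
fi
```

On a real pfSense box the same functions can be fed the live log with `rule_location "$(cat /var/log/system.log)"` (assumed path); if Snort dies with no FATAL ERROR line at all, the failure is not a rule parse error and the package's own log under its interface directory is the next place to look.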
-
@bmeeks Hey, thanks for responding! As far as the rules go, both interfaces are the exact opposite. On the LAN side, I only have the "Snort OPENAPPID Rules" enabled with no blocking. The WAN side has pretty much all of the other rulesets enabled for IPS. So no common rules between them. I will start looking on the log you suggested. I will probably switch back to Suricata with all of the other discussions you've had on Snort's short lifespan on 2.9, but I really do like seeing the L7 traffic coming out of my UDM-SE. Thanks again.
EDIT: It's strange that the LAN rules in question haven't even been updated since this started happening. Also, it starts right back up when I start it again manually. I will dig through the system log when I get back in town. Thanks.