Snort 2.9.2.3 pkg v. 2.5.1 service fails overnight, unable to restart



  • I set up the package on 7/27 on PF2.01/Amd64

    When the updates processed (last night I think) things broke.  I removed the package, reinstalled about 3pm EST and it seems to have fixed things.  Just FYI.



  • @Fesoj:

    miles267,

    snort chokes on the missing sdf declaration. For now, https://github.com/bsdperimeter/pfsense-packages/pull/291/files should solve the problem. I haven't looked at the details why the declaration is missing again, but I guess you've enabled only the ET rules (but I could be wrong).

    Fesoj, your code from the github has allowed snort to run on both i386 and amd64 boxes continuously since you originally posted the code. This is with the Sensitive data prepros on with both Snort and ET rules. Checking for updates every six hours, I have not had one error on six different boxes and not all the boxes have the same rules enabled.



  • Is it normal to get errors on certain rulesets?

    
    snort[1441]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/rules/snort_exploit.rules(362) Unknown rule option: 'ssl_state'.
    
    

    I get similar for botnet-cnc, policy-other, specific-theats.  Not always same error.



  • I was getting that error on that specific category myself, so you're not alone.  Just disable it for now.



  • mschiek01,

    I could go through the source code and find out under what circumstances the sdf declaration is missing, but if you patch the classification.config file of the ET rules, then the details on how pfSense generates the configuration files for the individual interfaces doesn't matter. With all this patching, the code gets pretty ugly, this is probably the reason why ermal did not patch his sources. My boxes are also running fine without any problems.



  • blundar, onhel,
    does  it matter if you toggle the settings in Snort: Interface Preprocessors and Flow: General Preprocessor Settings: Enable SSL Data?



  • I had it disabled when I was getting those errors.
    Enabling it fixed snort.botnet-cnc

    still getting errors on other once, mostly related to dce_iface

    Searching around these seem to be related to a conf issue so I'll keep digging.

    Thanks!



  • @blundar:

    I set up the package on 7/27 on PF2.01/Amd64

    When the updates processed (last night I think) things broke.  I removed the package, reinstalled about 3pm EST and it seems to have fixed things.  Just FYI.

    This is my exact setup, and I'm still having trouble after a few re-installs.  Fails overnight, restart manually is successful.



  • I must eat my words!  Snort died again last night!

    from logs:

    
    20	snort[32228]: Initializing rule chains...
    Jul 31 12:03:20	snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
    Jul 31 12:03:20	snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
    Jul 31 12:03:20	php: : Snort has restarted with your new set of rules...
    Jul 31 12:03:20	kernel: em0: promiscuous mode disabled
    
    

    Unchecking the "sensitive-data" checkbox for the CC# check, etc. in preprocessors was enough to get snort running again, albeit without some useful checks.



  • @blundar:

    I must eat my words!  Snort died again last night!

    Unchecking the "sensitive-data" checkbox for the CC# check, etc. in preprocessors was enough to get snort running again, albeit without some useful checks.

    This is my exact same issue.  I'm not sure how to find logs for past snort events?



  • Services… System logs.



  • @blundar:

    Services… System logs.

    Unfortunately it only displays the last 50 events, which doesn't take me back to the overnight failure.



  • blundar,

    the sdf problem is known for quite a while and if you search backwards in this thread you'll find a way of handling it.



  • you can change the number of lines using the settings tab.  I have mine set to 500.



  • @blundar:

    you can change the number of lines using the settings tab.  I have mine set to 500.

    Thanks - can't believe I never noticed that.  I'll check it again first thing in the AM.



  • dumb question, is everyone seeing updated rules? Since Sunday, i've had the same hash:

    SNORT.ORG >>>   "7017498f85ec6d0fc34c904c950ed8c1"
    EMERGINGTHREATS.NET >>>   13611f17ed1c94d40c8f0a78566dbb90

    I've been deleting the hash to force a manual update.. The auto update kicks off but nothing is downloaded since there isn't a new hash



  • @Cino:

    dumb question, are is everyone seeing updated rules? Since Sunday, i've had the same hash:

    SNORT.ORG >>>   "7017498f85ec6d0fc34c904c950ed8c1"
    EMERGINGTHREATS.NET >>>   13611f17ed1c94d40c8f0a78566dbb90

    I've been deleting the hash to force a manual update.. The auto update kicks off but nothing is downloaded since there isn't a new hash

    Sunday-Monday was the only day snort did not fail during updates, so it's possible there just weren't any that night.  I can't account for Monday, however.



  • You can check the actual MD5 Hash of "Only Registered Users" here:

    http://www.snort.org/downloads/1778/show_md5

    It is still:
    "7017498f85ec6d0fc34c904c950ed8c1"

    I am also checking that, because I also suspect snort to only update ET rules automatically. Manual updates work so far.

    Greets, Judex



  • auto update finally kicked for snort for me… 2 test boxes fresh installs of pfsense and snort...

    box with using snort and et with sensitive data preprocessor enabled: failed to reload, the usually error everyone is seeing
    box with using snort and et with sensitive data preprocessor disabled: reloaded fine

    IMHO, I feel the sensitive preprocessor option should be removed from snort until a working fix can be applied to the package. or a warning that auto updates should be disabled and and to run updates manually



  • Finally getting back to the original post, I think this is what's causing the issue:

    kernel: pid 31475 (snort), uid 0, was killed: out of swap space

    As a test, I disabled updates.  As expected, snort ran fine until I did a manual update.  The error above was what showed up after running the update.  Restarting snort by hand brought success.

    Is the swap space error helpful?  I do not have a swap partition on my install, as I have significant excess RAM.


Log in to reply