Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.1 Interface Shuts Down

    pfSense Packages
    10 Posts 4 Posters 3.4k Views
      qwaven

      Hi all,

      I am wondering if anyone might be able to help me determine why my SNORT interface seems to stop working. I have a feeling it's stopping after it downloads new rules. If I start the interface it appears to run just fine. Next day it's turned off again. Start it and it works fine again until the next day…

      Thoughts?

      Thanks!

        Fesoj

        Status: System logs: System is your friend. To see more entries you may have to increase the number of entries to a much larger value in Status: System logs: Settings.

          qwaven

          Looked through my syslog messages and don't see anything that appears abnormal. There are some empty alerts from SNORT but otherwise nothing that I see.

          Any thoughts?

          Thanks!

            qwaven

            Any ideas?

            This didn't use to fail like this. Only started since I updated the package…

            I've tried changing my interface performance mode to see if that helps.

            Used to be on: AC-Sparsebands
            Now: AC

            Though with AC my RAM seems to be almost full; are there any areas in SNORT that I can disable which tend to be high memory sources?

            Thanks

              Fesoj

              There should be a "fatal error" message in the system logs. Starting snort can produce quite a few messages (in addition to the duplicate lines issue), so you have to enlarge the number of lines displayed. You could also log in with ssh (or with the terminal) and do something like "clog /var/log/system.log | grep -i fatal".

              Besides this, in case you enabled the sensitive data prepro, try to start without it.

                tbaror

                Hi,
                I have the same issue: after a few hours Snort fails. Looking into the system logs I get the following:

                Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                Aug 3 19:28:15 kernel: em0: promiscuous mode disabled

                Hope that helps identify the issue.

                Thanks

                  caustic386

                  I'm having a similar issue.  I've found that disabling automatic updates, and running them by hand every few days/weeks is the best option until the issue is sorted.

                  In my case, snort reports "out of swap space" when restarting after an update.  Restarting by hand is always successful.

                    qwaven

                    Thanks for your help.

                    Snort seems much better after switching to AC.

                    Will let you know if there are any further issues.

                    Cheers!

                    I'm no expert but…

                    caustic386 Sounds like your hard drive is full/not big enough SWAP/RAM storage.

                    tbaror You may wish to look in this post, though I did not read it fully. http://forum.pfsense.org/index.php?topic=51431.0

                      qwaven

                      Never mind; Interface turned off again….

                      SNORT service itself remains on and functional.

                        qwaven

                        So did see this:

                        
                        Aug 9 00:06:56 	kernel: pid 115 (snort), uid 0: exited on signal 11
                        Aug 9 00:06:56 	snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.xxx:17467 -> YYY.yyy:21
                        Aug 9 00:06:56 	snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.xxx:17467 -> YYY.yyy:21
                        Aug 9 00:06:41 	snort[115]:
                        Aug 9 00:06:41 	snort[115]:
                        Aug 9 00:06:41 	snort[115]: --== Reload Complete ==--
                        Aug 9 00:06:41 	snort[115]: --== Reload Complete ==--
                        
                        

                        So to me this looks like right after reloading after new rules are applied.

                        Any thoughts would be great!

                        Thanks
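
Added example, not part of the thread: the log search suggested earlier, extended into a small shell function that pulls Snort fatal errors and kernel signal exits out of system log text and reports whether each one followed a "Reload Complete" line. The function names, the `WINDOW` threshold and the output format are assumptions; the sample input is built from the log lines quoted in the posts above.

```sh
#!/bin/sh
# Added example (not from the thread): triage Snort exits in pfSense system log text.
# On the firewall, feed it the command quoted above: clog /var/log/system.log | snort_crash_triage
# WINDOW is an assumed threshold (seconds) for "crashed right after a rule reload".
snort_crash_triage() {
  awk -v window="${WINDOW:-60}" '
    function secs(hms,  p) { split(hms, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    $0 == prev { next }   # collapse the duplicated log lines mentioned in the thread
    { prev = $0 }
    /snort\[[0-9]+\]: .*Reload Complete/ {
      nrel++; rday[nrel] = $1 " " $2; rsec[nrel] = secs($3); next
    }
    /snort\[[0-9]+\]: FATAL ERROR: / {
      nc++; cday[nc] = $1 " " $2; chms[nc] = $3
      kind[nc] = "FATAL " substr($0, index($0, "FATAL ERROR: ") + 13); next
    }
    /kernel: pid [0-9]+ \(snort\), uid [0-9]+: exited on signal [0-9]+/ {
      nc++; cday[nc] = $1 " " $2; chms[nc] = $3
      match($0, /signal [0-9]+/); kind[nc] = "SIGNAL " substr($0, RSTART + 7, RLENGTH - 7)
    }
    END {
      # Matching is by timestamp, so newest-first (GUI) and oldest-first (clog) input both work.
      for (i = 1; i <= nc; i++) {
        best = -1
        for (j = 1; j <= nrel; j++) {
          d = secs(chms[i]) - rsec[j]
          if (rday[j] == cday[i] && d >= 0 && d <= window && (best < 0 || d < best)) best = d
        }
        if (best < 0) note = "no reload within " window "s"
        else note = best "s after rule reload"
        printf "%s %s | %s | %s\n", cday[i], chms[i], kind[i], note
      }
    }'
}

# Constructed sample: the log lines quoted in this thread, addresses left as posted.
sample_log() {
  cat <<'EOF'
Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Aug 3 19:28:15 kernel: em0: promiscuous mode disabled
Aug 9 00:06:56 kernel: pid 115 (snort), uid 0: exited on signal 11
Aug 9 00:06:56 snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.xxx:17467 -> YYY.yyy:21
Aug 9 00:06:41 snort[115]: --== Reload Complete ==--
Aug 9 00:06:41 snort[115]: --== Reload Complete ==--
EOF
}

sample_log | snort_crash_triage
```

Timestamps are compared within a single day only, so a crash just after midnight is not matched to a reload logged just before it.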

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.