Snort 2.9.2.3 pkg v. 2.5.1 Interface Shuts Down



  • Hi all,

    I am wondering if anyone might be able to help me determine why my SNORT interface seems to stop working. I have a feeling it's stopping after it downloads new rules. If I start the interface it appears to run just fine. Next day it's turned off again. Start it and it works fine again until the next day…

    Thoughts?

    Thanks!



  • Status: System logs: System is your friend. To see more entries you may have to increase the number of entries to a much larger value in Status: System logs: Settings.



  • Looked through my syslog messages and don't see anything that appears abnormal. There are some empty alerts from SNORT but otherwise nothing that I see.

    Any thoughts?

    Thanks!



  • Any ideas?

    This didn't used to fail like this. Only started since I updated the package…

    I've tried changing my interface performance mode to see if that helps.

    Used to be on: AC-Sparsebands
    Now: AC

    Though with AC my RAM seems to be almost full; are there any areas in SNORT that I can disable which tend to be high memory sources?

    Thanks



  • There should be a "fatal error" message in the system logs. Starting snort can produce quite a few messages (in addition to the duplicate lines issue), so you have to enlarge the number of lines displayed. You could also log in with ssh (or with the terminal) and do something like "clog /var/log/system.log | grep -i fatal".

    Besides this, in case you enabled the sensitive data prepro, try to start without it.



  • Hi,
    I have the same issue; after a few hours Snort fails. Looking into the system logs I get the following:

    Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
    Aug 3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
    Aug 3 19:28:15 kernel: em0: promiscuous mode disabled

    Hope that helps in identifying the issue.

    Thanks



  • I'm having a similar issue.  I've found that disabling automatic updates, and running them by hand every few days/weeks is the best option until the issue is sorted.

    In my case, snort reports "out of swap space" when restarting after an update.  Restarting by hand is always successful.



  • Thanks for your help.

    Snort seems much better after switching to AC.

    Will let you know if there are any further issues.

    Cheers!

    I'm no expert but…

    caustic386 Sounds like your hard drive is full/not big enough SWAP/RAM storage.

    tbaror You may wish to look in this post, though I did not read it fully. http://forum.pfsense.org/index.php?topic=51431.0



  • Never mind; interface turned off again…

    SNORT service itself remains on and functional.



  • So I did see this:

    Aug 9 00:06:56 kernel: pid 115 (snort), uid 0: exited on signal 11
    Aug 9 00:06:56 snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.xxx:17467 -> YYY.yyy:21
    Aug 9 00:06:56 snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.xxx:17467 -> YYY.yyy:21
    Aug 9 00:06:41 snort[115]:
    Aug 9 00:06:41 snort[115]:
    Aug 9 00:06:41 snort[115]: --== Reload Complete ==--
    Aug 9 00:06:41 snort[115]: --== Reload Complete ==--

    So to me this looks like it happens right after reloading, once the new rules are applied.

    Any thoughts would be great!

    Thanks

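The by-eye correlation in the posts above (a snort FATAL ERROR or a "exited on signal 11" kernel message shortly after "--== Reload Complete ==--") can be checked over the whole system log instead of the GUI's last few lines. This is an added example, not from the thread or the pfSense Snort package; it assumes the plain syslog line format quoted above, a constructed sample log, and a reload window of 60 seconds that you can change.

```shell
#!/bin/sh
# Added example: tag each snort failure in a pfSense system log with whether a
# rules reload completed within WINDOW seconds before it (same calendar day).
# Assumption: lines look like the ones quoted in this thread, e.g.
#   Aug  9 00:06:56 kernel: pid 115 (snort), uid 0: exited on signal 11
# On pfSense the circular log is read with:  clog /var/log/system.log | snort_failures 60

# Constructed sample log (modelled on the thread's lines, oldest first; not real data).
SAMPLE_LOG=$(cat <<'EOF'
Aug  3 19:28:15 snort[9617]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Aug  9 00:05:10 snort[115]: --== Reload Complete ==--
Aug  9 00:06:41 snort[115]: --== Reload Complete ==--
Aug  9 00:06:56 snort[115]: [125:2:1] (ftp_telnet) Invalid FTP Command [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:17467 -> 10.0.0.9:21
Aug  9 00:06:56 kernel: pid 115 (snort), uid 0: exited on signal 11
Aug  9 12:00:00 kernel: pid 200 (snort), uid 0: exited on signal 11
EOF
)

# Reads log lines on stdin; prints "<date> <time> <kind> after_reload=<yes|no>"
# for every snort FATAL ERROR or SIGSEGV (signal 11) exit. $1 = window in seconds.
snort_failures() {
  awk -v window="${1:-60}" '
    function secs(h, m, s) { return h * 3600 + m * 60 + s }
    {
      split($3, t, ":"); now = secs(t[1], t[2], t[3]); day = $1 " " $2
      # Remember the most recent completed rules reload.
      if ($0 ~ /snort\[[0-9]+\]: --== Reload Complete ==--/) {
        last_reload = now; reload_day = day; next
      }
      kind = ""
      if ($0 ~ /snort\[[0-9]+\]: FATAL ERROR/) kind = "fatal"
      else if ($0 ~ /kernel: pid [0-9]+ \(snort\).*exited on signal 11/) kind = "segfault"
      if (kind == "") next
      # A failure counts as "after reload" only if a reload finished on the
      # same day, before it, and no more than window seconds earlier.
      delta = now - last_reload
      after = (reload_day == day && delta >= 0 && delta <= window) ? "yes" : "no"
      print day, $3, kind, "after_reload=" after
    }'
}

printf '%s\n' "$SAMPLE_LOG" | snort_failures 60
```

Run it over a real log with `clog /var/log/system.log | snort_failures 60`; a run of `after_reload=yes` lines is the signature the last post is describing.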
