Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort unexpectedly terminates / signal 11 error

    Scheduled Pinned Locked Moved pfSense Packages
    4 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      slim0801
      last edited by

      Hello, It's not a hardware issue, I tested on several pc-s Intel and AMD processors, It seems to be a rule issue, When I put these two rules

      #tcp
      alert tcp !$HOME_NET any -> $HOME_NET ![27000:30000,9987] (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 200, seconds 1; sid:10001;rev:1;)

      #udp
      alert udp !$HOME_NET any -> $HOME_NET ![27000:30000,9987] (msg:"Possible UDP DoS"; flow: stateless; threshold: type both, track by_src, count 300, seconds 1; sid:10002;rev:1;)

      when the alert is triggered snort is exiting on signal 11.

      Those 2 rules were very important to me, can you plese tell me an alternative to them or can you please solve this problem?

      I tried also with gid in rules, but still not working

      With the old snort package in pfsense those 2 rules worked just fine.

      Thank you.

      1 Reply Last reply Reply Quote 0
      • L
        LiamH
        last edited by

        Try adding a classtype to the rule.

        1 Reply Last reply Reply Quote 0
        • S
          slim0801
          last edited by

          Thank you very much, It works when I added "classtype:attempted-dos; priority:1;", I was looking for a solution for this problem for like 2 months and you nailed it :)

          I`m so glad it works, thank you again.

          1 Reply Last reply Reply Quote 0
          • L
            LiamH
            last edited by

            Took me some time to figure it out myself - couldn't find anything on the web. At least now it can be found on the web  ;)
            Is it a bug? I thought that classtype is not mandatory. Actually all goes well until snort try to output to the alert log.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.