Snort stays online for a while, then fails to start again…
pkg v. 2.5.5
So, I can get Snort to start for a while, then it will refuse to start. When I look at the logs, I see this:
/usr/local/etc/snort/snort_11942_bge0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
When I look into the /usr/local/etc/snort/snort_11942_bge0/ directory, I see that the classification.config is at 0 bytes. If I copy the version in /usr/local/etc/snort/ to the /usr/local/etc/snort/snort_11942_bge0/ directory, I can get it to start again. However, this file seems to go back to zero eventually and I have to do this all over again. I don't know enough about Snort to have any idea as to why this happens.
You need to upgrade; there are no other options to fix these issues.
Install latest snort version and these should be fixed.
bmeeks
Ermal is correct. This was an issue in earlier versions caused by a logic problem in the automatic rules update code. Under certain situations, the updating of the classification.config and reference.config files would result in empty, zero-length files. Snort definitely did not like that and would dump on the first alert detection when it tried to read the classification and/or reference information from the files to include with the log message.
The current 2.5.7 version of the Snort Package fixed this issue.
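The failure mode described above (a zero-length classification.config or reference.config in a per-interface directory) is easy to check for from the shell. The script below is an added example, not part of the thread or of the pfSense Snort package; it assumes the layout shown in the first post (master copies in /usr/local/etc/snort, per-interface copies in /usr/local/etc/snort/snort_<id>_<iface>) and builds a throwaway copy of that layout with constructed file contents so it can be run without a Snort install. In report mode it lists empty or missing copies; in restore mode it copies the master file over them, which is the manual workaround from the first post.

```shell
#!/bin/sh
# Added example: detect zero-length classification.config / reference.config
# files in Snort per-interface directories and optionally restore them from the
# master copies. Directory layout is an assumption taken from the thread.

# check_snort_configs MASTER_DIR IFACE_DIR [report|restore]
# Returns 0 if both files are non-empty, 1 if at least one was empty or missing.
# In restore mode the empty file is replaced by the master copy (if that one is
# non-empty) and the return value still reports that a problem was found.
check_snort_configs() {
    master="$1"
    ifdir="$2"
    mode="${3:-report}"
    status=0
    for f in classification.config reference.config; do
        target="$ifdir/$f"
        # -s is false for both a zero-length and a missing file
        if [ ! -s "$target" ]; then
            status=1
            if [ "$mode" = "restore" ] && [ -s "$master/$f" ]; then
                cp "$master/$f" "$target" && echo "restored $target from $master/$f"
            else
                echo "empty or missing: $target"
            fi
        fi
    done
    return "$status"
}

# scan_snort_dirs MASTER_DIR [report|restore]
# Runs the check over every snort_<id>_<iface> directory below MASTER_DIR.
scan_snort_dirs() {
    master="$1"
    mode="${2:-report}"
    rc=0
    for d in "$master"/snort_*_*; do
        [ -d "$d" ] || continue
        check_snort_configs "$master" "$d" "$mode" || rc=1
    done
    return "$rc"
}

# Self-contained demo on a constructed copy of the layout (no real Snort paths).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/snort_11942_bge0"
# Constructed sample content in the format Snort uses for these files.
printf 'config classification: protocol-command-decode,Generic Protocol Command Decode,3\n' \
    > "$demo_dir/classification.config"
printf 'config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=\n' \
    > "$demo_dir/reference.config"
# Reproduce the symptom from the thread: a zero-length per-interface copy.
: > "$demo_dir/snort_11942_bge0/classification.config"
cp "$demo_dir/reference.config" "$demo_dir/snort_11942_bge0/"

echo "== report =="
scan_snort_dirs "$demo_dir" report || true
echo "== restore =="
scan_snort_dirs "$demo_dir" restore || true
echo "== re-check (expect silence) =="
scan_snort_dirs "$demo_dir" report && echo "all per-interface copies are non-empty"
rm -rf "$demo_dir"
```

On a live system you would call `scan_snort_dirs /usr/local/etc/snort report` from cron or before (re)starting the service; a non-zero exit is the signal that the rules-update bug described in this thread has struck again, and restore mode only ever copies the master file when that master copy is itself non-empty, so it cannot propagate an empty file.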
So far so good. I'll let you know.