Netgate Discussion Forum

    Snort stays online for a while, then fails to start again…

    pfSense Packages
      mediumgrade

      Snort info:
      2.9.4.1
      pkg v. 2.5.5

      So, I can get Snort to start for a while, then it will refuse to start. When I look at the logs, I see this:

      /usr/local/etc/snort/snort_11942_bge0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
      

      When I look into the /usr/local/etc/snort/snort_11942_bge0/ directory, I see that the classification.config is at 0 bytes. If I copy the version in /usr/local/etc/snort/ to the /usr/local/etc/snort/snort_11942_bge0/ directory, I can get it to start again. However, this file seems to go back to zero eventually and I have to do this all over again. I don't know enough about Snort to have any idea as to why this happens.

      Any ideas?

      IT Service and Consulting
      http://www.contouredsolutions.com

        eri--

        You need to upgrade; there are no other options to fix these issues.
        Install the latest Snort version and these should be fixed.

          bmeeks

          Ermal is correct. This was an issue in earlier versions caused by a logic problem in the automatic rules update code. Under certain situations, the updating of the classification.config and reference.config files would result in empty, zero-length files. Snort definitely did not like that and would dump on the first alert detection when it tried to read the classification and/or reference information from the files to include with the log message.

          The current 2.5.7 version of the Snort Package fixed this issue.

          Bill
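
A check for the failure mode discussed in this thread, as an added example that is not part of the original posts or of the Snort package: it lists per-interface `classification.config` / `reference.config` files that are missing or zero-length, and the classtypes that rules use but the config does not define. The function names and the sample tree (`snort_1_em0`, `snort_2_em1`, the rule and config lines) are constructed for illustration; on the system in the thread the base directory would be `/usr/local/etc/snort`.

```sh
#!/bin/sh
# Added example: detect the zero-length config problem from this thread.

# Print every classification.config / reference.config under BASE/snort_*/
# that is missing or zero-length.
empty_configs() {
    for dir in "$1"/snort_*/; do
        [ -d "$dir" ] || continue
        for f in classification.config reference.config; do
            [ -s "$dir$f" ] || printf '%s\n' "$dir$f"
        done
    done
}

# Print classtypes used by enabled rules under DIR that DIR/classification.config
# does not define (what Snort reports as "Unknown ClassType").
undefined_classtypes() {
    defined=$(sed -n 's/^config classification:[[:space:]]*\([^,]*\),.*/\1/p' \
        "$1/classification.config" 2>/dev/null || true)
    find "$1" -name '*.rules' -exec cat {} + | grep -v '^[[:space:]]*#' |
        grep -oE 'classtype:[[:space:]]*[A-Za-z0-9_-]+' |
        sed 's/classtype:[[:space:]]*//' | sort -u |
        while read -r ct; do
            printf '%s\n' "$defined" | grep -qxF -- "$ct" || printf '%s\n' "$ct"
        done
}

# Build a constructed sample tree: one healthy interface directory and one
# whose classification.config has been truncated to zero bytes.
make_sample() {
    for d in snort_1_em0 snort_2_em1; do
        mkdir -p "$1/$d/preproc_rules"
        echo 'alert ( msg:"constructed"; sid:1; gid:116; classtype:protocol-command-decode; )' \
            > "$1/$d/preproc_rules/decoder.rules"
        echo 'config reference: url http://' > "$1/$d/reference.config"
        echo 'config classification: protocol-command-decode,Generic Protocol Command Decode,3' \
            > "$1/$d/classification.config"
    done
    : > "$1/snort_1_em0/classification.config"   # reproduce the zero-length file
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "empty or missing config files:"; empty_configs "$tmp"
echo "undefined classtypes in snort_1_em0:"; undefined_classtypes "$tmp/snort_1_em0"
rm -rf "$tmp"
```

Run from cron or a monitoring agent, a non-empty result from either function flags the condition before the sensor fails to restart.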

            mediumgrade

            So far so good. I'll let you know.

            Thanks!

            IT Service and Consulting
            http://www.contouredsolutions.com

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.