Snort 2.9.4.6 Pkg v 2.5.9
-
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
Stephen
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
-
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
Stephen
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
Your welcome and thank you for many updates to this fine package.. Only 1 of my sensors is a vlan.. I'm going to disable it and see if that changes anything… If that doesn't, i'll remove the config... Can't remove the vlan interface itself without redoing a lot of work so it will have to stay
-
To resume:
The boot process is interfering with Snort Startup in my opinion or the other way around.
-
rc.newwanip detects an ip change while there isn't one and triggers a restart packages while Snort is starting, which takes a while
-
check_reload_status is also Starting Packages
Sometimes there is the -E argument instead of the -D in the process.
I believe it is still under investigation. And I don't have VLAN's.
My opinion is that Snort is starting up, no PID file until the process is completely started. In the meanwhile another Snort start is invoked by a script and no PID file is detected, so the first process is not stopped and a new Snort process is started.
-
-
Even tho I've disabled a sensor.. I still see a process for it when I reboot my box… The GUI tells me its disabled, but ps -ax shows me its running... I've seen this before when en/disabling rules... I would enable a a few rules then later turn them off to find that they weren't disabled.. Only work around i've found is to remove the package and re-install so it will read the config.xml and generate fresh config files
-
So I bought me a dual gigabit NIC. I now have WAN, LAN and the Guest LAN on three physical NICs as opposed to VLANs. I still have the same problem with multiple snort processes all on the same interface. I am clueless. Please help!
At start up
[2.1-RC2][admin@sense.home]/root(2): ps -ax | grep snort 33426 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 34178 ?? DNL 6:45.45 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 62838 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 64327 ?? DNL 6:25.72 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 54725 v0- IW 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 57256 v0- R 6:32.50 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 48672 0 DL+ 0:00.00 grep snort [2.1-RC2][admin@sense.home]/root(3):After executing killing these processes and manually restarting…
[2.1-RC2][admin@sense.home]/root(5): ps -ax | grep snort 715 ?? Ss 0:00.08 /usr/pbi/snort-amd64/bin/snort -R 22796 -D -q -l /var/log/snort/snort_re122796 --pid-path /var/run --nolock-pidfile -G 22796 -c /usr/pbi/snort-amd64/etc/snort/snort_22796_re1/snort.conf -i re1 51274 ?? Ss 0:04.80 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 73396 ?? Ss 0:00.66 /usr/pbi/snort-amd64/bin/snort -R 26667 -D -q -l /var/log/snort/snort_re026667 --pid-path /var/run --nolock-pidfile -G 26667 -c /usr/pbi/snort-amd64/etc/snort/snort_26667_re0/snort.conf -i re0 68790 0 S+ 0:00.00 grep snort [2.1-RC2][admin@sense.home]/root(6): -
So I bought me a dual gigabit NIC. I now have WAN, LAN and the Guest LAN on three physical NICs as opposed to VLANs. I still have the same problem with multiple snort processes all on the same interface. I am clueless. Please help!
At start up
[2.1-RC2][admin@sense.home]/root(2): ps -ax | grep snort 33426 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 34178 ?? DNL 6:45.45 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 62838 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 64327 ?? DNL 6:25.72 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 54725 v0- IW 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start 57256 v0- R 6:32.50 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 48672 0 DL+ 0:00.00 grep snort [2.1-RC2][admin@sense.home]/root(3):After executing killing these processes and manually restarting…
[2.1-RC2][admin@sense.home]/root(5): ps -ax | grep snort 715 ?? Ss 0:00.08 /usr/pbi/snort-amd64/bin/snort -R 22796 -D -q -l /var/log/snort/snort_re122796 --pid-path /var/run --nolock-pidfile -G 22796 -c /usr/pbi/snort-amd64/etc/snort/snort_22796_re1/snort.conf -i re1 51274 ?? Ss 0:04.80 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0 73396 ?? Ss 0:00.66 /usr/pbi/snort-amd64/bin/snort -R 26667 -D -q -l /var/log/snort/snort_re026667 --pid-path /var/run --nolock-pidfile -G 26667 -c /usr/pbi/snort-amd64/etc/snort/snort_26667_re0/snort.conf -i re0 68790 0 S+ 0:00.00 grep snort [2.1-RC2][admin@sense.home]/root(6):I'm still looking into this. Thus far I can't reproduce the problem in my VMware test setup, so it's still a bit of a mystery as to the root cause. I am not throwing in the towel yet, though.
Bill
-
Thanks Bill! How can I help?
-
Attaching a few screenshots of my snort configuration.
-
Hi Bill
I run a bunch of VLANS's and dont have this issue.
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
Stephen
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
-
Hi Bill
I run a bunch of VLANS's and dont have this issue.
Thanks for the feedback Brian. This a peculiar bug that does not seem to be easily reproduced. For the folks that have it, they are reporting it is 100% reproducible on their systems. For other systems…??
Bill
-
Thanks Bill! How can I help?
Thanks for the screenshots. I also sent you a PM asking for a little more information if you can share it.
Bill
-
Done! Let me know when you receive it. Also, let me know if I can provide any other information.
-
Done! Let me know when you receive it. Also, let me know if I can provide any other information.
I have it. Thanks. As I mentioned in my reply e-mail, I will be busy until the weekend and can take a look then.
Bill
-
Any luck, Bill?
-
Any luck, Bill?
Not yet. I can't reproduce the problem in my test environment. Does this only happen on a reboot for you, or does it also happen with the auto-rule updates in Snort?
EDIT: Never mind on the question. I looked back and see you provided the answer several posts back. You said it happens usually on restarts after the Snort rule updates.
Bill
-
When I had VLANs going, the repro was 100% at reboot time and every 12 hours (on a successful rule update). Now, that I have moved away from VLANs and spent some money retro fitting my laptop with additional Ethernet ports, the multiple snort processes issue only repros on restart. (I am going to jinx myself for making that claim).
-
When I had VLANs going, the repro was 100% at reboot time and every 12 hours (on a successful rule update). Now, that I have moved away from VLANs and spent some money retro fitting my laptop with additional Ethernet ports, the multiple snort processes issue only repros on restart. (I am going to jinx myself for making that claim).
Thanks for the clarification. I originally thought VLANs were at the root, but some other folks (Supermule, for one) have VLANs and don't have this issue. I will keep digging.
I have also been working this past weekend on getting the new Snort 2.9.5.3 binary going. I have a package built in my test environment that works. I want to get that new binary out by the end of this month and also update the package PHP code to 2.6.0. The new package code fixes a number of small bugs and adds multi-engine configurations for HTTP_INSPECT, Stream5 and Frag3.
Bill
-
Thanks is a poor word for what you have done to Snort and the comuunity Bill!
-
- I don't have any VLAN's set up.
- Running 2.1-RELEASE now
and I have issues with multiple Snort instances running every now and then. Last night there was only one instance of the Snort process, but since last upgrade there's another one running again. It was fine for a while after the upgrade, then I saw a extra instance running -> killall snort -> launch Snort again and it was fine for a few update cycles (maybe no actual update happened?) and now there are two instances running again.
[2.1-RELEASE][admin@pfsense.localdomain]/root(6): ps -ax | grep snort 55531 ?? SNs 0:47.02 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0 56242 ?? SNs 0:46.66 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0The update log looks a bit odd?
Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:03 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:03 Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:04 Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... Snort VRT md5 download failed. Server returned error code ''. Server error message was 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/snortrules-snapshot-2946.tar.gz.md5' Snort VRT rules will not be updated. Downloading EmergingThreats md5 file... EmergingThreats md5 file download failed. Server returned error code ''. The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5' EmergingThreats rules will not be updated. Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... The Rules update has finished. Time: 2013-09-17 14:15:01 Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-09-17 14:15:21 Done downloading rules file. Downloading EmergingThreats md5 file... EmergingThreats md5 file download failed. Server returned error code ''. The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5' EmergingThreats rules will not be updated. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-09-17 14:15:57I don't have syslog since 15th as syslog seems to have crashed soon after the upgrade to -RELEASE :F
Sep 15 13:23:22 syslogd: exiting on signal 15 -
- I don't have any VIP's set up.
- Running 2.1-RELEASE now
and I have issues with multiple Snort instances running every now and then. Last night there was only one instance of the Snort process, but since last upgrade there's another one running again. It was fine for a while after the upgrade, then I saw a extra instance running -> killall snort -> launch Snort again and it was fine for a few update cycles (maybe no actual update happened?) and now there are two instances running again.
[2.1-RELEASE][admin@pfsense.localdomain]/root(6): ps -ax | grep snort 55531 ?? SNs 0:47.02 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0 56242 ?? SNs 0:46.66 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0The update log looks a bit odd?
Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 02:15:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:03 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:03 Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-09-17 02:15:04 Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... Snort VRT md5 download failed. Server returned error code ''. Server error message was 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/snortrules-snapshot-2946.tar.gz.md5' Snort VRT rules will not be updated. Downloading EmergingThreats md5 file... EmergingThreats md5 file download failed. Server returned error code ''. The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5' EmergingThreats rules will not be updated. Starting rules update... Time: 2013-09-17 14:15:01 Downloading Snort VRT md5 file... The Rules update has finished. Time: 2013-09-17 14:15:01 Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-09-17 14:15:21 Done downloading rules file. Downloading EmergingThreats md5 file... EmergingThreats md5 file download failed. Server returned error code ''. The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5' EmergingThreats rules will not be updated. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-09-17 14:15:57I don't have syslog since 15th as syslog seems to have crashed soon after the upgrade to -RELEASE :F
Sep 15 13:23:22 syslogd: exiting on signal 15This is quite strange. The updates are failing (and the log looks weird) I assume because two processes are trying to do the same thing to the same file at the same time. The two processes are colliding during the MD5 file write, for one example.
Do you have any VLANs defined on an interface?
Bill
