Netgate Discussion Forum

    After rule update, snort just stopped

    • Mr. Jingles

      Good evening  ;D

      Snort just stopped after the rules-update  ???

      I have a paid oink-code, and the Emerging Threat rules installed as well. 30 mins ago a rule update ran, and now both WAN and LAN are stopped. I can't get them to start. The error is:

      
      snort[46326]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/netbios.so: /usr/local/lib/snort/dynamicrules/netbios.so: invalid file format
      

      What I've done, each step doing nothing:

      • Disable the netbios rules in ET
      • Disable the whole of ET (global settings)
      • Disable the whole of Snort rules (global settings)
      • Rebooting PFS with everything (thus) disabled
      • Reinstalling snort

      Nothing seems to work, they refuse to start  ???

      Google decided it also doesn't love me today  :-X

      Would anybody know what I can do next?

      Thank you in advance,

      Bye,

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      • maex

        Usually what fixed situations like these for me: uninstall the snort package (keeping settings - an option in the pfSense snort interface) - then reinstall.
        Wait until it is done!
        In my experience DONE is not necessarily the same as what the web-gui says.  If you use a lot of rules the web-gui tells you the update or install is done. But if you watch top you will realize that processes snort and package_reload (or so) may run very actively for a couple of minutes longer than that. My best practice: don't touch the web-gui while these processes finish the update.

        But I also have to say that I ran into these issues mostly when RAM was low. Never had these problems since I have 8GBs of RAM. Snort uses around 2,3 GB running, and 3-4 GBs while loading.

        If the above did not work for me - uninstall the snort package but also REMOVE settings - then reinstall and set up your interfaces and rules.

        • Mr. Jingles

          @maex:

          Usually what fixed situations like these for me: uninstall the snort package (keeping settings - an option in the pfSense snort interface) - then reinstall.
          Wait until it is done!
          In my experience DONE is not necessarily the same as what the web-gui says.  If you use a lot of rules the web-gui tells you the update or install is done. But if you watch top you will realize that processes snort and package_reload (or so) may run very actively for a couple of minutes longer than that. My best practice: don't touch the web-gui while these processes finish the update.

          But I also have to say that I ran into these issues mostly when RAM was low. Never had these problems since I have 8GBs of RAM. Snort uses around 2,3 GB running, and 3-4 GBs while loading.

          If the above did not work for me - uninstall the snort package but also REMOVE settings - then reinstall and set up your interfaces and rules.

          Thanks for your reply, Maex  ;D

          I think mine was another problem, some sort of error in the official VRT rules, since after there was another rule update, Snort suddenly worked again.

          6 and a half billion people know that they are stupid, aggressive, lower life forms.
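
A diagnostic for the error quoted in the first post, as an added example that is not part of the original thread or of the Snort package: it lists shared-object rule files that do not start with the ELF magic bytes. It assumes the loader's "invalid file format" message means the file is not a valid ELF object (for example a truncated or non-binary download); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find .so rule files that lack the ELF magic (0x7f 'E' 'L' 'F').
# Assumption: "invalid file format" from the loader means the file is not a
# valid ELF object, e.g. truncated or replaced by non-binary content.

# Print the first four bytes of a file as lowercase hex, e.g. 7f454c46.
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print one line per suspect .so file in directory $1.
# Returns 0 if every file looks like ELF, 1 if any does not,
# 2 if the directory does not exist.
check_dynamicrules() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue              # glob matched nothing
        size=$(wc -c < "$f" | tr -d ' ')
        magic=$(magic_of "$f")
        if [ "$magic" != "7f454c46" ]; then
            echo "NOT-ELF size=$size magic=${magic:-none} $f"
            bad=1
        fi
    done
    return $bad
}

# When run with a directory argument, check it, e.g. the path from the error:
#   sh check_so.sh /usr/local/lib/snort/dynamicrules
[ "$#" -eq 0 ] || check_dynamicrules "$1"
```

A file reported here with a small size or a text-like magic value points at a bad rule download rather than at the Snort configuration.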
