SNORT Exiting on sig 11



  • I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the custom.rules in the pfSense GUI:

    alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)
    

    The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com the interface quits (red x next to WAN interface in snort interface list).  I get the following in my system logs:

    Oct 5 15:51:55	kernel: em0: promiscuous mode disabled
    Oct 5 15:51:55	kernel: pid 75200 (snort), uid 0: exited on signal 11
    Oct 5 15:51:37	kernel: em0: promiscuous mode enabled
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Oct 5 15:51:32	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Oct 5 15:51:32	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...
    

    I've tried a couple different rules with traffic I can easily generate to test, but this is the same result each time.  I assume this must be a formatting issue with my rule or the use of custom rules altogether.  Any help would be appreciated.

    pfSense 2.1-release
    snort 2.9.4.6 pkg v. 2.6.0



  • @kodiak80:

    I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the custom.rules in the pfSense GUI:

    alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)
    

    The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com the interface quits (red x next to WAN interface in snort interface list).  I get the following in my system logs:

    Oct 5 15:51:55	kernel: em0: promiscuous mode disabled
    Oct 5 15:51:55	kernel: pid 75200 (snort), uid 0: exited on signal 11
    Oct 5 15:51:37	kernel: em0: promiscuous mode enabled
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
    Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Oct 5 15:51:32	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Oct 5 15:51:32	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...
    

    I've tried a couple different rules with traffic I can easily generate to test, but this is the same result each time.  I assume this must be a formatting issue with my rule or the use of custom rules altogether.  Any help would be appreciated.

    pfSense 2.1-release
    snort 2.9.4.6 pkg v. 2.6.0

    Your custom rule is incomplete.  Snort insists now on having the "classification" parameter defined in all rules.  Look at some of the stock rules to see what I mean.  All of the valid classifications are contained in the classification.config file.

    What's happening to you is that when the rule triggers, the Snort binary attempts to find the correct classification text to print to the logs.  It gets a null string and must try to act on that.  This is the behavior of the Snort binary itself and not something I can fix in the PHP package on pfSense.

    Bill
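    A small checker, added here as an example (not code from the pfSense Snort package or from anyone in this thread), that reads a classification.config and a custom.rules file and reports rules that lack msg, sid or classtype, or that name a classtype the config does not declare. The config and rules text below are constructed samples: the crashing rule from the first post, its fixed form, and a rule with a misspelled classtype.

```python
import re

# Constructed sample in classification.config syntax (not the file from the post):
#   config classification: <classtype>,<description>,<priority>
CLASSIFICATION_CONFIG = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed custom.rules: the crashing rule from the post, its fixed form,
# and a third rule whose classtype is misspelled.
CUSTOM_RULES = """\
alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)
alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; classtype: inappropriate-content; sid: 10001; rev: 2;)
alert tcp any any -> 64.14.253.214 80 (msg: "typo"; classtype: inapropriate-content; sid: 10002;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),")
# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s*\((.*)\)$")
# key[: value]; -- a quoted value may itself contain ';'
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
REQUIRED = ("msg", "sid", "classtype")

def load_classtypes(text):
    """Return the set of classtype names declared in classification.config text."""
    return {m.group(1).strip() for m in map(CLASS_RE.match, text.splitlines()) if m}

def parse_options(body):
    """Map rule option keywords to their (unquoted) values; flag options map to ''."""
    return {k: (v or "").strip().strip('"') for k, v in OPT_RE.findall(body)}

def check_rules(rules_text, classtypes):
    """Return (line_no, problem) pairs for rules missing a required option
    or naming a classtype absent from classification.config."""
    problems = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "unparseable rule"))
            continue
        opts = parse_options(m.group(2))
        problems += [(n, f"missing {k}") for k in REQUIRED if k not in opts]
        ct = opts.get("classtype")
        if ct is not None and ct not in classtypes:
            problems.append((n, f"unknown classtype {ct!r}"))
    return problems

if __name__ == "__main__":
    for n, why in check_rules(CUSTOM_RULES, load_classtypes(CLASSIFICATION_CONFIG)):
        print(f"custom.rules line {n}: {why}")
```

    Point it at the real files (/usr/local/etc/snort/classification.config on pfSense, and the custom.rules text from the GUI) before restarting an interface, so a rule that the binary would choke on when it fires is caught at edit time instead.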



  • That fixed it!  Thanks, I knew it had to be something trivial.  I set it as 'inappropriate-content' and it works as expected.  Now I just need to learn how to make that rule only generate one alert rather than the 31 it did now that I got it running.  I appreciate your help.



  • Hey everyone,
    I'm quite new to pfSense and Snort and having (I think) the same issue.

    Jan 10 12:40:19 php-fpm[47125]: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(xn0)…
    Jan 10 12:40:19 php-fpm[47125]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Jan 10 12:40:25 php-fpm[47125]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Jan 10 12:40:26 php-fpm[47125]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
    Jan 10 12:40:27 php-fpm[47125]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(xn0)…
    Jan 10 12:40:27 snort[74808]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 10 12:40:46 kernel: xn0: promiscuous mode enabled
    Jan 10 12:41:03 snort[77663]: [1:2009582:3] ET SCAN NMAP -sS window 1024 [Classification: Attempted Information Leak] [Priority: 2] {TCP} 212.47.xxx.xxx:45767 -> 77.21.xxx.xxx:21320
    Jan 10 12:48:50 kernel: pid 77663 (snort), uid 0: exited on signal 11
    Jan 10 12:48:50 kernel: xn0: promiscuous mode disabled

    Do you have any idea how to handle that problem?
    Where do I find the classification.config file and how can I edit it?

    As far as I know, I never used an individual classification file, just have enabled (paid) Snort VRT rules, Emerging Threats and OpenAppID detectors.

    Hope that is enough information for a solution! :)

    Thx
    Teddy

    Edit:
    Found the window, where to edit configuration files.
    Failure still persisting, with the same failure log. After about 5 minutes, snort crashes and the service stays stopped until I manually restart it in the WebGUI. :(

    Solution (looks like at least…):
    Uninstall Snort and delete all the settings.
    New Setup and Configuration by hand, now it looks like working stable.



  • Problem still existing, no one any idea?

    Jan 15 10:59:53 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Jan 15 10:59:59 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jan 15 10:59:59 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
    Jan 15 11:00:01 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(xn0)...
    Jan 15 11:00:01 	snort[10495]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 15 11:00:22 	kernel: xn0: promiscuous mode enabled
    Jan 15 11:06:31 	kernel: pid 28595 (snort), uid 0: exited on signal 11
    Jan 15 11:06:31 	kernel: xn0: promiscuous mode disabled
    

    Snort 2.9.7.6 pkg v3.2.9.1



  • I just installed Snort on a Linux box and I got the same error, seems like the first line of appMapping data of appID is corrupted with the latest version. Wouldn't be the first time an appID update goes wrong. Try disabling OpenAppID and restart snort on that interface… until the next version of the preprocessor is released.

    F.

    @Teddy:

    Problem still existing, no one any idea?

    Jan 15 10:59:53 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Jan 15 10:59:59 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jan 15 10:59:59 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
    Jan 15 11:00:01 	php-fpm[68023]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(xn0)...
    Jan 15 11:00:01 	snort[10495]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 15 11:00:22 	kernel: xn0: promiscuous mode enabled
    Jan 15 11:06:31 	kernel: pid 28595 (snort), uid 0: exited on signal 11
    Jan 15 11:06:31 	kernel: xn0: promiscuous mode disabled
    

    Snort 2.9.7.6 pkg v3.2.9.1



  • @fsansfil:

    I just installed Snort on a Linux box and I got the same error, seems like the first line of appMapping data of appID is corrupted with the latest version. Wouldn't be the first time an appID update goes wrong. Try disabling OpenAppID and restart snort on that interface… until the next version of the preprocessor is released.

    Well, great that I'm not alone with this fault.
    What I could find out so far:

    Manual update of Snort (including OpenAppID) works fine and snort is running.
    On automatic update, OpenAppID sometimes fails to update and then it crashes again and again and again.



  • @fsansfil:

    I just installed Snort on a Linux box and I got the same error, seems like the first line of appMapping data of appID is corrupted with the latest version. Wouldn't be the first time an appID update goes wrong. Try disabling OpenAppID and restart snort on that interface… until the next version of the preprocessor is released.

    F.

    A crash on Linux as well definitely indicates a problem within the openappid files themselves.  Anything showing up on the Snort mailing list? Ashamedly, I must confess to not being subscribed to the list at the moment… :-[.

    Bill



  • Well, on Linux, Snort will still load even with the error, and deleting the first line of appMapping.data removes the error…

    It's clearly on Snort's end, the problem; just downloaded snort-openappid.tar.gz today from https://www.snort.org/downloads and the first line is still bogus.

    F.



  • Problem again came up.

    Snort is exiting every few minutes on the same fault message.

    Jan 31 12:25:45 	SnortStartup[32739]: Snort START for WAN(7152_xn0)...
    Jan 31 12:25:45 	snort[33000]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 31 12:25:57 	kernel: xn0: promiscuous mode enabled
    Jan 31 12:29:23 	kernel: pid 43186 (snort), uid 0: exited on signal 11
    Jan 31 12:29:23 	kernel: xn0: promiscuous mode disabled
    

    I'm so fed up, worked for a few days without any problem and now the same sh… again.  :-X