Snort not Restarting after update


  • Moderator

    Does anyone else have issues with Snort not restarting after the Rule update process?

    ps aux shows no running or crashed processes.

    An email notification process would be nice to have?

    Router "A"

    Apr 1 20:01:31 kernel: pid 8509 (snort), uid 0: exited on signal 11
    Apr 1 20:01:30 kernel: pid 8263 (snort), uid 0: exited on signal 11

    Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
    Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
    Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Apr 1 20:01:12 check_reload_status: Reloading filter
    Apr 1 20:01:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Apr 1 20:01:12 check_reload_status: Restarting ipsec tunnels
    Apr 1 20:01:12 check_reload_status: updating dyndns WANGW
    Apr 1 20:00:18 check_reload_status: Reloading filter
    Apr 1 20:00:18 check_reload_status: Syncing firewall
    Apr 1 20:00:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…

    Router "B"

    Apr 1 14:51:48 kernel: MCA: CPU 0 COR ICACHE LG IRD error
    Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
    Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
    Apr 1 14:51:48 kernel: MCA: Bank 2, Status 0x9000000000000153
    Apr 1 14:51:48 kernel: MCA: Misc 0x14000298002a0
    Apr 1 14:51:48 kernel: MCA: Address 0xae6d80
    Apr 1 14:51:48 kernel: MCA: CPU 0 COR OVER GCACHE L1 SNOOP error
    Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
    Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
    Apr 1 14:51:48 kernel: MCA: Bank 0, Status 0xcc00000120040189
    Apr 1 14:41:24 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Apr 1 14:41:22 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
    Apr 1 14:41:21 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
    Apr 1 14:41:09 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
    Apr 1 14:41:08 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 1 14:41:07 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 1 14:40:55 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
    Apr 1 14:40:55 kernel: bge0: promiscuous mode disabled
    Apr 1 14:40:55 kernel: pid 87199 (snort), uid 0: exited on signal 11
    Apr 1 14:40:55 kernel: rl0: promiscuous mode disabled
    Apr 1 14:40:55 kernel: pid 57983 (snort), uid 0: exited on signal 11

    Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Expected File MD5: e78dad26533484b210a6994ecdccfd70
    Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: 5ec97993d2795f31dd481fd556a99ebc
    Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file download failed. Bad MD5 checksum
    Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
    Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
    Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Apr 1 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…

    Router "C"

    Apr 1 15:03:00 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Apr 1 15:02:58 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
    Apr 1 15:02:57 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
    Apr 1 15:02:52 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Apr 1 15:02:48 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
    Apr 1 15:02:47 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 1 15:02:46 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 1 15:02:39 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Apr 1 15:02:34 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
    Apr 1 15:02:30 kernel: bge1: promiscuous mode disabled
    Apr 1 15:02:30 kernel: pid 81441 (snort), uid 0: exited on signal 10
    Apr 1 15:02:30 kernel: pid 64065 (snort), uid 0: exited on signal 10

    Apr 1 15:02:22 check_reload_status: Reloading filter
    Apr 1 15:02:22 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Apr 1 15:02:22 check_reload_status: Restarting ipsec tunnels
    Apr 1 15:02:22 check_reload_status: updating dyndns WAN_PPPOE
    Apr 1 15:02:15 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
    Apr 1 15:02:14 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Apr 1 15:01:32 check_reload_status: Reloading filter
    Apr 1 15:01:32 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Apr 1 15:01:32 check_reload_status: Restarting ipsec tunnels
    Apr 1 15:01:32 check_reload_status: updating dyndns WAN_PPPOE
    Apr 1 15:01:21 check_reload_status: Reloading filter
    Apr 1 15:01:21 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Apr 1 15:01:21 check_reload_status: Restarting ipsec tunnels
    Apr 1 15:01:21 check_reload_status: updating dyndns WAN_PPPOE
    Apr 1 15:00:26 check_reload_status: Reloading filter
    Apr 1 15:00:26 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Apr 1 15:00:26 check_reload_status: Restarting ipsec tunnels
    Apr 1 15:00:26 check_reload_status: updating dyndns WAN_PPPOE
    Apr 1 15:00:22 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…



  • @BBcan17:


    I have not seen a problem with my home firewall, but then I probably am not running as many rules (especially ET rules) as you may be.  My first guess would be a problem with a new or updated rule that got downloaded.  I did see what could be a similar issue a day or so back when testing the new Snort update in my virtual machine army.  I did not investigate it any further, and the next time it did not happen.

    As for an e-mail when Snort fails to restart after an update, I may be able to get something in place.  I will put that on my TODO list of features.

    Bill
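The check the thread asks for (notice that Snort died right after the rule update and has not come back, then produce the text an e-mail hook could send) as an added example; this is not code from the pfSense Snort package or from Bill. It assumes the caller fetches the system-log text and the list of live snort pids (from ps) itself; the sample log is constructed from the Router "A" excerpt above.

```python
import re

# FreeBSD signal numbers as they appear in the thread's kernel messages (pfSense is FreeBSD-based)
SIGNAL_NAMES = {10: "SIGBUS", 11: "SIGSEGV"}

CRASH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) kernel: pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")
UPDATE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) php: snort_check_for_rule_updates\.php: \[Snort\] (.+)$")

# Constructed sample, modelled on the Router "A" lines (pfSense shows the system log newest-first).
SAMPLE_LOG = """\
Apr 1 20:01:31 kernel: pid 8509 (snort), uid 0: exited on signal 11
Apr 1 20:01:30 kernel: pid 8263 (snort), uid 0: exited on signal 11
Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
Apr 1 20:01:12 check_reload_status: Reloading filter
Apr 1 20:00:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz...
"""

def parse_log(text):
    """Split the log into snort crash records and rule-update messages, oldest first."""
    crashes, updates = [], []
    for seq, line in enumerate(reversed(text.strip().splitlines())):
        m = CRASH_RE.match(line)
        if m:
            sig = int(m.group(3))
            crashes.append({"seq": seq, "time": m.group(1), "pid": int(m.group(2)),
                            "signal": sig, "name": SIGNAL_NAMES.get(sig, f"SIG{sig}")})
            continue
        m = UPDATE_RE.match(line)
        if m:
            updates.append({"seq": seq, "time": m.group(1), "msg": m.group(2)})
    return crashes, updates

def assess(text, running_snort_pids):
    """Alert when a rule update ran, snort exited on a signal afterwards, and no
    snort process is left (running_snort_pids is what ps reports; empty in the thread)."""
    crashes, updates = parse_log(text)
    died_after_update = bool(updates) and any(c["seq"] > updates[0]["seq"] for c in crashes)
    return {"alert": died_after_update and not running_snort_pids,
            "crashes": crashes, "updates": len(updates), "running": list(running_snort_pids)}

def alert_text(verdict):
    """Plain-text body for the notification e-mail; empty string when there is nothing to report."""
    if not verdict["alert"]:
        return ""
    lines = ["Snort did not come back after the rule update:"]
    for c in verdict["crashes"]:
        lines.append(f"  {c['time']} pid {c['pid']} exited on signal {c['signal']} ({c['name']})")
    lines.append("No snort process is running; restart the service and review the newly downloaded rules.")
    return "\n".join(lines)

if __name__ == "__main__":
    print(alert_text(assess(SAMPLE_LOG, [])))
```

Signal 10 on Router "C" is reported as SIGBUS because the table uses FreeBSD numbering; on Linux the same number would mean something else.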


  • Moderator

    Thanks Bill,

    Are there any other logs that I could look at to see where the issue could be? One of those routers is using the Open ET ruleset ("C"), so it's most likely not a recent rule, as the open ruleset is 30 days behind.



  • @BBcan17:


    Snort logs everything it logs to the system log, so if nothing is there to give a hint, you are out of luck.  Snort is not as "helpful" with logging as Suricata.  All of that is under control of the binary, so nothing can be done from the GUI package side.

    As for those rules, my understanding is the 30-day timer is actually per rule.  So some "rule X" in the set may hit 30 days old today and wind up in the ET Open collection while other rules may not.  At least that's how I believe it works on the Snort subscriber versus registered-user rules.

    Bill

