Netgate Discussion Forum

    Snort[92758]: *** Caught Term-Signal (Snort GPL+VRT rules, OR ETOpen rules only)

    • Nadrek

      pfSense 2.1.2, amd64, hard drive and 8GB of RAM.
      Snort package 2.9.6.0 pkg 3.0.6

      Barnyard2 is disabled.

      I've been running Snort for a while with the community Emerging Threats Open ruleset.  A couple days ago I enabled the Snort GPLv2 Community Rules (VRT certified) as well as got an Oinkmaster code for the free registered VRT rules.  Snort worked fine yesterday, I believe - it was certainly blocking 58 IPs.

      Today, it's failing:
      snort[92758]: *** Caught Term-Signal

      Then I disabled the Snort GPLv2 and VRT rules entirely (Global Settings), and it still fails:
      snort[1099]: *** Caught Term-Signal

      A full log snippet from system logs:
      Apr 24 03:02:47 kernel: em0: promiscuous mode disabled
      Apr 24 03:02:46 snort[1099]: *** Caught Term-Signal
      Apr 24 03:02:45 php: /snort/snort_interfaces.php: [Snort] Snort STOP for Main WAN Snort set(em0)…
      Apr 24 03:02:45 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(Main WAN Snort set)...
      Apr 24 03:02:28 kernel: em0: promiscuous mode enabled
      Apr 24 03:02:16 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)…
      Apr 24 03:02:15 check_reload_status: Syncing firewall
      Apr 24 03:02:14 check_reload_status: Syncing firewall
      Apr 24 03:02:12 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
      Apr 24 03:02:11 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Apr 24 03:02:01 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      Apr 24 03:02:01 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Main WAN Snort set)...

      EDITED:
      Now I've re-enabled the GPLv2 and VRT rules, and disabled ETOpen, and it STILL fails?

      Apr 24 03:14:58 kernel: em0: promiscuous mode disabled
      Apr 24 03:14:58 snort[41871]: *** Caught Term-Signal
      Apr 24 03:14:57 php: /snort/snort_interfaces.php: [Snort] Snort STOP for Main WAN Snort set(em0)…
      Apr 24 03:14:57 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(Main WAN Snort set)...
      Apr 24 03:10:40 kernel: em0: promiscuous mode enabled
      Apr 24 03:10:24 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)…

      Current rules:
      Rule Set Name/Publisher     | MD5 Signature Hash               | MD5 Signature Date
      Snort VRT Rules             | d62142ce88c371ce4299412bd2eb0c41 | Thursday, 24-Apr-14 02:41:29 UTC
      Snort GPLv2 Community Rules | 49ad8bbc8671ad84854267ea3c0255ae | Wednesday, 23-Apr-14 14:41:02 UTC
      Emerging Threats Open Rules | b127769d30676580c8ca707fd8f255f8 | Thursday, 24-Apr-14 02:41:30 UTC

      • bmeeks

        Try this.  Go to the GLOBAL SETTINGS tab and be sure the "save settings on deinstall" checkbox is checked.  Then go to System…Packages and remove the Snort package completely.  Return to System…Packages and reinstall Snort.

        If that does not fix it, report back.  Those log entries look a bit funny.  You appear to have Snort starting twice in close succession on the same interface.  The entry at 3:02:01 tagged with "toggle" would be a manual start from the icons on the Snort Interfaces tab.  However, there is then another start signal issued at 3:02:16 for the same interface.

        I see the interfaces say "Main WAN".  Does this mean you have multiple WANs?  If so, are you running Snort on both?

        Bill
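The pattern pointed out in the reply above (a "Toggle (snort starting)" entry followed shortly by a "Snort START" entry for the same interface), as an added example that is not part of the original thread or of the Snort package: a Python check run over constructed sample lines in the same log layout. The 60-second window, the year 2014 and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the system-log layout quoted in the thread (newest first).
SAMPLE_LOG = """\
Apr 24 03:10:24 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)...
Apr 24 03:02:46 snort[1099]: *** Caught Term-Signal
Apr 24 03:02:45 php: /snort/snort_interfaces.php: [Snort] Snort STOP for Main WAN Snort set(em0)...
Apr 24 03:02:16 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)...
Apr 24 03:02:15 check_reload_status: Syncing firewall
Apr 24 03:02:01 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Main WAN Snort set)...
"""

LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<msg>.*)$")
# The two kinds of start entry carry the interface description in different places.
START_PATTERNS = [
    ("toggle", re.compile(r"Toggle \(snort starting\) for [^(]+\((?P<descr>[^)]*)\)")),
    ("START", re.compile(r"\[Snort\] Snort START for (?P<descr>.+?)\(")),
]

def start_signals(log_text, year=2014):
    """Return (time, kind, description) for each start entry, oldest first.
    Syslog lines carry no year, so one is assumed (2014 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        for kind, rx in START_PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((when, kind, hit["descr"].strip()))
    return sorted(events)

def repeated_starts(log_text, window_s=60, year=2014):
    """Flag consecutive start signals for one interface within window_s seconds."""
    last, findings = {}, []
    for when, kind, descr in start_signals(log_text, year):
        prev = last.get(descr)
        if prev and (when - prev[0]).total_seconds() <= window_s:
            findings.append((descr, prev[1], prev[0].strftime("%H:%M:%S"),
                             kind, when.strftime("%H:%M:%S")))
        last[descr] = (when, kind)
    return findings

if __name__ == "__main__":
    for finding in repeated_starts(SAMPLE_LOG):
        print("repeated start:", finding)
```
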

        • Nadrek

          I only have one WAN; it's named "Main WAN" because I have hopes of setting up a secondary WAN connection in the future.

          Snort appeared to be started with all three rulesets - I'd noticed the failure before starting to set up some more VLANs.  Nonetheless, I double-checked the setting (as I do before every "upgrade" using the uninstall/reinstall technique), and then uninstalled and reinstalled.

          It definitely looks OK now, and blocking is fully functional; thank you very much for the very clear advice and for your time.

          • bmeeks

            @Nadrek:

            I only have one WAN; it's named "Main WAN" because I have hopes of setting up a secondary WAN connection in the future.

            Snort appeared to be started with all three rulesets - I'd noticed the failure before starting to set up some more VLANs.  Nonetheless, I double-checked the setting (as I do before every "upgrade" using the uninstall/reinstall technique), and then uninstalled and reinstalled.

            It definitely looks OK now, and blocking is fully functional; thank you very much for the very clear advice and for your time.

            Glad things are fixed for you… :)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.