Snort[92758]: *** Caught Term-Signal (Snort GPL+VRT rules, OR ETOpen rules only)



  • pfSense 2.1.2, amd64, hard drive and 8GB of RAM.
    Snort package 2.9.6.0 pkg 3.0.6

    Barnyard2 is disabled.

    I've been running Snort for awhile with the community Emerging Threats Open ruleset.  A couple days ago I enabled the Snort GPLv2 Community Rules (VRT certified) as well as got an Oinkmaster code for the free registered VRT rules.  Snort worked fine yesterday, I believe - it was certainly blocking 58 IP's.

    Today, it's failing:
    snort[92758]: *** Caught Term-Signal

    then I disabled the snort GPLv2 and VRT rules entirely (Global Settings), and it still fails:
    snort[1099]: *** Caught Term-Signal

    A full log snippet from system logs:
    Apr 24 03:02:47 kernel: em0: promiscuous mode disabled
    Apr 24 03:02:46 snort[1099]: *** Caught Term-Signal
    Apr 24 03:02:45 php: /snort/snort_interfaces.php: [Snort] Snort STOP for Main WAN Snort set(em0)…
    Apr 24 03:02:45 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(Main WAN Snort set)...
    Apr 24 03:02:28 kernel: em0: promiscuous mode enabled
    Apr 24 03:02:16 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)…
    Apr 24 03:02:15 check_reload_status: Syncing firewall
    Apr 24 03:02:14 check_reload_status: Syncing firewall
    Apr 24 03:02:12 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 24 03:02:11 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 24 03:02:01 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 24 03:02:01 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Main WAN Snort set)...

    EDITED:
    Now I've re-enabled the GPLv2 and VRT rules, and disabled ETOpen, and it STILL fails?

    Apr 24 03:14:58 kernel: em0: promiscuous mode disabled
    Apr 24 03:14:58 snort[41871]: *** Caught Term-Signal
    Apr 24 03:14:57 php: /snort/snort_interfaces.php: [Snort] Snort STOP for Main WAN Snort set(em0)…
    Apr 24 03:14:57 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(Main WAN Snort set)...
    Apr 24 03:10:40 kernel: em0: promiscuous mode enabled
    Apr 24 03:10:24 php: /snort/snort_interfaces.php: [Snort] Snort START for Main WAN Snort set(em0)…

    Current rules:
    Rule Set Name/Publisher MD5 Signature Hash MD5 Signature Date
    Snort VRT Rules d62142ce88c371ce4299412bd2eb0c41 Thursday, 24-Apr-14 02:41:29 UTC
    Snort GPLv2 Community Rules 49ad8bbc8671ad84854267ea3c0255ae Wednesday, 23-Apr-14 14:41:02 UTC
    Emerging Threats Open Rules b127769d30676580c8ca707fd8f255f8 Thursday, 24-Apr-14 02:41:30 UTC



  • Try this.  Go to the GLOBAL SETTINGS tab and be sure the "save settings on deinstall" checkbox is checked.  Then go to System…Packages and remove the Snort package completely.  Return to System…Packages and reinstall Snort.

    If that does not fix it, report back.  Those log entries look a bit funny.  You appear to have Snort starting twice in close succession on the same interface.  The entry at 3:02:01 tagged with "toggle" would be a manual start from the icons on the Snort Interfaces tab.  However, there is then another start signal issued at 3:02:16 for the same interface.

    I see the interfaces say "Main WAN".  Does this mean you have multiple WANs?  If so, are you running Snort on both?

    Bill



  • I only have one WAN; it's named "Main WAN" because I have hopes of setting up a secondary WAN connection in the future.

    Snort appeared to be started with all three rulesets - I'd noticed the failure before starting to set up some more VLANs.  Nonetheless, I double-checked the setting (as I do before every "upgrade" using the uninstall/reinstall technique), and then uninstalled and reinstalled.

    It definitely looks OK now, and blocking is fully functional; thank you very much for the very clear advice and for your time.



  • @Nadrek:

    I only have one WAN; it's named "Main WAN" because I have hopes of setting up a secondary WAN connection in the future.

    Snort appeared to be started with all three rulesets - I'd noticed the failure before starting to set up some more VLANs.  Nonetheless, I double-checked the setting (as I do before every "upgrade" using the uninstall/reinstall technique), and then uninstalled and reinstalled.

    It definitely looks OK now, and blocking is fully functional; thank you very much for the very clear advice and for your time.

    Glad things are fixed for you… :)