Netgate Discussion Forum

    Snort 2.9.6.0 pkg v3.0.8 - Restart issue after update

    • BBcan177 (Moderator)

      I had four of my Snort boxes not restart after the Rule Update process today.

      Here is a snapshot of one of the boxes' system logs.

      Did anyone else see this behavior?

      May 9 00:25:54 snort[80793]: [1:2402000:3336] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
      May 9 00:25:54 snort[80793]: [1:2402000:3336] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
      May 9 00:25:54 snort[80793]: [1:2500080:3230] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
      May 9 00:25:54 snort[80793]: [1:2500080:3230] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22

      (Alerts Logging again)

      May 9 00:24:19 kernel: bge0: promiscuous mode enabled

      (Manual Restart of the LAN Interface)

      May 9 00:23:32 php: /snort/snort_interfaces.php: [Snort] Snort START for Lan(bge0)…
      May 9 00:23:32 check_reload_status: Syncing firewall
      May 9 00:23:31 check_reload_status: Syncing firewall
      May 9 00:23:28 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
      May 9 00:23:27 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
      May 9 00:23:13 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
      May 9 00:23:11 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
      May 9 00:23:10 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 9 00:22:56 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      May 9 00:22:56 php: /snort/snort_interfaces.php: Toggle (snort starting) for LAN(Lan)...
      May 9 00:22:49 kernel: rl0: promiscuous mode enabled

      (Manual restart of the WAN Interface)

      May 9 00:22:02 php: /snort/snort_interfaces.php: [Snort] Snort START for Snort pfSense(rl0)…
      May 9 00:22:02 check_reload_status: Syncing firewall
      May 9 00:22:01 check_reload_status: Syncing firewall
      May 9 00:21:58 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
      May 9 00:21:57 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
      May 9 00:21:43 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
      May 9 00:21:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
      May 9 00:21:40 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 9 00:21:26 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      May 9 00:21:26 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Snort pfSense)...

      May 8 20:40:43 check_reload_status: Syncing firewall
      May 8 20:40:43 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      May 8 20:40:40 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
      May 8 20:40:39 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
      May 8 20:40:25 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
      May 8 20:40:23 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
      May 8 20:40:22 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 8 20:40:08 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
      May 8 20:40:07 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
      May 8 20:40:03 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
      May 8 20:40:02 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…

      May 8 14:41:28 check_reload_status: Syncing firewall
      May 8 14:41:27 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      May 8 14:41:25 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
      May 8 14:41:24 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
      May 8 14:41:10 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
      May 8 14:41:08 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
      May 8 14:41:06 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 8 14:40:53 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …

      (SNORT STOPPED)

      May 8 14:40:51 kernel: bge0: promiscuous mode disabled
      May 8 14:40:51 kernel: pid 14819 (snort), uid 0: exited on signal 11
      May 8 14:40:51 kernel: rl0: promiscuous mode disabled
      May 8 14:40:51 kernel: pid 13736 (snort), uid 0: exited on signal 11
      May 8 14:40:47 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules are up to date…
      May 8 14:40:47 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      May 8 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…

      (Last Alerts reported)

      May 8 14:31:07 snort[13736]: [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 59.175.148.22:6000 -> X.X.X.X:3306
      May 8 14:31:07 snort[13736]: [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 59.175.148.22:6000 -> X.X.X.X:3306

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • Supermule (Banned)

        I don't see this on all of my 2.0.3 boxes running in VMs.

        • Guest

          Same Snort version on three boxes. I had a comparable issue two days ago on one box (they have different times to update). Resolved after reboot.

          • BBcan177 (Moderator)

            Since my last post, this has only happened once more on one of my boxes.
            • Guest

              …throughout the last days sometimes not all interfaces come up after the update (one box had that yesterday and today). Trying to restart the respective interface manually results in lengthy procedures (build new sig-msg.map for ALL interfaces, re-start of ALL interfaces) on the embedded system and in the end, another interface might be down...
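
A detection example for the failure shown in this thread, added here and not code from any poster or from the Snort package: it reads pfSense system-log lines, records Snort crashes, and reports how long each interface went unmonitored, using the kernel's promiscuous-mode messages as a proxy for the sensor being attached. The function name, the `year` parameter (the log lines carry no year) and the proxy itself are assumptions; the sample lines are copied from the first post's log excerpt.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?)(?:\[\d+\])?: (.*)$")
PROMISC = re.compile(r"^(\w+): promiscuous mode (enabled|disabled)$")
CRASH = re.compile(r"^pid (\d+) \(snort\), uid \d+: exited on signal (\d+)$")

# Kernel and updater lines copied from the first post (newest first, as posted).
SAMPLE = """\
May 9 00:24:19 kernel: bge0: promiscuous mode enabled
May 9 00:22:49 kernel: rl0: promiscuous mode enabled
May 8 20:40:43 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 8 14:40:51 kernel: bge0: promiscuous mode disabled
May 8 14:40:51 kernel: pid 14819 (snort), uid 0: exited on signal 11
May 8 14:40:51 kernel: rl0: promiscuous mode disabled
May 8 14:40:51 kernel: pid 13736 (snort), uid 0: exited on signal 11
"""

def snort_outages(lines, year=2000):
    """Return (outages, crashes) from syslog lines given in any order.

    outages: (iface, down_at, up_at) tuples; up_at is None if still down.
    crashes: (time, pid, signal) tuples for snort processes killed by a signal.
    `year` is an assumed value, needed only because syslog omits the year.
    """
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])  # the GUI log view lists newest first
    down_since, outages, crashes = {}, [], []
    for ts, proc, msg in events:
        if proc != "kernel":
            continue
        crash, promisc = CRASH.match(msg), PROMISC.match(msg)
        if crash:
            crashes.append((ts, int(crash.group(1)), int(crash.group(2))))
        elif promisc and promisc.group(2) == "disabled":
            down_since.setdefault(promisc.group(1), ts)  # keep first drop
        elif promisc and promisc.group(1) in down_since:
            iface = promisc.group(1)
            outages.append((iface, down_since.pop(iface), ts))
    # Interfaces that never came back are the ones to alert on.
    outages += [(iface, since, None) for iface, since in down_since.items()]
    return outages, crashes

if __name__ == "__main__":
    for iface, down, up in snort_outages(SAMPLE.splitlines())[0]:
        print(iface, down, "->", up or "STILL DOWN")
```

Other tools that open an interface for capture also toggle promiscuous mode, so an alert built on this should be confirmed against the Snort process list before acting on it.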
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.