Snort 2.9.6.0 pkg v3.0.8 - Restart issue after update

BBcan177

I had four of my Snort boxes not restart after the Rule Update process today.

Here is a snapshot of one of the Boxes System Logs.

Did anyone else see this behavior?

May 9 00:25:54 snort[80793]: [1:2402000:3336] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
May 9 00:25:54 snort[80793]: [1:2402000:3336] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
May 9 00:25:54 snort[80793]: [1:2500080:3230] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22
May 9 00:25:54 snort[80793]: [1:2500080:3230] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.165.200:13715 -> X.X.X.X:22

(Alerts Logging again)

May 9 00:24:19 kernel: bge0: promiscuous mode enabled

(Manual Restart of the LAN Interface)

May 9 00:23:32 php: /snort/snort_interfaces.php: [Snort] Snort START for Lan(bge0)…
May 9 00:23:32 check_reload_status: Syncing firewall
May 9 00:23:31 check_reload_status: Syncing firewall
May 9 00:23:28 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
May 9 00:23:27 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
May 9 00:23:13 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
May 9 00:23:11 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
May 9 00:23:10 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
May 9 00:22:56 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
May 9 00:22:56 php: /snort/snort_interfaces.php: Toggle (snort starting) for LAN(Lan)...
May 9 00:22:49 kernel: rl0: promiscuous mode enabled

(Manual restart of the WAN Interface)

May 9 00:22:02 php: /snort/snort_interfaces.php: [Snort] Snort START for Snort pfSense(rl0)…
May 9 00:22:02 check_reload_status: Syncing firewall
May 9 00:22:01 check_reload_status: Syncing firewall
May 9 00:21:58 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
May 9 00:21:57 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
May 9 00:21:43 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
May 9 00:21:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
May 9 00:21:40 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
May 9 00:21:26 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
May 9 00:21:26 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Snort pfSense)...

May 8 20:40:43 check_reload_status: Syncing firewall
May 8 20:40:43 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 8 20:40:40 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
May 8 20:40:39 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
May 8 20:40:25 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
May 8 20:40:23 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
May 8 20:40:22 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
May 8 20:40:08 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
May 8 20:40:07 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
May 8 20:40:03 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
May 8 20:40:02 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…

May 8 14:41:28 check_reload_status: Syncing firewall
May 8 14:41:27 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 8 14:41:25 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
May 8 14:41:24 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
May 8 14:41:10 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
May 8 14:41:08 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
May 8 14:41:06 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
May 8 14:40:53 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …

(SNORT STOPPED)

May 8 14:40:51 kernel: bge0: promiscuous mode disabled
May 8 14:40:51 kernel: pid 14819 (snort), uid 0: exited on signal 11
May 8 14:40:51 kernel: rl0: promiscuous mode disabled
May 8 14:40:51 kernel: pid 13736 (snort), uid 0: exited on signal 11
May 8 14:40:47 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules are up to date…
May 8 14:40:47 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
May 8 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…

(Last Alerts reported)

May 8 14:31:07 snort[13736]: [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 59.175.148.22:6000 -> X.X.X.X:3306
May 8 14:31:07 snort[13736]: [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 59.175.148.22:6000 -> X.X.X.X:3306

Supermule

I dont see this on all of my 2.0.3 boxes running in VM's.

Guest

Same Snort version on three boxes I had a comparable issue two days ago on one box (they have different times to update). Resolved after reboot.

BBcan177

Since my last post, this has only happened once more on one of my boxes.

Guest

…throughout the last days sometimes not all interfaces come up after the update (one box had that yesterday and today). Trying to restart the respective interface manually results in lengthy procedures (build new sig-msg.map for ALL interfaces, re-start of ALL interfaces) on the embedded system and in the end, another interface might be down...