Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Snort not restarting after rules update - 2.1.3- 2.9.6.0 pkg v3.0.8

    pfSense Packages
    3
    4
    862
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Craigusoz last edited by

      I find this in the system log:

      Jun 8 00:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…
      Jun 8 00:06:33 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Jun 8 00:06:35 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
      Jun 8 00:06:37 php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
      Jun 8 00:06:38 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
      Jun 8 00:06:42 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
      Jun 8 00:07:01 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
      Jun 8 00:07:03 kernel: pid 11623 (snort), uid 0: exited on signal 11
      Jun 8 00:07:12 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Jun 8 00:07:13 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
      Jun 8 00:07:15 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Jun 8 00:07:18 check_reload_status: Syncing firewall

      Snort is halted following this until restarted manually.

      Note: I have commented out the restart packages function call in /etc/rc.newwanip, due to this bug, unsure if that is relevant:

      https://redmine.pfsense.org/issues/3669

      1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks last edited by

        @Craigusoz:

        I find this in the system log:

        Jun 8 00:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…
        Jun 8 00:06:33 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
        Jun 8 00:06:35 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
        Jun 8 00:06:37 php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
        Jun 8 00:06:38 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
        Jun 8 00:06:42 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
        Jun 8 00:07:01 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
        Jun 8 00:07:03 kernel: pid 11623 (snort), uid 0: exited on signal 11
        Jun 8 00:07:12 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
        Jun 8 00:07:13 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
        Jun 8 00:07:15 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
        Jun 8 00:07:18 check_reload_status: Syncing firewall

        Snort is halted following this until restarted manually.

        Note: I have commented out the restart packages function call in /etc/rc.newwanip, due to this bug, unsure if that is relevant:

        https://redmine.pfsense.org/issues/3669

        I don't know if this is related to that bug or not.  There are one or two other users reporting similar failures to restart after rules updates, but a manual restart works fine.  I personally have not encountered this yet on my LAN firewall which is running 2.1.3 and the same Snort package.  However, it could be related to specific enabled rules.  From the timing of the "exited on signal 11" message, the crash appears to occur during the time the shared object libraries are being unpacked and copied over to the various Snort interface sub-directories.

        Bill

        1 Reply Last reply Reply Quote 0
        • C
          Craigusoz last edited by

          Thanks Bill. I'm wondering if the bug that is causing frequent package restarts is masking a problem with snort. Before I modified /etc/rc.newwanip, I didn't see the issue, because all of the packages were being restarted frequently (which was slowing throughput while it was underway). Could this be why only a few users are seeing the issue ?

          1 Reply Last reply Reply Quote 0
          • BBcan177
            BBcan177 Moderator last edited by

            I have intermittent issues with Snort Interfaces Exiting on Error, usually following a Rules Update.
            When it happens it happens to several boxes at a time.

            But the logs don't show very much information to help diagnose why its failing. I think it would be good to have a "debug" option where more details logs could be used as required to help diagnose issues better.

            All of my boxes are on Static so they don't renew their addresses.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • First post
              Last post