Snort not restarting after rules update - 2.1.3 - 2.9.6.0 pkg v3.0.8



  • I find this in the system log:

    Jun 8 00:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…
    Jun 8 00:06:33 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Jun 8 00:06:35 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
    Jun 8 00:06:37 php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Jun 8 00:06:38 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Jun 8 00:06:42 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Jun 8 00:07:01 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
    Jun 8 00:07:03 kernel: pid 11623 (snort), uid 0: exited on signal 11
    Jun 8 00:07:12 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Jun 8 00:07:13 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
    Jun 8 00:07:15 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Jun 8 00:07:18 check_reload_status: Syncing firewall

    Snort is halted following this until restarted manually.

    Note: I have commented out the restart packages function call in /etc/rc.newwanip, due to this bug, unsure if that is relevant:

    https://redmine.pfsense.org/issues/3669



  • @Craigusoz:

    I find this in the system log:

    Jun 8 00:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2960.tar.gz…
    Jun 8 00:06:33 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Jun 8 00:06:35 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
    Jun 8 00:06:37 php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Jun 8 00:06:38 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Jun 8 00:06:42 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Jun 8 00:07:01 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
    Jun 8 00:07:03 kernel: pid 11623 (snort), uid 0: exited on signal 11
    Jun 8 00:07:12 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Jun 8 00:07:13 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
    Jun 8 00:07:15 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Jun 8 00:07:18 check_reload_status: Syncing firewall

    Snort is halted following this until restarted manually.

    Note: I have commented out the restart packages function call in /etc/rc.newwanip, due to this bug, unsure if that is relevant:

    https://redmine.pfsense.org/issues/3669

    I don't know if this is related to that bug or not.  There are one or two other users reporting similar failures to restart after rules updates, but a manual restart works fine.  I personally have not encountered this yet on my LAN firewall which is running 2.1.3 and the same Snort package.  However, it could be related to specific enabled rules.  From the timing of the "exited on signal 11" message, the crash appears to occur during the time the shared object libraries are being unpacked and copied over to the various Snort interface sub-directories.

    Bill



  • Thanks Bill. I'm wondering if the bug that is causing frequent package restarts is masking a problem with Snort. Before I modified /etc/rc.newwanip, I didn't see the issue, because all of the packages were being restarted frequently (which was slowing throughput while it was underway). Could this be why only a few users are seeing the issue?


  • Moderator

    I have intermittent issues with Snort Interfaces Exiting on Error, usually following a Rules Update.
    When it happens it happens to several boxes at a time.

    But the logs don't show very much information to help diagnose why it's failing. I think it would be good to have a "debug" option where more detailed logs could be used as required to help diagnose issues better.

    All of my boxes are on Static so they don't renew their addresses.

