Snort interfaces not starting after rule update/service restart

adiadasman · Oct 7, 2014, 1:52 PM

Quick rundown of the issue. I had Snort running on WAN and LAN interface very smoothly.
Added 2 new NICs and set them up as PublicWAN and PublicLAN. New interfaces seem to be working perfectly.
I then copied my interface settings from LAN->PublicLAN and WAN->PublicWAN. I can start the interfaces manually and they run fine, seem to do their job.
But, if I restart the Snort service, the pfSense box, or the rules update causing a service reboot the interfaces do not come back up automatically. I can start them manually without any problems.
The only thing listed in the system log is:

SnortStartup[39200]: Snort SOFT RESTART for PublicLAN(59348_em3)…
SnortStartup[38351]: Snort SOFT RESTART for PublicWAN(64611_em2)…

This wouldn't be a big deal, except that I have to remember to restart the interfaces every morning.

Edit:
Forgot to mention, running version Snort 2.9.6.2 pkg v3.1.2 which I believe is the most current.

Supermule · Oct 7, 2014, 2:08 PM

Create a CRON job and have it running at the time you need it :)

bmeeks · Oct 7, 2014, 3:36 PM

@adiadasman:

Quick rundown of the issue. I had Snort running on WAN and LAN interface very smoothly.
Added 2 new NICs and set them up as PublicWAN and PublicLAN. New interfaces seem to be working perfectly.
I then copied my interface settings from LAN->PublicLAN and WAN->PublicWAN. I can start the interfaces manually and they run fine, seem to do their job.
But, if I restart the Snort service, the pfSense box, or the rules update causing a service reboot the interfaces do not come back up automatically. I can start them manually without any problems.
The only thing listed in the system log is:

SnortStartup[39200]: Snort SOFT RESTART for PublicLAN(59348_em3)…
SnortStartup[38351]: Snort SOFT RESTART for PublicWAN(64611_em2)…

This wouldn't be a big deal, except that I have to remember to restart the interfaces every morning.

Edit:
Forgot to mention, running version Snort 2.9.6.2 pkg v3.1.2 which I believe is the most current.

You might have been bitten by the duplicate UUID bug. When you say you "copied the interfaces", did you by chance click the plus (+) icon to the right of the WAN and LAN rows on the INTERFACES tab? If so, then you have duplicate UUIDs and will have issues such as you describe. I have the fix for this coming in the next update of Snort. I've been holding off working on adding another new feature, but that new feature is giving me fits to get working correctly. That's why there has been a delay.

Bill

adiadasman · Oct 7, 2014, 3:39 PM

That is exactly how I duplicated them. I have spent a lot of time fine tuning my rules and such and wanted them copied.
Is there any way to fix it, or do i need to create the interfaces from scratch?

bmeeks · Oct 7, 2014, 3:49 PM

@adiadasman:

That is exactly how I duplicated them. I have spent a lot of time fine tuning my rules and such and wanted them copied.
Is there any way to fix it, or do i need to create the interfaces from scratch?

If you consider yourself proficient in UNIX command line operations (renaming directories and editing an XML file), then send me a PM with your e-mail address and I will send you the instructions for manually fixing it.

Bill

adiadasman · Oct 7, 2014, 9:09 PM

Bill,

The UUID issue does appear to be my problem. Please check your PMs as I have replied back to your original message.

bmeeks · Oct 7, 2014, 9:29 PM

@adiadasman:

Bill,

The UUID issue does appear to be my problem. Please check your PMs as I have replied back to your original message.

Got your PM reply and answered. We can communicate back and forth in PM land.

Bill