Snort error: Could not create configuration reload thread

Slab

Hi folks,

I discovered yesterday that snort wasn't running on my pfsense (2.1.4 i386) box. The log gives the error "Could not create configuration reload thread.". Try as I might, I can't seem to get past this error. I've attempted to restart snort (after verifying from the shell that there indeed was no snort process running) I've updated the rules, and finally uninstalled and re-installed (which installed the latest version of Snort (2.9.7.0 pkg v3.2.1) …I was one or two releases behind previously).

I've rarely encountered a scenario where a complete uninstall/reinstall didn't fix whatever issue I may have had with snort in the past ...but that's where I'm at now. Any ideas? Thanks very much!

Supermule

Can you save your config and upgrade to the 2.1.5 64bit version and try again?

bmeeks

@Slab:

Hi folks,

I discovered yesterday that snort wasn't running on my pfsense (2.1.4 i386) box. The log gives the error "Could not create configuration reload thread.". Try as I might, I can't seem to get past this error. I've attempted to restart snort (after verifying from the shell that there indeed was no snort process running) I've updated the rules, and finally uninstalled and re-installed (which installed the latest version of Snort (2.9.7.0 pkg v3.2.1) …I was one or two releases behind previously).

I've rarely encountered a scenario where a complete uninstall/reinstall didn't fix whatever issue I may have had with snort in the past ...but that's where I'm at now. Any ideas? Thanks very much!

I have never seen that error before.  That would be indicative of a memory exhaustion situation perhaps ???  Is that error in the log prefixed with a Snort PID?  Could you perhaps post that section of your system log so I can see that line and a few lines before and after?

Bill

Slab

@bmeeks:

I have never seen that error before.  That would be indicative of a memory exhaustion situation perhaps ???  Is that error in the log prefixed with a Snort PID?  Could you perhaps post that section of your system log so I can see that line and a few lines before and after?

Bill

Hi Bill,

I've rebooted the pfsense box a couple of times …pretty sure there isn't a memory issue (4 gigs mem ...only packages installed are snort and pfblocker). I've made no changes for several months (when I updated to 2.1.4), haven't had any problems until now.

There is a pid in the log...

Dec 25 15:07:32 	SnortStartup[46330]: Snort START for Internet(23958_em2)...
Dec 25 15:08:02 	snort[78683]: Could not create configuration reload thread.

…so it appears to briefly start (indeed, when I start snort from the dashboard and the subsequent "Status: Services" page comes up, it shows snort running but it terminates by the time I get to the system log.

The only dynamic changes occurring on this box are the nightly rules updates ...not sure if something there is the culprit.

Appreciate you help (and all your work on snort ...happy holidays!).

bmeeks

@Slab:

Hi Bill,

I've rebooted the pfsense box a couple of times …pretty sure there isn't a memory issue (4 gigs mem ...only packages installed are snort and pfblocker). I've made no changes for several months (when I updated to 2.1.4), haven't had any problems until now.

There is a pid in the log...

Dec 25 15:07:32 	SnortStartup[46330]: Snort START for Internet(23958_em2)...
Dec 25 15:08:02 	snort[78683]: Could not create configuration reload thread.

…so it appears to briefly start (indeed, when I start snort from the dashboard and the subsequent "Status: Services" page comes up, it shows snort running but it terminates by the time I get to the system log.

The only dynamic changes occurring on this box are the nightly rules updates ...not sure if something there is the culprit.

Appreciate you help (and all your work on snort ...happy holidays!).

Perhaps the configuration itself has become corrupted.  The error message indicates Snort is attempting to load (or reload) the configuration information.

Try this from the command line:

cd /usr/pbi/snort-amd64/etc/snort/snort_23958_em2
snort -T -c ./snort.conf

See if it correctly parses the snort.conf file for the interface.

Bill

Slab

@bmeeks:

Perhaps the configuration itself has become corrupted.  The error message indicates Snort is attempting to load (or reload) the configuration information.

Try this from the command line:

cd /usr/pbi/snort-amd64/etc/snort/snort_23958_em2
snort -T -c ./snort.conf

See if it correctly parses the snort.conf file for the interface.

Hi Bill,

It appears to successfully parse the configuration file:

Snort successfully validated the configuration!
Snort exiting

There was one "threshold deprecated" warning that I saw, but it appears the config is fine.

bmeeks

@Slab:

Hi Bill,

It appears to successfully parse the configuration file:

Snort successfully validated the configuration!
Snort exiting

There was one "threshold deprecated" warning that I saw, but it appears the config is fine.

Hmm…I'm puzzled now.  I was sort of hoping for an error in the config.  Let me research the error message a bit in the Snort binary source code to see if that gives me any hints.  A quick Google search just now turned up not very much.

Bill

johanstrand

Hi!

I the same problem appeard on my box (pfSense 2.1.5, Intel Atom with 2GB RAM) late December. No config changes, just normal auto update of snort-rules.

Today I tried to resinstall using the new package (2.9.7.0) but the problem persist. It even broke all the UI-Components…

I then removed snort and reinstalled it. That worked but the reload error was still there.
I had a lot of rules active so I tried using one of the predefined rule sets (connectivity). Success! It now load the rules without error.
I also tried the predefined setting "security", and that also worked.

Using the "security" rule preset, snort grabs 1.2GB RAM. With my old ruleset it took all available RAM and then som of the swap toal about 2.2GB. I don't think using swap should cause snort to fail. There may be som rule I had activated before that is not part of the predefined set, and causes this error.

Best regards,

Johan

bmeeks

@johanstrand:

Hi!

I the same problem appeard on my box (pfSense 2.1.5, Intel Atom with 2GB RAM) late December. No config changes, just normal auto update of snort-rules.

Today I tried to resinstall using the new package (2.9.7.0) but the problem persist. It even broke all the UI-Components…

I then removed snort and reinstalled it. That worked but the reload error was still there.
I had a lot of rules active so I tried using one of the predefined rule sets (connectivity). Success! It now load the rules without error.
I also tried the predefined setting "security", and that also worked.

Using the "security" rule preset, snort grabs 1.2GB RAM. With my old ruleset it took all available RAM and then som of the swap toal about 2.2GB. I don't think using swap should cause snort to fail. There may be som rule I had activated before that is not part of the predefined set, and causes this error.

Best regards,

Johan

What is your pattern matcher set for on the Snort Interface Settings tab?  The suggested value is AC-BNFA or AC-BNFA-NQ.  Any other setting will cause Snort to eat memory like crazy, and can result in an out-of-memory scenario.

Bill

johanstrand

Hi!

I had it set to AC. I changed to AC-BNFA and it Went from 1.3GB to 380MB. Maybe this was the reason for the original problem. I am still suspicious of the rules because now (after resinstall) I can activate all rules using AC as the pattern matcher and snort starts without any problem and it takes about 1.4GB of RAM.

I can not reproduce the reconfig thread problem.

/Johan

bmeeks

@johanstrand:

Hi!

I had it set to AC. I changed to AC-BNFA and it Went from 1.3GB to 380MB. Maybe this was the reason for the original problem. I am still suspicious of the rules because now (after resinstall) I can activate all rules using AC as the pattern matcher and snort starts without any problem and it takes about 1.4GB of RAM.

I can not reproduce the reconfig thread problem.

/Johan

The AC pattern matcher will slowly gobble up RAM as it operates.  I have seen posts on other sites where users have had it gobble up 16 GB of RAM and more with a lot of traffic and rules.

There is no appreciable difference in the performance of any of the pattern matchers on today's hardware.  AC-BNFA or AC-BNFA-NQ is the suggested setting, and I would advise to never change it.

Bill