Netgate Discussion Forum

    Snort error: Could not create configuration reload thread

    • Slab

      Hi folks,

      I discovered yesterday that snort wasn't running on my pfsense (2.1.4 i386) box. The log gives the error "Could not create configuration reload thread.". Try as I might, I can't seem to get past this error. I've attempted to restart snort (after verifying from the shell that there indeed was no snort process running), I've updated the rules, and finally uninstalled and re-installed (which installed the latest version of Snort (2.9.7.0 pkg v3.2.1) …I was one or two releases behind previously).

      I've rarely encountered a scenario where a complete uninstall/reinstall didn't fix whatever issue I may have had with snort in the past ...but that's where I'm at now. Any ideas? Thanks very much!

      • Supermule Banned

        Can you save your config and upgrade to the 2.1.5 64bit version and try again?

        • bmeeks

          @Slab:

          Hi folks,

          I discovered yesterday that snort wasn't running on my pfsense (2.1.4 i386) box. The log gives the error "Could not create configuration reload thread.". Try as I might, I can't seem to get past this error. I've attempted to restart snort (after verifying from the shell that there indeed was no snort process running), I've updated the rules, and finally uninstalled and re-installed (which installed the latest version of Snort (2.9.7.0 pkg v3.2.1) …I was one or two releases behind previously).

          I've rarely encountered a scenario where a complete uninstall/reinstall didn't fix whatever issue I may have had with snort in the past ...but that's where I'm at now. Any ideas? Thanks very much!

          I have never seen that error before.  That would be indicative of a memory exhaustion situation perhaps ???  Is that error in the log prefixed with a Snort PID?  Could you perhaps post that section of your system log so I can see that line and a few lines before and after?

          Bill

          • Slab

            @bmeeks:

            I have never seen that error before.  That would be indicative of a memory exhaustion situation perhaps ???  Is that error in the log prefixed with a Snort PID?  Could you perhaps post that section of your system log so I can see that line and a few lines before and after?

            Bill

            Hi Bill,

            I've rebooted the pfsense box a couple of times …pretty sure there isn't a memory issue (4 gigs mem ...only packages installed are snort and pfblocker). I've made no changes for several months (when I updated to 2.1.4), haven't had any problems until now.

            There is a pid in the log...

            
            Dec 25 15:07:32 	SnortStartup[46330]: Snort START for Internet(23958_em2)...
            Dec 25 15:08:02 	snort[78683]: Could not create configuration reload thread.
            
            

            …so it appears to briefly start (indeed, when I start snort from the dashboard and the subsequent "Status: Services" page comes up, it shows snort running but it terminates by the time I get to the system log).

            The only dynamic changes occurring on this box are the nightly rules updates ...not sure if something there is the culprit.

            Appreciate your help (and all your work on snort ...happy holidays!).

            • bmeeks

              @Slab:

              Hi Bill,

              I've rebooted the pfsense box a couple of times …pretty sure there isn't a memory issue (4 gigs mem ...only packages installed are snort and pfblocker). I've made no changes for several months (when I updated to 2.1.4), haven't had any problems until now.

              There is a pid in the log...

              
              Dec 25 15:07:32 	SnortStartup[46330]: Snort START for Internet(23958_em2)...
              Dec 25 15:08:02 	snort[78683]: Could not create configuration reload thread.
              
              

              …so it appears to briefly start (indeed, when I start snort from the dashboard and the subsequent "Status: Services" page comes up, it shows snort running but it terminates by the time I get to the system log).

              The only dynamic changes occurring on this box are the nightly rules updates ...not sure if something there is the culprit.

              Appreciate your help (and all your work on snort ...happy holidays!).

              Perhaps the configuration itself has become corrupted.  The error message indicates Snort is attempting to load (or reload) the configuration information.

              Try this from the command line:

              
              cd /usr/pbi/snort-amd64/etc/snort/snort_23958_em2
              snort -T -c ./snort.conf
              
              

              See if it correctly parses the snort.conf file for the interface.

              Bill

              • Slab

                @bmeeks:

                Perhaps the configuration itself has become corrupted.  The error message indicates Snort is attempting to load (or reload) the configuration information.

                Try this from the command line:

                
                cd /usr/pbi/snort-amd64/etc/snort/snort_23958_em2
                snort -T -c ./snort.conf
                
                

                See if it correctly parses the snort.conf file for the interface.

                Hi Bill,

                It appears to successfully parse the configuration file:

                
                Snort successfully validated the configuration!
                Snort exiting
                
                

                There was one "threshold deprecated" warning that I saw, but it appears the config is fine.

                • bmeeks

                  @Slab:

                  Hi Bill,

                  It appears to successfully parse the configuration file:

                  
                  Snort successfully validated the configuration!
                  Snort exiting
                  
                  

                  There was one "threshold deprecated" warning that I saw, but it appears the config is fine.

                  Hmm…I'm puzzled now.  I was sort of hoping for an error in the config.  Let me research the error message a bit in the Snort binary source code to see if that gives me any hints.  A quick Google search just now turned up not very much.

                  Bill

                  • johanstrand

                    Hi!

                    The same problem appeared on my box (pfSense 2.1.5, Intel Atom with 2GB RAM) late December. No config changes, just normal auto update of snort-rules.

                    Today I tried to reinstall using the new package (2.9.7.0) but the problem persists. It even broke all the UI-Components…

                    I then removed snort and reinstalled it. That worked but the reload error was still there.
                    I had a lot of rules active so I tried using one of the predefined rule sets (connectivity). Success! It now loads the rules without error.
                    I also tried the predefined setting "security", and that also worked.

                    Using the "security" rule preset, snort grabs 1.2GB RAM. With my old ruleset it took all available RAM and then some of the swap, total about 2.2GB. I don't think using swap should cause snort to fail. There may be some rule I had activated before that is not part of the predefined set, and causes this error.

                    Best regards,

                    Johan

                    • bmeeks

                      @johanstrand:

                      Hi!

                      The same problem appeared on my box (pfSense 2.1.5, Intel Atom with 2GB RAM) late December. No config changes, just normal auto update of snort-rules.

                      Today I tried to reinstall using the new package (2.9.7.0) but the problem persists. It even broke all the UI-Components…

                      I then removed snort and reinstalled it. That worked but the reload error was still there.
                      I had a lot of rules active so I tried using one of the predefined rule sets (connectivity). Success! It now loads the rules without error.
                      I also tried the predefined setting "security", and that also worked.

                      Using the "security" rule preset, snort grabs 1.2GB RAM. With my old ruleset it took all available RAM and then some of the swap, total about 2.2GB. I don't think using swap should cause snort to fail. There may be some rule I had activated before that is not part of the predefined set, and causes this error.

                      Best regards,

                      Johan

                      What is your pattern matcher set for on the Snort Interface Settings tab?  The suggested value is AC-BNFA or AC-BNFA-NQ.  Any other setting will cause Snort to eat memory like crazy, and can result in an out-of-memory scenario.

                      Bill

                      • johanstrand

                        Hi!

                        I had it set to AC. I changed to AC-BNFA and it went from 1.3GB to 380MB. Maybe this was the reason for the original problem. I am still suspicious of the rules because now (after reinstall) I can activate all rules using AC as the pattern matcher and snort starts without any problem and it takes about 1.4GB of RAM.

                        I cannot reproduce the reconfig thread problem.

                        /Johan

                        • bmeeks

                          @johanstrand:

                          Hi!

                          I had it set to AC. I changed to AC-BNFA and it went from 1.3GB to 380MB. Maybe this was the reason for the original problem. I am still suspicious of the rules because now (after reinstall) I can activate all rules using AC as the pattern matcher and snort starts without any problem and it takes about 1.4GB of RAM.

                          I cannot reproduce the reconfig thread problem.

                          /Johan

                          The AC pattern matcher will slowly gobble up RAM as it operates.  I have seen posts on other sites where users have had it gobble up 16 GB of RAM and more with a lot of traffic and rules.

                          There is no appreciable difference in the performance of any of the pattern matchers on today's hardware.  AC-BNFA or AC-BNFA-NQ is the suggested setting, and I would advise to never change it.

                          Bill
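
An added example, not part of the thread and not code from the pfSense Snort package: a POSIX shell check that reads the `config detection: search-method` line from each per-interface `snort.conf` and flags any pattern matcher other than the AC-BNFA or AC-BNFA-NQ values recommended above. The function names, the sample interface directory names and the sample configs are constructed for illustration; the `snort_*/snort.conf` layout follows the path quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the pattern matcher configured in
# each per-interface snort.conf and flag anything other than the values
# recommended above (AC-BNFA or AC-BNFA-NQ).

# Print the search-method value, lower-cased; empty output if none is set.
# Handles lines such as: config detection: search-method AC-BNFA max-pattern-len 20
get_search_method() {
    sed -n 's/^[[:space:]]*config[[:space:]][[:space:]]*detection:.*search-method[[:space:]][[:space:]]*\([A-Za-z0-9-]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Exit status: 0 = recommended matcher, 1 = other matcher, 2 = none configured.
check_search_method() {
    method=$(get_search_method "$1")
    case "$method" in
        ac-bnfa|ac-bnfa-nq) echo "OK   $1: $method"; return 0 ;;
        "") echo "NOTE $1: no search-method line, Snort's default applies"; return 2 ;;
        *)  echo "WARN $1: $method is not AC-BNFA or AC-BNFA-NQ"; return 1 ;;
    esac
}

# Check every snort_*/snort.conf under a base directory; non-zero if any WARN.
audit_all() {
    rc=0
    for conf in "$1"/snort_*/snort.conf; do
        [ -f "$conf" ] || continue
        check_search_method "$conf" || { st=$?; if [ "$st" -eq 1 ]; then rc=1; fi; }
    done
    return "$rc"
}

# Constructed sample configs (interface names are made up) so this runs offline.
make_samples() {
    mkdir -p "$1/snort_1111_em0" "$1/snort_2222_em1"
    printf '# constructed sample\nconfig detection: search-method AC-BNFA max-pattern-len 20\n' \
        > "$1/snort_1111_em0/snort.conf"
    printf '# constructed sample\nconfig detection: search-method AC max-pattern-len 20\n' \
        > "$1/snort_2222_em1/snort.conf"
}

# Usage: sh audit.sh /path/to/etc/snort   (no argument: run on the samples)
if [ -n "$1" ]; then
    audit_all "$1"
else
    tmp=$(mktemp -d) && make_samples "$tmp" && { audit_all "$tmp" || true; } && rm -rf "$tmp"
fi
```

A WARN line points at an interface whose pattern matcher should be changed on the Snort Interface Settings tab, as discussed above; `snort -T -c ./snort.conf` can then be rerun to confirm the config still validates.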

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.