Netgate Discussion Forum

    Snort crashed roughly shortly after startup

    25 Posts 3 Posters 4.3k Views
    • bmeeks

      The RAM guess was a longshot.  You are correct that Snort and the Service Watchdog package don't play well together.

      I am really stumped by your problem.  Have you tried the Suricata package?  It will do essentially the same thing as Snort.  The look and feel of the two packages are identical.  They share tons of the same PHP code for the GUI.

      Bill

      • McFuzz

        @bmeeks:

        The RAM guess was a longshot.  You are correct that Snort and the Service Watchdog package don't play well together.

        I am really stumped by your problem.  Have you tried the Suricata package?  It will do essentially the same thing as Snort.  The look and feel of the two packages are identical.  They share tons of the same PHP code for the GUI.

        Bill

        Hrm… I guess I can give that a shot; see what happens. I'll try and report back.

        • McFuzz

          Update: Odd things are happening…!

          So I decided to install Suricata to try it out. After installing it, I meant to start configuring it but accidentally clicked on snort as opposed to suricata from the services menu. Imagine my surprise when I noticed that snort was actually running...! I tried looking at system logs but considering the log gets rotated quickly, I was not able to find when it started.

          I decided to enable categories/rules and let it run - 20 minutes later, it was still running. I then decided to uninstall suricata, figuring snort fixed itself; however, about 10 minutes after uninstalling, snort crapped out!

          So - I re-enabled snort, but it yet again crapped out about 5 minutes later. This got me thinking - I installed Suricata but did not configure it (just as last time), enabled snort and - it has been running for the past two hours. I've then uninstalled Suricata - but snort has not crashed as of yet. Will let it run and see how it behaves.

          Insanely odd behavior!

          • McFuzz

            Perhaps my happiness was pre-emptive: I enabled AppID, restarted snort and now the interface died relatively quickly.

            I will try the suricata trick.

            edit: did not work… let's see what happens if OpenAppID is off...

            edit2: nope, disabling OpenAppID did not work either.

            Back to square one - how is it that things worked fine for several hours and once OpenAppID was enabled, broke, and now that it is disabled, still broken? I guess suricata was just a coincidence.

            Edit 3: Decided to disable openappID, reinstall suricata and then enable snort interface - works! Enabled openappID - works! Forced update (cleared MD5 hashes) - works! So far it has been running for the past 2 hours with no issues... but Suricata is still installed (albeit not running).

            • McFuzz

              Welps - with openappid, snort crapped out about 2 hours after being fired up. Will try a lengthy test with AppID off.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.