Snort randomly crashing



  • Randomly started happening a few days ago: one interface will randomly crash. I have Snort running on both WAN & LAN.

    Sep 30 06:06:51 	kernel: pid 82192 (snort), uid 0: exited on signal 11
    Sep 30 06:06:40 	php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
    Sep 30 06:06:40 	php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Sep 30 06:06:39 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Sep 30 06:06:38 	php: snort_check_for_rule_updates.php: [Snort] Server returned error code 503...
    Sep 30 06:06:38 	php: snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors md5 download failed...
    Sep 30 06:06:08 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Sep 30 06:05:25 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2975.tar.gz...
    


  • You may have multiple Snort instances running.  Stop all Snort instances using the GUI, and then execute this command from the CLI:

    
    ps -ax |grep snort
    
    

    You should see no running Snort processes if everything is stopped from the GUI.  If you see a Snort process running, kill it and then restart everything from the Snort GUI.

    Have you looked in the system log to see if any other messages are being logged when Snort dies?

    Bill



  • There was a second instance running after I stopped all instances in the GUI, strange… what would cause this to happen?



  • Usually caused when pfSense does a "restart all packages" command in response to the events that trigger that (change in WAN IP is one, but there are others).  Snort takes a long time to start.

    Bill
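
The duplicate-instance check described in this thread, written as a script (an added example, not part of the original posts or of the pfSense Snort package). It flags any interface with more than one Snort process bound to it; the sample `ps` lines, PIDs and paths are constructed, and it assumes each Snort process names its interface after `-i`.

```shell
#!/bin/sh
# Report interfaces that have more than one snort process attached.
# Reads `ps -ax` style output on stdin (PID TT STAT TIME COMMAND...).
# Output: one line per affected interface: "<iface> <count> <pid,pid,...>"
dup_snort_ifaces() {
    awk '
    # Field 5 is the executable; match the snort binary only, so the
    # "grep snort" line and the rule-update PHP script are ignored.
    $5 ~ /(^|\/)snort$/ {
        iface = "?"                      # "?" if no -i argument is present
        for (i = 6; i < NF; i++)
            if ($i == "-i") { iface = $(i + 1); break }
        count[iface]++
        if (pids[iface] == "") pids[iface] = $1
        else                   pids[iface] = pids[iface] "," $1
    }
    END {
        for (k in count)
            if (count[k] > 1) print k, count[k], pids[k]
    }' | sort
}

# Constructed sample: two snort processes on em0 (a stale one plus the
# instance started from the GUI), one on em1, and the grep itself.
sample_ps() {
    cat <<'EOF'
  PID TT  STAT     TIME COMMAND
 1101  -  Ss    1:02.33 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0
 1102  -  Ss    0:58.10 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em1
 2203  -  Ss    0:03.77 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0
 2301  0  S+    0:00.00 grep snort
EOF
}

# Demo on the constructed sample; on the firewall use: ps -ax | dup_snort_ifaces
sample_ps | dup_snort_ifaces
```

No output means each interface has at most one Snort process; any line printed lists the PIDs to compare against the instance the GUI believes it started.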

