Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort randomly crashing

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Justin53
      last edited by

      Randomly started happening a few days ago one interface will randomly crash. I have snort running on both WAN & LAN.

      Sep 30 06:06:51 	kernel: pid 82192 (snort), uid 0: exited on signal 11
      Sep 30 06:06:40 	php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
      Sep 30 06:06:40 	php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
      Sep 30 06:06:39 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
      Sep 30 06:06:38 	php: snort_check_for_rule_updates.php: [Snort] Server returned error code 503...
      Sep 30 06:06:38 	php: snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors md5 download failed...
      Sep 30 06:06:08 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Sep 30 06:05:25 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2975.tar.gz...
      
      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        You may have multiple Snort instances running.  Stop all Snort instances using the GUI, and then execute this command from the CLI:

        
        ps -ax |grep snort
        
        

        You should see no running Snort processes if everything is stopped from the GUI.  If you see a Snort process running, kill it and then restart everything from the Snort GUI.

        Have you looked in the system log to see if any other messages are being logged when Snort dies?

        Bill

        1 Reply Last reply Reply Quote 0
        • J
          Justin53
          last edited by

          There was a second instance running after I stopped all instances in the GUI, strange… what would cause thiss to happen?

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Usually caused when pfSense does a "restart all packages" command in response to the events that trigger that (change in WAN IP is one, but there are others).  Snort takes a long time to start.

            Bill

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.