Snort: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer …
-
Hi,
Today, after Snort auto-updated its rule set, I got the following error in the system logs, and the Snort WAN interface was not started:
Dec 27 14:00:44 snort[66215]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
Dec 27 14:00:44 php-fpm[54589]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(igb0)…
What is the cause? BTW, I just enabled Snort OpenAppID recently.
-
This means there is an error in the downloaded AppID files (likely from the update). The Snort VRT folks should eventually fix it, or you can visit the Snort VRT Mailing List and see if anyone else has reported it and/or if a fix is available yet.
Bill
-
The WAN interface was not auto-started again for some reason. I saw 3 Snort instances running by using the "top" command, while there really should be only 2 (one for WAN, one for LAN). The update logs indicated everything was updated successfully, but the WAN interface just wasn't restarted, so I had to do it manually. LAN was OK, though.
-
Multiple instances happen sometimes when the pfSense core code sends more than one "restart packages" command in a short time interval. This can happen, for instance, during a WAN IP update caused by DHCP (if you have that configured on the WAN side). There are a few other triggers of the "restart packages" command.
Bill