Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer …

    IDS/IPS
    2
    4
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfcode
      last edited by

      Hi,

      Today, after Snort auto updates its rule set, got the following error in the system logs, and the Snort Wan interface were not started:

      Dec 27 14:00:44  snort[66215]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
      Dec 27 14:00:44  php-fpm[54589]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(igb0)…

      What is the cause? BTW, I just enabled Snort OpenAppID recently.

      Release: pfSense 2.4.3(amd64)
      M/B: Supermicro A1SRi-2558F
      HDD: Intel X25-M 160G
      RAM: 2x8Gb Kingston ECC ValueRAM
      AP: Netgear R7000 (XWRT), Unifi AC Pro

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        This means there is an error in the downloaded AppID files (likely from the update).  The Snort VRT folks should eventually fix it, or you can visit the Snort VRT Mailing List and see if anyone else has reported and/or if a fix is available yet.

        Bill

        1 Reply Last reply Reply Quote 0
        • P
          pfcode
          last edited by

          WAN interface was not auto started again for some reason, I saw 3 snort instances were running by using "top" command, while there really should be only 2 (one for WAN, one for LAN).  the update logs indicated everything were updated successfully, but WAN interface just wasn't restarted, had to do it manually, LAN was OK though.

          Release: pfSense 2.4.3(amd64)
          M/B: Supermicro A1SRi-2558F
          HDD: Intel X25-M 160G
          RAM: 2x8Gb Kingston ECC ValueRAM
          AP: Netgear R7000 (XWRT), Unifi AC Pro

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Multiple instances happens sometimes when the pfSense core code sends more than one "restart packages" command in a short time interval.  This can happen, for instance, during a WAN IP update caused by DHCP (if you have that configured on the WAN side).  There are a few other triggers of the "restart packages" command.

            Bill

            1 Reply Last reply Reply Quote 0
            • First post
              Last post