Snort stops working



  • We have snort running on our firewalls in IPS mode and have been experiencing times in which snort just stops detecting the events. My short term fix was to have cron restart the service every few hours. I also need help with that. Please let me know if I need to provide any additional information.

    Curtis



  • Please post the necessary parts of your logfile and a screenshot of your configuration. How much RAM do you have?



  • Nothing in the log indicates that it stops (that I can tell); it simply just stops detecting the types of attacks that I have it set up to block. I only have SQL.rules enabled and with just that I have a constant, 24 hour a day list of IPs getting blocked. During the times that I believe it is not running, I have no blocks and just to be sure I do an injection test myself. They go by undetected.

    I'm running a Dell PE1700 w/2xXeon 2.4's and 2Gb memory if that matters.  I have Snort using the mwm performance setting currently.



  • @clamasters:

    We have snort running on our firewalls in IPS mode and have been experiencing times in which snort just stops detecting the events. My short term fix was to have cron restart the service every few hours. I also need help with that. Please let me know if I need to provide any additional information.

    Curtis

    See if you are not trying to use a problematic package!

    Uninstalling the packages does not solve it.

    You might have to reinstall everything from scratch….

    Try to not install many packages (5 are many), and do not use a problematic one.

    Regards.



  • I don't find this package problematic, I just have a problem with 1 issue. The issue I now 100% believe revolves around the auto update process. Every day (I'm not sure when), the package tries to download/update the latest definitions from Snort.org, but it fails with the following error.

    Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 .

    It gives me the option to do this manually and that seems to work.  I have read another post on here but did not feel comfortable messing with the conf file for this.

    I would be more than happy to give more information if that is what you all need.  Please let me know.

    Curtis



  • Does anyone know who the original package maintainer for Snort was?



  • He's no longer actively maintaining the package which is why his email address was removed.  The package is currently without a maintainer.



  • I just removed the package.  It needs a new maintainer.

