Netgate SG-1000 microFirewall

Author Topic: snort turning itself OFF  (Read 129 times)

0 Members and 1 Guest are viewing this topic.

Offline gryest

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
snort turning itself OFF
« on: February 03, 2018, 03:11:34 pm »
Hi
I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
Is anybody have same issue? What might be wrong or changed?
Thanks.

PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3295
  • Karma: +862/-0
    • View Profile
Re: snort turning itself OFF
« Reply #1 on: February 03, 2018, 06:18:13 pm »
Hi
I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
Is anybody have same issue? What might be wrong or changed?
Thanks.

PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

Have you looked back through your firewall's system log to see what, if any, messages might have been logged by Snort as it restarted from the rules update?  The most likely possibility is a rule syntax error of some sort with one of your enabled rules (or even a newly added rule).  Those happen from time to time as the rules are modified by the authors/vendors.

Bill

Offline revengineer

  • Jr. Member
  • **
  • Posts: 71
  • Karma: +5/-0
    • View Profile
Re: snort turning itself OFF
« Reply #2 on: February 04, 2018, 08:05:54 am »
This happened to me yesterday as well. When I checked the interface, snort was stopped. I simply restarted and all is well. These issue happen so rarely and typically fix themselves, so that I am neither worried nor inclined to start a research project over this issue.

Offline gryest

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: snort turning itself OFF
« Reply #3 on: February 04, 2018, 09:31:23 am »
Hi
I noticed Snort turned itself off past few days after rules update. Rules update success but found Snort is stopped???
Not good at all. I was OK before even if rules update failed, it's never stopped by itself. I ran Snort package update 2 day ago but it still doing that.
Is anybody have same issue? What might be wrong or changed?
Thanks.

PS. i have Snort logs setup on local system (SSD) and checked log size option are limited. Log exceed memory should not be an issue.

Have you looked back through your firewall's system log to see what, if any, messages might have been logged by Snort as it restarted from the rules update?  The most likely possibility is a rule syntax error of some sort with one of your enabled rules (or even a newly added rule).  Those happen from time to time as the rules are modified by the authors/vendors.

Bill

Yes, I did. Rules update happened 00:07. Before that Snort shows some ping IP ("Misc Attacks") Log Alerts. After 00:07 nothing until I restarted snort in the morning. No any records in the system log. I will check logs if it's happen again.
Thanks.