
Author Topic: Snort stops working after snort update (newest 2.0 RELEASE)  (Read 25607 times)


Offline miles267

Snort stops working after snort update (newest 2.0 RELEASE)
« on: September 28, 2011, 06:03:07 pm »
Since upgrading from a working 2.0 RC3 to 2.0-RELEASE, Snort consistently stops on my WAN connection following each Snort update (auto or manual).  It requires you to manually start it via Services > Snort > Snort Interfaces.  However it will then fail again the next snort definitions update and so on.  Has anyone identified a resolution for this behavior?

Offline serialdie

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #1 on: September 28, 2011, 09:15:35 pm »
same here.

Offline miles267

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #2 on: September 28, 2011, 09:21:32 pm »
same here.

Hi I noticed someone else recommended you change your snort interface settings to AC-BNFA mode to lower memory usage.  I was set to AC-STD prior to upgrade and everything worked fine.  Now that I changed to AC-BNFA after upgrade it appears to be working so far.  Will keep monitoring.

Offline serialdie

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #3 on: September 28, 2011, 09:34:14 pm »
same here.

Hi I noticed someone else recommended you change your snort interface settings to AC-BNFA mode to lower memory usage.  I was set to AC-STD prior to upgrade and everything worked fine.  Now that I changed to AC-BNFA after upgrade it appears to be working so far.  Will keep monitoring.

I just changed it but I don't see how this can be an issue. I have 4 Gigs of RAM...
Hopefully this does the job :)

Thanks

Offline miles267

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #4 on: September 28, 2011, 09:44:56 pm »
I too have 4 GB of RAM but somehow it seems to have resolved my issue and dramatically reduced my memory usage.

Offline miles267

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #5 on: September 29, 2011, 08:37:20 am »
I made a post about this as well. However I just started trying to use it so don't know if it was an issue in the past. However I just tried to adjust my memory usage to AC-BNFA & my WAN interface still will not start.

Perhaps I spoke too soon.  It would appear that, after Snort performs its scheduled definitions update (and attempts to restart), it crashes.  I must then manually start each snort interface but monitor periodically to ensure they didn't stop.  Haven't yet identified any pattern in the logs to indicate what might be causing it to stop.  Also, am not quite convinced that changing the memory setting from AC-STD to AC-BNFA has any impact at all.

Offline serialdie

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #6 on: September 29, 2011, 02:35:52 pm »
I made a post about this as well. However I just started trying to use it so don't know if it was an issue in the past. However I just tried to adjust my memory usage to AC-BNFA & my WAN interface still will not start.

Perhaps I spoke too soon.  It would appear that, after Snort performs its scheduled definitions update (and attempts to restart), it crashes.  I must then manually start each snort interface but monitor periodically to ensure they didn't stop.  Haven't yet identified any pattern in the logs to indicate what might be causing it to stop.  Also, am not quite convinced that changing the memory setting from AC-STD to AC-BNFA has any impact at all.

As I thought.
I think the issue is that snort has somehow changed their definition pattern once again.
« Last Edit: September 29, 2011, 02:38:41 pm by serialdie »

Offline miles267

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #7 on: September 29, 2011, 03:24:49 pm »
How is this thread not firing off sirens?  We surely aren't the only ones having this issue.  Would expect the majority of users are experiencing this but simply haven't checked their snort interface statuses to ensure they stay running (without a restart).

Offline ermal (Administrator)
Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #8 on: September 29, 2011, 03:28:55 pm »
Well, probably a bug in snort which does not like to reload the rulesets.
Maybe changing snort to stop and start again would be a better choice, I guess.

Offline ermal (Administrator)
Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #9 on: September 30, 2011, 08:47:57 am »
BTW can you post the system logs here for review and hopefully fixing that?

Offline serialdie

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #10 on: September 30, 2011, 08:49:31 am »
ermal,

I've been trying to catch it but it is so random that I have been unable to... usually happens overnight...

Offline mschiek01

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #11 on: September 30, 2011, 09:16:46 am »
Ermal, here is the system log.
Sep 30 09:03:55    snort[5170]: Snort exiting
Sep 30 09:03:55    snort[5170]: Snort exiting
Sep 30 09:03:54    snort[6986]: Snort exiting
Sep 30 09:03:54    snort[6986]: Snort exiting
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2408044 type=Limit tracking=src count=1 seconds=60 filtered=8
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2408044 type=Limit tracking=src count=1 seconds=60 filtered=8
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406628 type=Limit tracking=src count=1 seconds=60 filtered=18
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406628 type=Limit tracking=src count=1 seconds=60 filtered=18
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2403304 type=Limit tracking=src count=1 seconds=3600 filtered=1
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2403304 type=Limit tracking=src count=1 seconds=3600 filtered=1
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60 filtered=331
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60 filtered=331
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406036 type=Limit tracking=src count=1 seconds=60 filtered=4
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406036 type=Limit tracking=src count=1 seconds=60 filtered=4
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60 filtered=330
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60 filtered=330
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2408002 type=Limit tracking=src count=1 seconds=60 filtered=31
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2408002 type=Limit tracking=src count=1 seconds=60 filtered=31
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406690 type=Limit tracking=src count=1 seconds=60 filtered=2
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2406690 type=Limit tracking=src count=1 seconds=60 filtered=2
Sep 30 09:03:53    snort[5170]: | gen-id=1 sig-id=2403312 type=Limit tracking=src count=1 seconds=3600 filtered

Offline bmeeks

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #12 on: September 30, 2011, 12:31:52 pm »
Just to add confirmation -- I, too, have noticed this behavior of Snort not restarting upon a rules update.  However, you can immediately manually start it without issue.  Like one of the other posters, the only message in the log of note is "...snort exiting."  Not much help for troubleshooting.

I discovered my event by kicking off a manual update and then coming back an hour later to check that everything was cool.  Found pfSense running fine but Snort not running.  I looked in the log and saw only the "snort exiting" message.  I made no changes to anything and simply clicked the little green arrow icon to start Snort.  It then started up successfully.

This seems to have only occurred after my upgrade to the 2.0-Release.  Prior to that I was running the Release Candidate (RC3) and did not see this issue.

Offline Slab

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #13 on: October 03, 2011, 09:17:22 am »
I'm experiencing the same problem since upgrading to 2.0-Release. The system log shows the usual Snort initialization messages but with the last one indicating 'Snort exiting' and it generally occurs just after midnight EST (I assume after a ruleset update ...which I have set for once a day).

I also used to run with the AC-STD memory setting, but can no longer do so since the upgrade (Snort won't run for more than an hour or two with AC-STD, so I changed to AC-SPARSEBANDS). Last, Snort seems to take quite a bit longer to start up (several minutes) since the upgrade.

I hope that this problem is going to be investigated ... thx.

Offline xarope

Re: Snort stops working after snort update (newest 2.0 RELEASE)
« Reply #14 on: October 04, 2011, 11:51:17 pm »
I hate to post a "me too" reply, but unfortunately, me too. Snort 2.9.0.5 pkg 2.0, pfsense 2.0-RELEASE (i386)
built on Tue Sep 13 17:28:43 EDT 2011.

All I can find in the kernel log for snort is "snort exiting".  And as with the others, this always happens overnight.  Unlike the others, I had upgraded/updated to 2.0 final, a few weeks ago.  But only noticed this behaviour since, maybe end of last week?

Prior to that, snort had been running ok.

So I'm suspecting maybe it's one of the rules that's causing a problem?  From memory, one of the snort categories always caused me problems (e.g. snort_exploit.rules), so maybe another is doing the same thing?

Update: I just tried a manual update of rules, and restarted snort.  Now the snort instance running on my WAN interface (AC-BNFA) has died a few minutes later (15 minutes), and with an error message "kernel: pid 23257 (snort), uid 920: exited on signal 11".  More logs:

Code:
Oct 5 11:32:43 snort[35687]: PID path stat checked out ok, PID path set to /var/log/snort/run
Oct 5 11:32:43 snort[35687]: PID path stat checked out ok, PID path set to /var/log/snort/run
Oct 5 11:32:43 snort[35687]: Writing PID "35687" to file "/var/log/snort/run/snort_em0_vlan78035309.pid"
Oct 5 11:32:43 snort[35687]: Writing PID "35687" to file "/var/log/snort/run/snort_em0_vlan78035309.pid"
Oct 5 11:32:43 snort[35687]: Set gid to 920
Oct 5 11:32:43 snort[35687]: Set gid to 920
Oct 5 11:32:43 snort[35687]: Set uid to 920
Oct 5 11:32:43 snort[35687]: Set uid to 920
Oct 5 11:32:43 snort[35687]:
Oct 5 11:32:43 snort[35687]:
Oct 5 11:32:43 snort[35687]: --== Initialization Complete ==--
Oct 5 11:32:43 snort[35687]: --== Initialization Complete ==--
Oct 5 11:32:43 snort[35687]: Commencing packet processing (pid=35687)
Oct 5 11:32:43 snort[35687]: Commencing packet processing (pid=35687)
Oct 5 11:48:26 kernel: pid 23257 (snort), uid 920: exited on signal 11
« Last Edit: October 04, 2011, 11:54:42 pm by xarope »
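Since the thread's only evidence is "Snort exiting" in the system log plus a signal 11 from the kernel, and ermal's suggestion is a full stop/start rather than a reload, a post-update check that spots dead instances before an overnight gap is the practical defender's answer. The script below is an added example, not code from the thread or from the pfSense Snort package; it assumes the PID-file layout visible in xarope's log (/var/log/snort/run/snort_<iface><id>.pid), takes the PID directory and log file as parameters, and ships with a constructed sample log modelled on the posted lines.

```shell
# Added example (not from the thread or the pfSense Snort package): a
# post-rules-update watchdog. It lists Snort instances whose PID file points
# at a dead process and counts the "Snort exiting" / signal 11 events the
# thread's logs show. PID-file layout (/var/log/snort/run/snort_<iface><id>.pid)
# is assumed from the posted log; run as root so kill -0 can probe uid 920.

# Print, space separated, the PID-file basenames whose process is not alive.
dead_snort_instances() {
    piddir="$1"
    names=""
    for f in "$piddir"/snort_*.pid; do
        [ -f "$f" ] || continue
        pid=$(tr -cd '0-9' < "$f")   # tolerate stray whitespace in the file
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            names="$names${names:+ }$(basename "$f" .pid)"
        fi
    done
    echo "$names"
}

# Print "<exits> <segfaults>": Snort processes that logged "Snort exiting"
# and kernel reports of snort dying on signal 11.
count_snort_failures() {
    exits=$(grep -c 'snort\[[0-9]*\]: Snort exiting' "$1" || true)
    segv=$(grep -c '(snort), uid [0-9]*: exited on signal 11' "$1" || true)
    echo "$exits $segv"
}

# Exit 0 when every instance is alive and no segfault was logged, else 1,
# so it can be chained after the rules-update job; a failure is the cue
# for a full stop/start of the instance rather than a rule reload.
snort_post_update_check() {
    dead=$(dead_snort_instances "$1")
    counts=$(count_snort_failures "$2")
    exits=${counts%% *}
    segv=${counts##* }
    echo "dead instances: ${dead:-none}; exits=$exits segfaults=$segv"
    [ -z "$dead" ] && [ "$segv" -eq 0 ]
}

# Constructed sample log modelled on the lines posted in the thread.
sample_syslog() {
    cat <<'EOF'
Sep 30 09:03:55 snort[5170]: Snort exiting
Sep 30 09:03:54 snort[6986]: Snort exiting
Oct 5 11:48:26 kernel: pid 23257 (snort), uid 920: exited on signal 11
Oct 5 11:48:30 snort[23257]: Snort exiting
EOF
}
```

Run it as `snort_post_update_check /var/log/snort/run /var/log/system.log` from the job that follows the rules update; a non-zero exit names the instances to stop and start again by hand or from the scheduler.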