Bug #1982 (closed)
Snort exits on rules update and does not restart
Description
Using Snort 2.9.0.5 pkg v. 2.0 on pfSense 2.0... using either autoupdate of rules or manual update of rules, if Snort is already running, the result is Snort stops. This issue is affecting a lot of people, see http://forum.pfsense.org/index.php/topic,41533.30.html. The only work-around I know of is to disable automatic update of rules, which is highly undesirable. For reference, I am currently using the Snort rules and the Emerging Threats rules.
A very edited log of the rules update:
The start:
Oct 21 12:04:52 pfSense2 SnortStartup[1831]: Snort Startup files Sync...
Oct 21 12:04:53 pfSense2 SnortStartup[4228]: Snort already running, soft restart
Oct 21 12:04:53 pfSense2 SnortStartup[4345]: Snort Soft Reload For 39540_em4...
Oct 21 12:04:53 pfSense2 snort[20183]:
Oct 21 12:04:53 pfSense2 snort[20183]:
Oct 21 12:04:53 pfSense2 snort[20183]: --== Reloading Snort ==--
Oct 21 12:04:53 pfSense2 snort[20183]: --== Reloading Snort ==--
<edit>
And the end:
Oct 21 12:04:56 pfSense2 snort[20183]: +---------------------[filtered events]-------------------
Oct 21 12:04:56 pfSense2 snort[20183]: +---------------------[filtered events]-------------------
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2002911 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2002911 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2001219 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2001219 type=Threshold tracking=sr
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
Nothing too obvious there. It just exits for no apparent reason. BUT, let's:
[root@cenrallog pfSense2]# grep Reload snort.log
Oct 28 19:16:43 pfSense2 snort[57972]: --== Reloading Snort ==--
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
[root@cenrallog pfSense2]#
[root@cenrallog pfSense2]# grep Reload messages.log
Oct 28 19:16:43 pfSense2 SnortStartup[55009]: Snort Soft Reload For 39540_em4...
OK, so it seems we are doing a soft reload, that looks like a HUP, and we may have a warning about that. Let's look in a little more detail:
[root@cenrallog pfSense2]# grep -C 5 "Reload via Signal HUP" snort.log
Oct 28 19:16:43 pfSense2 snort[57972]:
Oct 28 19:16:43 pfSense2 snort[57972]: Detection:
Oct 28 19:16:43 pfSense2 snort[57972]: Search-Method = AC-BNFA-Q
Oct 28 19:16:44 pfSense2 snort[57972]: Found pid path directive (/var/log/snort/run)
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
Oct 28 19:16:45 pfSense2 snort[57972]: ===============================================================================
Oct 28 19:16:45 pfSense2 snort[57972]: Packet I/O Totals:
Oct 28 19:16:45 pfSense2 snort[57972]: Received: 2872854
Oct 28 19:16:45 pfSense2 snort[57972]: Analyzed: 2872848 (100.000%)
Oct 28 19:16:45 pfSense2 snort[57972]: Dropped: 0 ( 0.000%)
I have tested:
kill -HUP <snort pid>
logged in as root from an ssh shell, and that works fine (although there were no rule changes when I tried it), so maybe the HUP is not coming from root, or it's chroot'ed?
FYI, my HUP resulted in this, combined with a:
grep Reload snort.log
on my central log server. snort.log is just the snort process separated from the rest of the syslog messages.
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread starting...
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread started, thread 0x425e1d80 (4097)
Oct 28 19:27:23 pfSense2 snort[4097]: --== Reloading Snort ==--
Oct 28 19:28:18 pfSense2 snort[4097]: --== Reload Complete ==--
So this is presumably what SHOULD happen if one does a snort rules update with snort already running.
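The log comparison above (a soft reload that ends in "Snort exiting" with the HUP warning, versus a root-sent HUP that ends in "Reload Complete") can be turned into an automated check. The script below is an added example, not part of the bug report or the pfSense package: it correlates reload messages per snort PID in syslog text and reports whether each reload completed or the process exited, and why. The sample log lines are constructed to mirror the excerpts in the report.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the excerpts in this bug report.
SAMPLE_LOG = """\
Oct 28 19:16:43 pfSense2 SnortStartup[55009]: Snort Soft Reload For 39540_em4...
Oct 28 19:16:43 pfSense2 snort[57972]: --== Reloading Snort ==--
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
Oct 28 19:16:45 pfSense2 snort[57972]: Snort exiting
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread starting...
Oct 28 19:27:23 pfSense2 snort[4097]: --== Reloading Snort ==--
Oct 28 19:28:18 pfSense2 snort[4097]: --== Reload Complete ==--
"""

# Matches only snort daemon lines (not SnortStartup), capturing the PID and message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def audit_reloads(log_text):
    """Return {pid: verdict} for every snort process that began a reload.

    Verdicts: 'reload-complete', 'reload-unfinished', or
    'exited:<reasons>' where reasons are the warnings seen before the exit.
    """
    state = defaultdict(lambda: {"reloading": False, "reasons": [], "result": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = state[m["pid"]], m["msg"]
        if "Reloading Snort" in msg:
            s["reloading"] = True
        elif "requires a restart" in msg:
            s["reasons"].append("restart-required")
        elif "Reload via Signal HUP does not work" in msg:
            s["reasons"].append("hup-refused")   # non-root / chroot'ed snort
        elif "Reload Complete" in msg and s["reloading"]:
            s["result"] = "ok"
        elif msg == "Snort exiting" and s["reloading"]:
            s["result"] = "exited"
    verdicts = {}
    for pid, s in state.items():
        if not s["reloading"]:
            continue
        if s["result"] == "ok":
            verdicts[pid] = "reload-complete"
        elif s["result"] == "exited":
            verdicts[pid] = "exited:" + (",".join(s["reasons"]) or "unknown")
        else:
            verdicts[pid] = "reload-unfinished"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in audit_reloads(SAMPLE_LOG).items():
        print(pid, verdict)
```

Feeding the real snort.log from the central log server through audit_reloads would flag any rule update whose soft reload ended in an exit, which is the condition this report describes.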
Updated by Cino . over 13 years ago
What platform, btw? I'm running i386 and don't have this issue. Mine is set to update every 12 hours. Once in a while, maybe once every 3-4 weeks, snort will not start and I'll have to manually start it.
Updated by Seb A over 13 years ago
As reported above, this affects both i386 and x86 architectures according to reports in the link I gave:
http://forum.pfsense.org/index.php/topic,41533.30.html
I am personally using i386.
Which package version of Snort are you using? And which version of pfSense? 2.0?
Are you using both the Snort rules and the Emerging Threats rules? I am. I'm not sure about the other people.
Updated by Dim Hatz over 13 years ago
It seems that compiling snort with --enable-reload will allow snort to reload on receiving a SIGHUP without requiring it to be running as root.
http://groups.google.com/group/pulledpork-users/browse_thread/thread/00acf6e138df1a07

I run my snort instances as -u snorty.. sending a HUP from root works fine for me and has, it is much cleaner now though that the --enable-reload option has been added (and I configured with that) into snort.

On Tue, Jan 26, 2010 at 5:00 PM, William <wil...@gmail.com> wrote:
> It doesn't seem to matter if I am root or not when I send the HUP.
> What seems to make a difference is whether or not snort itself is
> running as root or as another user (eg. started as snort -u
> someotheruser). If it is NOT running as root, then snort will respond
> with the "Reload via Signal HUP..." message and not re-read its
> config.
> I posted a similar question to the Snort users list and someone from
> Sourcefire explained the reasoning (snort needs to open pcap again,
> which requires root privileges)
Updated by Ermal Luçi over 13 years ago
It is built like that by default on pfSense.
Updated by Ermal Luçi over 13 years ago
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
Update pushed on package.
Updated by Jim Pingle almost 13 years ago
- Status changed from Feedback to Resolved