Bug #7866

closed

snort version 3.2.9.5_1 shows WAN status as stopped

Added by Yuri Weinstein over 6 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Package System
Target version:
-
Start date:
09/16/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

After updating to snort version 3.2.9.5_1 status for WAN is always shown as stopped via Services/Snort/Interfaces

See attached.


Files

snort.png (42.4 KB) snort.png Yuri Weinstein, 09/16/2017 10:02 AM
Actions #1

Updated by Kill Bill over 6 years ago

Please use forums [1] for support. There's no info here to identify any bug, plus there were no changes whatsoever regarding WAN in _1, the only code that changed was XMLRPC sync.

[1] https://forum.pfsense.org/index.php?board=61.0

Actions #2

Updated by Yuri Weinstein over 6 years ago

Ok, posted on the forum.
So no bugs against snort are to be logged?
What is unclear from this issue?

Thx

Actions #3

Updated by Yuri Weinstein over 6 years ago

Here is a snippet from the system log:

Sep 16 14:20:08    barnyard2    41362    Opened spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'
Sep 16 14:20:08    barnyard2    41362    Using waldo file '/var/log/snort/snort_igb012131/barnyard2/12131_igb0.waldo': spool directory = /var/log/snort/snort_igb012131 spool filebase = snort_12131_igb0.u2 time_stamp = 1505329571 record_idx = 0
Sep 16 14:20:08    barnyard2    41061    Log directory = /var/log/snort/snort_igb012131
Sep 16 14:20:08    barnyard2    41061    Parsing config file "/usr/local/etc/snort/snort_12131_igb0/barnyard2.conf" 
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Barnyard2 START for WAN(igb0)...
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 12131 -D -q --suppress-config-log -l /var/log/snort/snort_igb012131 --pid-path /var/run --nolock-pidfile -G 12131 -c /usr/local/etc/snort/snort_12131_igb0/snort.conf -i igb0' returned exit code '1', the output was ''
Sep 16 14:20:08    snort    40961    FATAL ERROR: /usr/local/etc/snort/snort_12131_igb0/rules/snort.rules(424) Unknown rule option: 'sd_pattern'.
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Snort START for WAN(igb0)...
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: Starting Snort on WAN(igb0) per user request...
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for LAN...
Sep 16 14:20:07    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN...
Sep 16 14:20:04    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN ...
Sep 16 14:20:04    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Sep 16 14:20:03    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Sep 16 14:19:59    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Sep 16 14:19:50    php-fpm    95363    /snort/snort_interfaces_edit.php: End of portal.pfsense.org configuration backup (success).
Sep 16 14:19:46    php-fpm    95363    /snort/snort_interfaces_edit.php: Beginning https://portal.pfsense.org configuration backup.
Sep 16 14:19:24    barnyard2    96988    Opened spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505596764'
Sep 16 14:19:24    barnyard2    96988    Closing spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505588722'. Read 0 records
Sep 16 14:19:24    barnyard2    96988    Opened spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505588722'
Sep 16 14:19:24    barnyard2    96988    Using waldo file '/var/log/snort/snort_igb136179/barnyard2/36179_igb1.waldo': spool directory = /var/log/snort/snort_igb136179 spool filebase = snort_36179_igb1.u2 time_stamp = 1505588722 record_idx = 0
Sep 16 14:19:24    barnyard2    96973    Log directory = /var/log/snort/snort_igb136179
Sep 16 14:19:24    barnyard2    96973    Parsing config file "/usr/local/etc/snort/snort_36179_igb1/barnyard2.conf" 
Sep 16 14:19:24    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Barnyard2 START for LAN(igb1)...
Sep 16 14:19:24    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Snort START for LAN(igb1)...
Sep 16 14:19:24    barnyard2    78337    Closing spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505588722'. Read 0 records
Sep 16 14:19:24    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Barnyard2 STOP for LAN(igb1)...
Sep 16 14:19:22    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Snort STOP for LAN(igb1)...
Sep 16 14:19:22    php-fpm    88766    /snort/snort_interfaces.php: Restarting Snort on LAN(igb1) per user request...
Sep 16 14:19:22    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for LAN...
Sep 16 14:19:21    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN...
Sep 16 14:19:17    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN ...
Sep 16 14:19:09    php-fpm    84582    /snort/snort_interfaces_edit.php: End of portal.pfsense.org configuration backup (success).
Sep 16 14:19:06    php-fpm    84582    /snort/snort_interfaces_edit.php: Beginning https://portal.pfsense.org configuration backup.
Sep 16 14:19:06    barnyard2    58448    Closing spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'. Read 0 records
Sep 16 14:19:06    php-fpm    84582    /snort/snort_interfaces_edit.php: [Snort] Barnyard2 STOP for WAN(igb0)...
Sep 16 14:15:45    barnyard2    58448    Opened spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'
Sep 16 14:15:45    barnyard2    58448    Using waldo file '/var/log/snort/snort_igb012131/barnyard2/12131_igb0.waldo': spool directory = /var/log/snort/snort_igb012131 spool filebase = snort_12131_igb0.u2 time_stamp = 1505329571 record_idx = 0
Sep 16 14:15:45    barnyard2    58192    Log directory = /var/log/snort/snort_igb012131
Sep 16 14:15:45    barnyard2    58192    Parsing config file "/usr/local/etc/snort/snort_12131_igb0/barnyard2.conf" 
Sep 16 14:15:45    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Barnyard2 START for WAN(igb0)...
Sep 16 14:15:45    php-fpm    48223    /snort/snort_interfaces.php: Starting Barnyard2 on WAN(igb0) per user request...
Sep 16 14:15:45    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for LAN...
Sep 16 14:15:45    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN...
Sep 16 14:15:41    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN ...
Sep 16 14:15:41    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Sep 16 14:15:41    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Sep 16 14:15:37    php-fpm    48223    /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Sep 16 14:15:01    barnyard2    77595    Closing spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'. Read 0 records
Sep 16 14:15:01    php-fpm    20121    /snort/snort_interfaces.php: [Snort] Barnyard2 STOP for WAN(igb0)...
Sep 16 14:15:01    php-fpm    20121    /snort/snort_interfaces.php: Stopping Barnyard2 on WAN(igb0) per user request...
Sep 16 12:10:00    php        /usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Barnyard2 archived logs cleanup job removed 1 file(s) from /var/log/snort/snort_igb136179/barnyard2/archive/...
Sep 16 12:05:55    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: New alert found: An error occurred while uploading your pfSense configuration to portal.pfsense.org ()
Sep 16 12:05:55    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: An error occurred while uploading your pfSense configuration to portal.pfsense.org () -
Sep 16 12:05:25    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: Beginning https://portal.pfsense.org configuration backup.
Sep 16 12:05:25    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Sep 16 12:05:25    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort has restarted with your new set of rules...
Sep 16 12:05:23    barnyard2    78337    Opened spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505588722'
Sep 16 12:05:23    barnyard2    78337    Closing spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505573402'. Read 0 records
Sep 16 12:05:22    snort    77239    FATAL ERROR: /usr/local/etc/snort/snort_12131_igb0/rules/snort.rules(424) Unknown rule option: 'sd_pattern'.
Sep 16 12:05:22    barnyard2    77595    Opened spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'
Sep 16 12:05:22    barnyard2    77595    Using waldo file '/var/log/snort/snort_igb012131/barnyard2/12131_igb0.waldo': spool directory = /var/log/snort/snort_igb012131 spool filebase = snort_12131_igb0.u2 time_stamp = 1505329571 record_idx = 0
Sep 16 12:05:22    barnyard2    77595    Log directory = /var/log/snort/snort_igb012131
Sep 16 12:05:22    barnyard2    78337    Opened spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505573402'
Sep 16 12:05:22    barnyard2    78337    Using waldo file '/var/log/snort/snort_igb136179/barnyard2/36179_igb1.waldo': spool directory = /var/log/snort/snort_igb136179 spool filebase = snort_36179_igb1.u2 time_stamp = 1505573402 record_idx = 0
Sep 16 12:05:22    barnyard2    78337    Log directory = /var/log/snort/snort_igb136179
Sep 16 12:05:22    barnyard2    78337    Parsing config file "/usr/local/etc/snort/snort_36179_igb1/barnyard2.conf" 
Sep 16 12:05:22    barnyard2    77595    Parsing config file "/usr/local/etc/snort/snort_12131_igb0/barnyard2.conf" 
Sep 16 12:05:22    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Barnyard2 START for LAN(igb1)...
Sep 16 12:05:22    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort START for LAN(igb1)...
Sep 16 12:05:22    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Barnyard2 START for WAN(igb0)...
Sep 16 12:05:22    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort START for WAN(igb0)...
Sep 16 12:05:20    barnyard2    27749    Closing spool file '/var/log/snort/snort_igb136179/snort_36179_igb1.u2.1505573402'. Read 0 records
Sep 16 12:05:20    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Barnyard2 STOP for LAN(igb1)...
Sep 16 12:05:18    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort STOP for LAN(igb1)...
Sep 16 12:05:18    barnyard2    96348    Closing spool file '/var/log/snort/snort_igb012131/snort_12131_igb0.u2.1505329571'. Read 0 records
Sep 16 12:05:18    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Barnyard2 STOP for WAN(igb0)...
Sep 16 12:05:18    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN...
Sep 16 12:05:18    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN...
Sep 16 12:05:14    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN ...
Sep 16 12:05:14    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
Sep 16 12:05:13    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN...
Sep 16 12:05:10    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
Sep 16 12:05:09    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
Sep 16 12:05:09    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Sep 16 12:05:08    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Sep 16 12:05:07    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
Sep 16 12:05:06    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
Sep 16 12:05:04    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
Sep 16 12:05:02    php        /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date...
Sep 16 10:02:58    php-fpm    36204    /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 12131 -D -q --suppress-config-log -l /var/log/snort/snort_igb012131 --pid-path /var/run --nolock-pidfile -G 12131 -c /usr/local/etc/snort/snort_12131_igb0/snort.conf -i igb0' returned exit code '1', the output was ''
Sep 16 10:02:58    snort    45505    FATAL ERROR: /usr/local/etc/snort/snort_12131_igb0/rules/snort.rules(424) Unknown rule option: 'sd_pattern'.
Actions #4

Updated by Kill Bill over 6 years ago

Sep 16 12:05:22    snort    77239    FATAL ERROR: /usr/local/etc/snort/snort_12131_igb0/rules/snort.rules(424) Unknown rule option: 'sd_pattern'.

As noted on the forum, this is a broken rule breaking your WAN instance. This is not a package bug, and Snort doesn't handle broken rules gracefully, unlike Suricata.
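
The log excerpt in comment #3 already contains the whole diagnosis, but it is easy to miss among the barnyard2 and rules-update noise: the `snort` launch for `igb0` exits with code 1, and the `FATAL ERROR` line from the same instance directory names the rules file, line number and the rejected option. The following Python script is an added example written for this page, not code from the pfSense Snort package or from anyone in this thread. It parses a constructed copy of a few of the posted log lines (same format, timestamps and PIDs as the post), joins each failed `snort` start to the fatal error from the same `snort_<id>_<iface>` instance directory, and then scans a constructed rules fragment for active rules carrying the offending option. The rules fragment and the `SAMPLE_*` names are assumptions made for the example.

```python
import re

# Constructed sample: four lines in the shape of the pfSense system log excerpt
# posted in this thread (same layout: timestamp, process, PID, message).
SAMPLE_LOG = """\
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 12131 -D -q --suppress-config-log -l /var/log/snort/snort_igb012131 --pid-path /var/run --nolock-pidfile -G 12131 -c /usr/local/etc/snort/snort_12131_igb0/snort.conf -i igb0' returned exit code '1', the output was ''
Sep 16 14:20:08    snort    40961    FATAL ERROR: /usr/local/etc/snort/snort_12131_igb0/rules/snort.rules(424) Unknown rule option: 'sd_pattern'.
Sep 16 14:20:08    php-fpm    1818    /snort/snort_interfaces.php: [Snort] Snort START for WAN(igb0)...
Sep 16 14:19:24    php-fpm    88766    /snort/snort_interfaces.php: [Snort] Snort START for LAN(igb1)...
"""

# Constructed rules fragment (assumption): line 3 uses the option the log rejects.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed ok rule"; content:"GET"; sid:9000001; rev:1;)
# commented-out rule, must be ignored
alert tcp any any -> any any (msg:"constructed sd rule"; sd_pattern:5,credit_card; sid:9000002; rev:1;)
"""

FATAL_RE = re.compile(
    r"\bsnort\s+\d+\s+FATAL ERROR: (?P<path>[^\s(]+)\((?P<line>\d+)\) "
    r"Unknown rule option: '(?P<option>[^']+)'"
)
FAILED_START_RE = re.compile(
    r"The command '(?P<cmd>[^']*)' returned exit code '(?P<code>\d+)'"
)
START_RE = re.compile(r"\[Snort\] Snort START for (?P<name>\w+)\((?P<iface>\w+)\)")


def parse_fatal_errors(log_text):
    """One dict per 'Unknown rule option' FATAL ERROR line."""
    out = []
    for m in FATAL_RE.finditer(log_text):
        path = m.group("path")
        out.append({
            "rules_file": path,
            "line": int(m.group("line")),
            "option": m.group("option"),
            # .../snort_12131_igb0/rules/snort.rules -> snort_12131_igb0
            "instance": path.split("/")[-3],
        })
    return out


def parse_failed_starts(log_text):
    """One dict per snort launch that exited non-zero, with the instance directory
    taken from its -c argument and the capture interface from its -i argument."""
    out = []
    for m in FAILED_START_RE.finditer(log_text):
        cmd = m.group("cmd")
        conf = re.search(r"\s-c (\S+)", cmd)
        iface = re.search(r"\s-i (\S+)", cmd)
        out.append({
            "exit_code": int(m.group("code")),
            "instance": conf.group(1).split("/")[-2] if conf else None,
            "interface": iface.group(1) if iface else None,
        })
    return out


def friendly_names(log_text):
    """Map interface device (igb0) to its pfSense name (WAN) using the START lines."""
    return {m.group("iface"): m.group("name") for m in START_RE.finditer(log_text)}


def diagnose(log_text):
    """Join each failed launch to the FATAL ERROR from the same instance directory.
    Returns {interface: details} for every instance the GUI would show as stopped."""
    fatals = {f["instance"]: f for f in parse_fatal_errors(log_text)}
    names = friendly_names(log_text)
    report = {}
    for fail in parse_failed_starts(log_text):
        cause = fatals.get(fail["instance"])
        report[fail["interface"]] = {
            "name": names.get(fail["interface"], "?"),
            "exit_code": fail["exit_code"],
            "rules_file": cause["rules_file"] if cause else None,
            "line": cause["line"] if cause else None,
            "option": cause["option"] if cause else None,
        }
    return report


def rules_using_option(rules_text, option):
    """1-based line numbers of active (uncommented) rules that use `option`, so the
    offending rules can be disabled or the feature they need can be enabled."""
    pat = re.compile(r"[;(\s]" + re.escape(option) + r"\s*:")
    return [n for n, line in enumerate(rules_text.splitlines(), 1)
            if not line.lstrip().startswith("#") and pat.search(line)]


if __name__ == "__main__":
    for iface, d in diagnose(SAMPLE_LOG).items():
        print(f"{d['name']}({iface}): exit {d['exit_code']}, "
              f"{d['rules_file']}:{d['line']} rejects option '{d['option']}'")
        print("rules using it:", rules_using_option(SAMPLE_RULES, d["option"]))
```

Run against a real `/var/log/system.log` export, the `diagnose` output lists only instances whose launch actually failed, which is the condition behind the "stopped" status in the interface list; `rules_using_option` then points at the rule lines to disable (or the option to stop using) before restarting the instance.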

Actions #5

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Rejected