Snort mailing list archives

Re: Snort 2.9.11.1 daemon crashes after running for few days (SEGV and Dynamic Rule not initialized properly)


From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Wed, 7 Mar 2018 17:10:20 +0000

Adding "bugs () snort org" to this email.


--
Joel Esler | Talos: Manager | jesler () cisco com






On Mar 7, 2018, at 11:55 AM, Black Lion via Snort-users <snort-users () lists snort org> wrote:

Hello

I have recently installed Snort on Ubuntu Server 16.04.4 (Snort version 2.9.11.1 installed from source). I have also
set up PulledPork and new Snort rules are downloaded automatically via a cron job. I have noticed that after a few days
of running the Snort daemon, it stops running with the SEGV status, which I can see by running the 'service snort
status' command. I also noticed that about a minute before Snort crashes, there are a number of messages showing
'Dynamic Rule [x:y] was not initialized properly'. I have included the output of the 'service snort status' command
below:

● snort.service - Snort NIDS Daemon
   Loaded: loaded (/lib/systemd/system/snort.service; enabled; vendor preset: enabled)
   Active: failed (Result: core-dump) since Fri 2018-03-02 09:10:43 SAST; 2 days ago
  Process: 6098 ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eno1 (code=dumped, signal=SEGV)
 Main PID: 6098 (code=dumped, signal=SEGV)

Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:16533] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:26877] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:16408] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:15912] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:7019] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:8351] was not initialized properly.
Mar 02 09:10:43 SERVER92537 snort[6098]: Dynamic Rule [3:38834] was not initialized properly.
Mar 02 09:10:43 SERVER92537 systemd[1]: snort.service: Main process exited, code=dumped, status=11/SEGV
Mar 02 09:10:43 SERVER92537 systemd[1]: snort.service: Unit entered failed state.
Mar 02 09:10:43 SERVER92537 systemd[1]: snort.service: Failed with result 'core-dump'.

What could be the reason that the snort service stops running after a few days?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
