Apparently there was a problem with a Snort package update. Since yesterday around 18:00 I had connectivity problems from local networks behind 2 different UTMs. The logs show the following:
up2date.log
2021:11:23-18:05:13 FW01 auisys[21582]: Install u2d packages <ipsbundle2>
2021:11:23-18:05:13 FW01 auisys[21582]: Starting installing up2date packages for type 'ipsbundle2'
2021:11:23-18:05:13 FW01 auisys[21582]: Installing up2date package: /var/up2date/ipsbundle2/u2d-ipsbundle2-9.520.tgz.gpg
Shortly after that, all hosts in the local networks behind the two UTMs could not access the Internet anymore. In both cases this error was logged every 30 seconds or so, causing the IPS log to grow into sizes of 150MB and more:
ips.log
2021:11:23-18:05:32 FW01 snort[21749]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1.
Same log entries on a different firewall at 18:02.
Currently I have disabled IPS on both affected systems as a workaround. However, I do not know if the IPS package will be updated automatically to a working version when the feature is disabled.
Did anyone else encounter this problem?
Hi.
Could you tell us which version you are running?
One customer had still been running 9.702 and got the same problem. After investigating, it looks like the older firmware is not compatible with the IPS pattern update and broke it.
The only way to fix this was to disable IPS, do an upgrade and re-enable it.
Hi,
Both UTMs are running on version 9.707-5 - the current one. I haven't tried the official workaround posted above yet.
I just wanted to share what we saw yesterday.
Thanks for the info. Unfortunately I cannot read that article provided by emmosophos.
Wow, the article is actually gone now... The workarounds were to either disable and re-enable IPS or manually remove an (older?) IPS component via SSH.
Hello,
I just checked, and the article is still available, please double-check one more time.
In any case here is the output of the KB, but the issue has been resolved already. Not sure if there might have been an issue when the KB was updated that made it unavailable temporarily.
Sophos UTM shows the following errors in ips.log:
2021:11:23-17:43:37 asgolen snort[18896]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1.
2021:11:23-17:43:37 asgolen snort[18896]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1.
Sophos' Development Team has released a pattern to fix this issue.
Workaround
rm /var/chroot-snort/usr/lib/snort/so_rules/server-apache.so
Regards,
Link is working now. Thanks
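A log check for the failure quoted in this thread, added here as an example and not taken from any post or from the Sophos KB: it parses ips.log lines in the format shown above, extracts the rule library and the two engine versions, and flags a host where the error keeps repeating. The function name, the threshold of three hits, and the sample timestamps and PIDs after the first line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message text as quoted in the thread; the sample timestamps and PIDs after
# the first line are constructed for this example.
MSG = ('FATAL ERROR: The dynamic detection library '
       '"/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with '
       "dynamic engine library version 3.0 isn't compatible with the current "
       'dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" '
       'version 3.1.')
SAMPLE_LOG = "\n".join([
    f"2021:11:23-18:05:32 FW01 snort[21749]: {MSG}",
    f"2021:11:23-18:06:02 FW01 snort[21801]: {MSG}",
    f"2021:11:23-18:06:33 FW01 snort[21850]: {MSG}",
    "2021:11:23-18:06:40 FW01 snort[21850]: constructed unrelated line",
])

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[\d+\]: '
    r'FATAL ERROR: The dynamic detection library "(?P<rule_lib>[^"]+)" version \S+ '
    r'compiled with dynamic engine library version (?P<built_for>\d+(?:\.\d+)*) '
    r"isn't compatible with the current dynamic engine library "
    r'"[^"]+" version (?P<engine>\d+(?:\.\d+)*)\.?\s*$')


def find_engine_mismatches(log_text, loop_threshold=3):
    """Group so_rule/engine version mismatches by host and rule library."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
            hits[(m["host"], m["rule_lib"], m["built_for"], m["engine"])].append(ts)
    report = []
    for (host, lib, built_for, engine), stamps in sorted(hits.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report.append({
            "host": host, "rule_lib": lib,
            "built_for_engine": built_for, "running_engine": engine,
            "count": len(stamps), "first_seen": stamps[0], "last_seen": stamps[-1],
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            # The thread saw this error repeat about every 30 seconds.
            "restart_loop": len(stamps) >= loop_threshold,
        })
    return report


if __name__ == "__main__":
    for entry in find_engine_mismatches(SAMPLE_LOG):
        print(entry)
```

The `first_seen` value can be compared against the `ipsbundle2` install time in up2date.log to tie the failure to a specific pattern update.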