
Snort not running after update 9.709-3

Hello Guys,

Since the last update to version 9.709-3 I get a regular error sent from our SGM 115 stating "Snort not running".
This happens quite often. I searched our logs and found under IPS something like:

Detection:
2022:04:06-14:09:29 astaro snort[2112]: Search-Method = AC-BNFA-Q
2022:04:06-14:09:29 astaro snort[2112]: Search-Method-Optimizations = enabled
2022:04:06-14:09:29 astaro snort[2112]: FATAL ERROR: /etc/snort//etc/snort/rules/astaro.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/astaro.rules": No such file or directory.
2022:04:06-14:09:35 astaro snort[2134]: Enabling inline operation
2022:04:06-14:09:35 astaro snort[2134]: Running in IDS mode
What is going on? How can I fix it?


  • Is IPS disabled or showing any issues in the log file for it besides what you posted? Are you doing any kind of direct database output for snort? 

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • IPS itself is turned off only things in use are anti port scan and DoS / Flooding. No direct database output is configured.
    To be honest I don't even know how I could dump stuff to a database using UTM 9.

  • Hallo and welcome to the UTM Community!

    What result do you get from the following at the command line?

         ll /var/chroot-snort/etc/snort/rules/astaro.rules

    If there's something there, then I think Amodin hit the nail on the head by asking if IPS is disabled.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It says "access denied, no such file or directory". Like I said before, IPS is indeed turned off and not in use.
    Thought I had already answered last week but forgot to press the reply button :(

  • My brain keeps going back to the question then:  "If IPS is disabled, why would this be an issue for you?"

    So what would happen then if you enable IPS? I wouldn't think Snort would update if it's not in use.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Ah okay, I do understand. Thanks for opening my eyes. I thought there would be an impact on the running machine.

  • I think you might have needed to execute that command as root.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
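The check Bob suggests (does the rules file exist under the snort chroot?) and his follow-up about running it as root, worked through as an added example that is not from this thread or from Sophos. The log lines are constructed after the excerpt in the question, the chroot directory `/var/chroot-snort` is taken from Bob's command, and the doubled-prefix test is based only on the `/etc/snort//etc/snort/...` path that appears in the posted FATAL ERROR line; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): pull the path named in Snort's
# "Unable to open rules file" FATAL ERROR out of a log excerpt, note when
# the path carries a doubled /etc/snort prefix, and check whether the file
# exists under the UTM snort chroot.

# Constructed sample log lines, modelled on the excerpt in the question.
SAMPLE_LOG='2022:04:06-14:09:29 astaro snort[2112]: Search-Method = AC-BNFA-Q
2022:04:06-14:09:29 astaro snort[2112]: FATAL ERROR: /etc/snort//etc/snort/rules/astaro.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/astaro.rules": No such file or directory.
2022:04:06-14:09:35 astaro snort[2134]: Running in IDS mode'

# Print the quoted path from every "Unable to open rules file" line, one per line.
missing_rules_paths() {
    printf '%s\n' "$1" | sed -n 's/.*Unable to open rules file "\([^"]*\)".*/\1/p'
}

# True when the path repeats the snort prefix, as the posted log line does
# (/etc/snort//etc/snort/..., i.e. the prefix was applied twice).
has_doubled_prefix() {
    case "$1" in
        */etc/snort//etc/snort/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the state of the rules file inside the chroot: present, unreadable
# (exists, but this user cannot read it, so rerun as root) or missing.
# Second argument overrides the chroot directory; default is Bob's path,
# or $CHROOT if set.
rules_file_state() {
    chroot_dir="${2:-${CHROOT:-/var/chroot-snort}}"
    # Collapse the doubled prefix so we test the path Snort meant to open.
    rel="$(printf '%s' "$1" | sed 's#^/etc/snort//etc/snort/#/etc/snort/#')"
    full="$chroot_dir$rel"
    if [ -r "$full" ]; then
        echo "present"
    elif [ -e "$full" ]; then
        echo "unreadable"
    else
        echo "missing"
    fi
}

# Stand-alone run over the constructed sample (paths contain no spaces,
# so plain word splitting of the function output is safe here).
main() {
    for p in $(missing_rules_paths "$SAMPLE_LOG"); do
        echo "rules file reported missing: $p"
        has_doubled_prefix "$p" && echo "  (path contains a doubled /etc/snort prefix)"
        echo "  state under chroot: $(rules_file_state "$p")"
    done
}
main
```

An "unreadable" result is the "access denied" outcome the asker saw from an unprivileged shell and means the check has to be repeated as root before concluding the file is absent; "missing" with IPS disabled matches the explanation in the thread that no rules are present because the IPS component is not in use.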