This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort not running after update 9.709-3

Hello Guys,

Since last update to version 9.709-3 I do a regular error send from our SGM 115 stating "Snort not running".
This happens quite often. I searched in our logs and found under IPS something like:

Detection:

2022:04:06-14:09:29 astaro snort[2112]: Search-Method = AC-BNFA-Q

2022:04:06-14:09:29 astaro snort[2112]: Search-Method-Optimizations = enabled

2022:04:06-14:09:29 astaro snort[2112]: FATAL ERROR: /etc/snort//etc/snort/rules/astaro.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/astaro.rules": No such file or directory.

2022:04:06-14:09:35 astaro snort[2134]: Enabling inline operation

2022:04:06-14:09:35 astaro snort[2134]: Running in IDS mode

What is going on? How can I fix it?

This thread was automatically locked due to age.

Top Replies

Amodin over 2 years ago in reply to PEASANT_KING +1

My brain keeps going back to the question then: "If IPS is disabled, why would this be an issue for you?" So what would happen then if you enable IPS? I wouldn't think Snort would update if it's not…

Parents

0 Amodin over 2 years ago

Is IPS disabled or showing any issues in the log file for it besides what you posted? Are you doing any kind of direct database output for snort?

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Amodin over 2 years ago

Is IPS disabled or showing any issues in the log file for it besides what you posted? Are you doing any kind of direct database output for snort?

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 PEASANT_KING over 2 years ago in reply to Amodin

IPS itself is turned off only things in use are anti port scan and DoS / Flooding. No direct database output is configured.
To be honest I don't even know how I could dump stuff to a database using UTM 9.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to PEASANT_KING

Hallo and welcome to the UTM Community!

What result do you get from the following at the command line?

ll /var/chroot-snort/etc/snort/rules/astaro.rules

If there's something there, then I think Amodin hit the nail on the head by asking if IPS is disabled.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 PEASANT_KING over 2 years ago in reply to BAlfson

It says access denied no such file or directory. Like I said before IPS is indeed turned off and not in use.
Thought I had already answered last week but forgot to press reply button :(
Cancel
Vote Up 0 Vote Down

Cancel
0 Amodin over 2 years ago in reply to PEASANT_KING

My brain keeps going back to the question then: "If IPS is disabled, why would this be an issue for you?"

So what would happen then if you enable IPS? I wouldn't think Snort would update if it's not in use.

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up +1 Vote Down

Cancel
0 PEASANT_KING over 2 years ago in reply to Amodin

Ah okay I do understand. Thanks for open my eyes.I thought there would be any inpact on the running machine
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to PEASANT_KING

I think you might have needed to execute that command as root.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel