Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 2 replies
  • Subscribers 0 subscribers
  • Views 590 views
  • Users 0 members are here
Options
Suggested

[8.920][ANSWERED] SNORT: FATAL ERROR: SetupDNP3()

wingman
Hi All

This was initially posted by Ian (https://community.sophos.com/products/unified-threat-management/astaroorg/f/75/t/64052)

It seems that every time you select a new attack pattern, snort restarts and therefore existing internet traffic is being dropped. 

I've added two new attack patterns and got the same fatal error twice (snort[18608]: FATAL ERROR: SetupDNP3(): The Stream preprocessor must be enabled.)

However, I only got 1 email notification for snort process restarting. Is that the expected behaviour?

Thanks
  • 0
    Snort has only been restarted once, so you'll only get one notification. Yes, that's the intended behavior.

    Cheers,
    Kai
  • 0
    Hi Kai

    For the past few days I am getting snort restarts without touching snort( adding patterns). This morning I've noticed that ipv6 was down/down 

    2012:04:07-09:30:58 ********* tspc[26453]: gogoCLIENT v1.2-RELEASE build Mar 22 2012-12:44:43  

    2012:04:07-09:30:58 ********* tspc[26453]: Built on ///Linux axgbuild 2.6.32.54-0.3-default #1 SMP 2012-01-27 17:38:56 +0100 i686 i686 i386 GNU/Linux///

    2012:04:07-09:30:59 ********* tspc[26453]: Received a TSP redirection message from server authenticated.freenet6.net (1200 Redirection ).

    2012:04:07-09:30:59 ********* tspc[26453]: The server redirection list is [ sydney.freenet6.net, amsterdam.freenet6.net, montreal.freenet6.net ].

    2012:04:07-09:31:29 ********* tspc[26453]: The optimized server redirection list is [ montreal.freenet6.net, sydney.freenet6.net, amsterdam.freenet6.net ].

    2012:04:07-09:31:29 ********* tspc[26453]: The server is too busy to process your TSP request.

    2012:04:07-09:31:29 ********* tspc[26453]: Failed to retrieve TSP capabilities.


    so I've tried to disable it and re enable it. Immediately, I lost access to the network and cpu went 90%. It seems that snort just restarted itself

    Nothing useful in the snort log 
    2012:04:07-00:32:53 ********* snort[13537]: Decoding Raw IP4

    2012:04:07-09:31:48 ********* snort[13537]: 

    2012:04:07-09:31:48 ********* snort[13537]:         --== Reloading Snort ==--

    2012:04:07-09:31:48 ********* snort[13537]: 


    2012:04:07-09:31:25 ********* selfmonng[3563]: T read config file '/etc/selfmonng.conf'

    2012:04:07-09:32:09 ********* selfmonng[3563]: I check Failed increment snort_inline_running counter 1 - 3

    2012:04:07-09:32:29 ********* selfmonng[3563]: I check Failed increment snort_inline_running counter 2 - 3

    2012:04:07-09:33:34 ********* selfmonng[3563]: I check Failed increment ctasd_connect counter 1 - 2

    2012:04:07-09:33:34 ********* selfmonng[3563]: W check Failed increment snort_inline_running counter 3 - 3

    2012:04:07-09:33:34 ********* selfmonng[3563]: Snort not running - restarted

    2012:04:07-09:33:34 ********* selfmonng[3563]: W NOTIFYEVENT Name=snort_inline_running Level=INFO Id=115 sent

    2012:04:07-09:33:34 ********* selfmonng[3563]: W triggerAction: 'cmd'

    2012:04:07-09:33:34 ********* selfmonng[3563]: W actionCmd(+):  '/var/mdw/scripts/snort restart'



    Let me know if you want me to open a new thread to track this

    Thanks
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?