Description
I am using pulledpork3 and snort3 installed per the instructions from https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/012/147/original/Snort_3.1.8.0_on_Ubuntu_18_and_20.pdf.
OS: Ubuntu 20.04 LTS
Pulledpork version: v3.0.0.4
Snort version: 3.1.18.0
Systemd unit files:
pulledpork3.service:
[Unit]
Description=Runs PulledPork3 to update Snort 3 Rulesets
Wants=pulledpork3.timer
[Service]
Type=oneshot
ExecStart=/usr/local/bin/pulledpork3/pulledpork.py -c /usr/local/etc/pulledpork3/pulledpork.conf
[Install]
WantedBy=multi-user.target
snort3.service:
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \
-k none -l /var/log/snort -D -u snort -g snort -i mon0 -m 0x1b --create-pidfile \
--plugin-path=/usr/local/lib/snort/plugins/extra --plugin-path=/usr/local/etc/so_rules
[Install]
WantedBy=multi-user.target
Whenever I run the pulledpork3 service manually or via the systemctl start pulledpork3 command, it does not reload snort3 but stops the snort3 service entirely.
pulledpork3 journal logs:
Nov 30 16:02:52 example pulledpork.py[1223531]: Writing rules to: /usr/local/etc/rules/pulledpork.rules
Nov 30 16:02:52 example pulledpork.py[1223531]: Writing blocklist file to: /usr/local/etc/lists/default.blocklist
Nov 30 16:02:52 example pulledpork.py[1223531]: Sending Snort process the reload signal (PID 1222580).
Nov 30 16:02:52 example pulledpork.py[1223531]: WARNING: Error sending SIGHUP to Snort3 process: [Errno 3] No such process
Nov 30 16:02:53 example systemd[1]: pulledpork3.service: Main process exited, code=exited, status=255/EXCEPTION
Nov 30 16:02:53 example systemd[1]: pulledpork3.service: Failed with result 'exit-code'.
Nov 30 16:02:53 example systemd[1]: Failed to start Runs PulledPork3 to update Snort 3 Rulesets.
Nov 30 16:02:53 piggy-sniff systemd[1]: Failed to start Runs PulledPork3 to update Snort 3 Rulesets.
snort3 journal logs:
Nov 30 16:04:42 piggy-sniff snort[1223652]: Snort (PID 1223652) caught fatal signal: SIGSEGV (11)
Nov 30 16:04:42 piggy-sniff snort[1223652]: Version: 3.1.18.0
Nov 30 16:04:42 piggy-sniff snort[1223652]: Backtrace:
Nov 30 16:04:42 piggy-sniff snort[1223652]: #0 0x7f6c6a085400 in _ZL4evalPvR6CursorPN5snort6PacketE+0xa0
Nov 30 16:04:42 piggy-sniff systemd[1]: snort3.service: Main process exited, code=killed, status=11/SEGV
Nov 30 16:04:42 piggy-sniff systemd[1]: snort3.service: Failed with result 'signal'.
Nov 30 16:04:42 piggy-sniff systemd[1]: snort3.service: Consumed 18.906s CPU time.
pulledpork3.conf:
# Which Snort/Talos rulesets do you want to download (recommended: choose only one)
community_ruleset = false
registered_ruleset = true
LightSPD_ruleset = false
# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = xyz
# which blocklists to download
snort_blocklist = true
et_blocklist = true
# additional blocklists to download from a URL, comma-separated
#blocklist_urls = http://a.b.com/list.list
# Where to write the blocklist file (single file containing all blocklists downloaded)
blocklist_path = /usr/local/etc/lists/default.blocklist
# PulledPork needs to know which version of Snort you are running in most instances.
# you can do this by giving an explicit snort_version or by providing the path (snort_path)
# to the snort binary. If you don't do either of these, PulledPork will try to determine
# the version of snort by searching for the binary on your system path.
# This is used to know which registered ruleset to download, the correct files from the LightSPD
# ruleset, and will be used to compile .so rules if you don't provide the distro.
# Where is the Snort Executable located (if not on the system path)
snort_path = /usr/local/bin/snort
# Which version of snort are you running (optional, not usually needed.). This version will over-rule snort_path
#snort_version = 3.1.0.0
# Where is the PID file for your running snort process/daemon (required to tell snort to reload the
# new rules after rules are modified) This is optional, but recommended.
# the pid file is written by snort in Daemon mode or if you run snort with the --create-pidfile flag.
# the pid file is named snort.pid and is saved in the logging directory (-l flag)
# (no windows support at this time for this feature)
pid_path=/var/log/snort/snort.pid
# Enable / Disable rules based on the level of functionality/security you want.
# must be one of: connectivity, balanced, security, max-detect, none
# default is connectivity. Will not work with community ruleset.
# https://www.snort.org/faq/why-are-rules-commented-out-by-default
ips_policy = balanced
# Rule Output mode:
# simple (just a single .rules file, with any rule that's not commented out enabled)
# policy (rules file with all rules enabled, using a policy file to enable/disable rules)
rule_mode = simple
# policy path is required if you are using rule_mode = policy
#policy_path = c:\snort\rules\pulledpork.states
# where to save our single combined rule file (This is required, and needs to be an absolute path):
rule_path = /usr/local/etc/rules/pulledpork.rules
# Local Rules files
# Specify local rules files, comma-separated
local_rules = /usr/local/etc/rules/local.rules
# Rules files to ignore
# includes.rules and snort3-deleted.rules are recommended to always be ignored
# NOTE: the old "ignore" setting name (from Perl PulledPork) is also accepted here
# if both are used, the values are combined and de-duped
ignored_files = includes.rules, snort3-deleted.rules
# do you want rules that are disabled to be included when writing rules to rule_path?
# defaults to false. This is ignored if rule_mode = policy, since the policy determines which
# rules are written
include_disabled_rules = false
# where should so rules be saved
# so rules will only be processed if this is uncommented
sorule_path = /usr/local/etc/so_rules/
# What Distro are you running? This must match one of the supported distros:
# centos-x64, debian-x64, fc-x64, opensuse-x64, ubuntu-x64
# disable this entry to compile rules manually (not yet supported)
distro = ubuntu-x64
# do you want all the different policy files written to a local directory (for advanced users)
#policies_path = /usr/local/etc/rules/
# WARNING: RULE MODIFICATION WITH THESE FILES IS PARTIALLY IMPLEMENTED
# The code for this functionality is experimental, and does not handle GID:SID Ranges
# or CATEGORIES yet (VRT- or ET- or Custom-)
# you can use PulledPork2 compatible files / formatting for these files
#
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# WARNING: RULE MODIFICATION with modifysid IS NOT IMPLEMENTED YET
# modifysid=/usr/local/etc/snort/modifysid.conf
# WARNING: RULE MODIFICATION IS NOT IMPLEMENTED YET
# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable
# PulledPork will use the system default temporary working directory, unless you specify a different one below.
# (this is not common). PulledPork will create a working folder named PulledPork-YYYY.MM.DD-HH.MM.SS in the
# temp location. This is useful during troubleshooting PulledPork3 with the -k (keep temp directory) flag
#temp_path = /tmp
# Pulledpork3 configuration version variable: may be used in future
CONFIGURATION_NUMBER = 3.0.0.3
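The pulledpork3 log above shows the reload step reading a PID from pid_path, sending SIGHUP, and failing with "[Errno 3] No such process", after which the oneshot unit exits with status 255. That error means the PID file pointed at a process that no longer existed (a stale PID file, or a daemon that had already died). The helper below is an added example, not pulledpork3's own code and not part of the reporter's setup: it validates the PID file before signalling, distinguishes a stale file from a PID that has been reused by an unrelated program, and returns a status instead of raising, so a scheduler can log a clear result. It assumes Linux with /proc mounted and that the daemon's short name in /proc/PID/comm is "snort"; both are assumptions, not facts taken from the issue.

```python
"""Stale-PID-file-aware reload helper (added example, not pulledpork3 code).

Assumptions (not from the issue): Linux with /proc, and that the daemon's
process name as reported in /proc/<pid>/comm is "snort".
"""
import os
import signal
from pathlib import Path


def read_pid(pid_path):
    """Return the integer PID stored in pid_path, or None if missing/unparseable."""
    try:
        first_token = Path(pid_path).read_text().strip().split()[0]
        pid = int(first_token)
    except (OSError, ValueError, IndexError):
        return None
    return pid if pid > 0 else None


def process_alive(pid):
    """True if a process with this PID exists (signal 0 probes without delivering)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        # The process exists but belongs to another user; still alive.
        return True
    return True


def process_name(pid):
    """Short command name from /proc/<pid>/comm, or None if not readable."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return None


def check_pid(pid_path, expected_name="snort"):
    """Classify the PID file: ('ok'|'no-pidfile'|'stale'|'wrong-process', pid).

    'stale' is the case behind Errno 3 in the issue: the file exists but no
    process has that PID. 'wrong-process' means the PID was recycled by an
    unrelated program, which a bare kill() would signal without complaint.
    """
    pid = read_pid(pid_path)
    if pid is None:
        return "no-pidfile", None
    if not process_alive(pid):
        return "stale", pid
    name = process_name(pid)
    if name is not None and name != expected_name:
        return "wrong-process", pid
    return "ok", pid


def reload_daemon(pid_path, expected_name="snort", dry_run=False):
    """Send SIGHUP only when check_pid reports 'ok'; return (status, pid)."""
    status, pid = check_pid(pid_path, expected_name)
    if status != "ok":
        return status, pid
    if dry_run:
        return "would-signal", pid
    try:
        os.kill(pid, signal.SIGHUP)
    except ProcessLookupError:
        # Lost the race: the process exited between the check and the signal.
        return "stale", pid
    except PermissionError:
        return "permission-denied", pid
    return "signalled", pid


if __name__ == "__main__":
    import sys

    # Default path matches the pid_path in the reporter's pulledpork3.conf.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/snort.pid"
    status, pid = reload_daemon(path, dry_run="--dry-run" in sys.argv)
    print(f"{status} pid={pid}")
    sys.exit(0 if status in ("signalled", "would-signal") else 1)
```

Running it with --dry-run against the configured pid_path is a quick way to tell whether the file on disk still refers to a live snort process before the timer fires; a "stale" result points at the daemon having exited (or restarted under a new PID without rewriting the file) rather than at the rule download itself.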