Snort nginx upstream timeout error
-
For the last couple versions of pfSense I have been having a hard time starting snort. I'm just getting around to deep diving into it and fixing the problem.
System: Watchguard 1250e x-core
Storage Type: NanoBSD/CF card (I know I need to change that moving forward soon)
pfSense Version: 2.3-Release
When I start snort on WAN adapter it takes about 2-3 minutes, then I receive a 504 gateway timeout and here is what's in the System Log.
Jul 5 21:15:45 pfsense.domain.local nginx: 2016/07/05 21:15:45 [error] 45943#0: *1792 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"
Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Snort START for WAN(sk0)…
Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: Starting Snort on WAN(sk0) per user request...
Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] WARNING: Flowbit resolution not done - no rules in /usr/local/etc/snort/rules/ …
Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Jul 5 21:12:46 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Jul 5 21:12:13 snort 78685 FATAL ERROR: /usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules": No such file or directory.
Jul 5 21:12:13 SnortStartup 78352 Snort START for WAN(35781_sk0)...
I have done some vague research and it seems like it might be pointing to a php-fpm directive maybe? Or fastcgi parameters, but I really don't know a lot about that. Anyone seen this error or have any ideas what to try? If you need any more information or screenshots of settings let me know.
Thank you.
-
Storage Type: NanoBSD/CF card (I know I need to change that moving forward soon)
It says it all above :)
Nano predominantly causes issues due to lack of storage space in /var/ and /tmp… Try to increase the size of those partitions from the Advanced Menu options...
-
Thank you for the reply BBcan177, I honestly feel honored. I've seen you contribute so much to bug fixes and packages. Nice work by the way. I will look at increasing those values.
I run a 4GB card with 4GB snapshot, do you have any recommendations on values, or the best way to determine what I should set them to? Does it depend on packages or anything else I have installed?
-
Thanks!
Check out the following thread from the Snort/Suricata Dev..
https://forum.pfsense.org/index.php?topic=113623.msg631758#msg631758
-
I have increased the /tmp to 120MB and /var to 180MB and rebooted, but still get the 504 gateway timeout error. Nginx error in the system log looks similar.
nginx: 2016/07/05 22:35:52 [error] 43208#0: *1 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"
-
Chamaeleon!
I am facing the same issue of "504 gateway time out" during snort reloading of plugin. Have you resolved the problem?
Love me or hate, but do not judge me. :)
-
Sadly, I've not been able to resolve this yet.
-
I am having this issue as well. It appeared more or less out of nowhere…