Updating SNORT Rules results in network disconnect
-
PFsense Version: 2.7.2-RELEASE (amd64) built on Thu Dec 7 4:10:00 +08 2023
Snort Version: 4.1.6_17 (latest as there were no updates available)
I have been running pfSense and it is very stable - no (or very little) issues with network disconnect or anything. However it seems that whenever I attempt to update Snort rules, there will be a short network disconnect. Sometimes when I apply drop for the Snort rules, there will also be a short network disconnect. Tested with a ping test and for a few seconds it would disconnect.
I had checked the system logs and it seems like there is this:
/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - X -> X - Restarting packages.
The IP address on the system log is the same (X->X), so there was actually no IP change. My WAN IP address is also a static IP address and I have not changed the IP address.
Rules enabled:
Snort GPLv2 Community Rules (Talos certified)
Feodo Tracker Botnet C2 IP Rules
emerging-compromised.rules
emerging-current_events.rules
Anyone faced the same issue before?
Any help would greatly be appreciated.
-
@ong1234 There’s an option in Suricata to live reload rules…pretty sure it’s in Snort too. Otherwise it restarts the process which has that symptom.
-
Tried checking Snort global settings but can't find the option.
Seems that the entire network drops every time I do an update for the Snort rules. And I wonder why it detects a change in the WAN IP address.
Also to add this is a new pfsense setup (new N100 device). The previous setup had this issue as well.
-
@ong1234 On Suricata it's on Global Settings, Live Rule Swap on Update:
"Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked
When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update."
We don't have any Snort to look at anymore... a combination of 1) Snort being problematic on 3100s/32 bit ARM, so we standardized on Suricata, and 2) the package maintainer has indicated a few times on this forum that he won't be developing a Snort 3 package, so it will basically die off with Snort 2 EOL.
re: change in the WAN IP address, I think that is a default message when an interface restarts in pfSense. More like, "I found an IP address and this is it."
-
Snort does not have a "soft rule reload" option because of the way it handles pre-processors. They cannot be reliably "soft loaded/restarted" and could cause a rule reload to fail. Therefore, in Snort, rule updates will restart the Snort process at the end.
If you are using Inline IPS Mode, the netmap kernel device used with that mode of operation will restart the pfSense interface each time the Snort process restarts. There is no way to avoid that.
Legacy Blocking Mode formerly did not restart the interface when the Snort process restarted, but about two or three years ago anecdotal evidence reported by users suggests that even that mode can now result in interface restarts when the Snort process closes and then opens a PCAP session link to the interface. Perhaps something changed within libpcap on FreeBSD ???
So, the TLDR answer is that an interface restart is expected when Snort restarts.
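The rc.newwanip message quoted in the first post, together with the explanation above that the interface restart itself is expected, suggests a simple check for anyone reviewing these logs. This is an added example, not code from the thread or from the pfSense/Snort packages: it scans pfSense system log lines for that message and separates a same-address restart (old and new address identical, which is what a Snort restart produces) from a real WAN address change. The log lines, hostnames and addresses are constructed, and the syslog prefix layout is an assumption.

```python
import re
from typing import Dict, List, Optional

# Message text as quoted in the thread; the timestamp/host/process prefix is the
# usual syslog layout (assumed). Addresses below are constructed RFC 5737 examples.
NEWWANIP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?/rc\.newwanip: "
    r"pfSense package system has detected an IP change or dynamic WAN reconnection"
    r" - (?P<old>\S+) -> (?P<new>\S+) - Restarting packages\."
)

# Constructed sample log excerpt: one same-address restart, one unrelated line,
# one genuine WAN address change.
SAMPLE_LOG = """\
Dec  8 03:00:12 pfSense php-fpm[412]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 203.0.113.10 -> 203.0.113.10 - Restarting packages.
Dec  8 03:00:20 pfSense sshd[999]: Accepted publickey for admin from 192.0.2.5 port 51022
Dec  9 11:45:01 pfSense php-fpm[412]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 203.0.113.10 -> 198.51.100.7 - Restarting packages.
"""


def parse_newwanip(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed rc.newwanip event for one log line, or None if it is not one."""
    m = NEWWANIP_RE.search(line)
    if not m:
        return None
    old, new = m.group("old"), m.group("new")
    return {
        "time": m.group("ts"),
        "old": old,
        "new": new,
        # Same address on both sides means the interface was re-initialised
        # (e.g. by a Snort process restart), not that the WAN address changed.
        "real_change": old != new,
    }


def classify_log(text: str) -> List[Dict[str, object]]:
    """Collect every rc.newwanip event in a log excerpt, in order of appearance."""
    events = []
    for line in text.splitlines():
        ev = parse_newwanip(line)
        if ev:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in classify_log(SAMPLE_LOG):
        kind = "real WAN address change" if ev["real_change"] else "interface restart, same address"
        print(f'{ev["time"]}: {ev["old"]} -> {ev["new"]} ({kind})')
```

Run it against a copy of the system log to see how many of the rc.newwanip entries line up with Snort rule-update times rather than with real WAN events.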
-
Snort, when it updates, is very memory hungry; you need to set it to update at night and enable a swap.
-
@bmeeks I understand now. Tk u
-
@JonathanLee Good idea. Thank you will do it this way.