Snort Exiting
-
Hi Guys,
I have recently upgraded my pfSense to 2.7.0; my Snort package is 4.1.6_13.
I have two inline interfaces. Every night, it looks like after the rules update (which finishes successfully), Snort keeps restarting forever.
I have no errors or signal exits; it just says Snort exiting.
Any clue what this could be?
It just keeps exiting and starting... forever. I don't know what triggers it.
-
I've realised I am not using pfSense+, so I am updating now to a stable pfSense+ and will see how things go.
-
@compuomari You don't need Plus to run Snort, but 2.7.0 is two versions behind, so if you installed the Snort package from the 2.7.2 branch that could cause problems.
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
-
Still getting this error, any idea what is causing this?
-
@compuomari said in Snort Exiting:
Still getting this error, any idea what is causing this?
This error indicates something in your NIC hardware driver is incompatible with the FreeBSD netmap kernel device used to implement Inline IPS Mode.
Try switching to Legacy Mode Blocking and see if Snort starts successfully. If it does, that will prove that something in your hardware is now incompatible with the netmap kernel device driver. That could be due to whatever specific firmware update exists on your NIC interacting poorly with the latest kernel code in FreeBSD. If Snort works in Legacy Mode but not Inline IPS Mode, then your only solution if you wish to use Inline IPS Mode is going to be replacing your NIC with something else.
-
@bmeeks What is interesting is that Snort is only dying on one interface; the other interface is running inline with no issues.
I've reverted the other interface to legacy mode to see what happens. Now I have 2 interfaces, one inline and one legacy. I will update this thread.
-
@compuomari said in Snort Exiting:
@bmeeks What is interesting is that Snort is only dying on one interface; the other interface is running inline with no issues.
I've reverted the other interface to legacy mode to see what happens. Now I have 2 interfaces, one inline and one legacy. I will update this thread.
Are you trying to run VLANs on the same interface? That could lead to the issue you are seeing. VLANs and Inline IPS Mode are not at all friendly with each other.
Also, are the two interfaces exactly the same make and model of NIC hardware (assuming you mean two physically separate interfaces and not multiple VLANs on the same physical parent)?
-
@bmeeks The NICs are identical and I am not running VLANs. The NICs are Intel 82574L Gigabit Network Connection.
I have read somewhere that netmap could have issues with multithreading if the Snort instance was given a high number of threads.
I've also disabled ntop-ng and Zeek; they could be hammering the netmap resource.
-
@compuomari said in Snort Exiting:
I have read somewhere that netmap could have issues with multithreading if the Snort instance was given a high number of threads.
Snort 2.9.x as used on pfSense is single-threaded. It is not capable of multithread operation. Suricata is a multi-thread application.
-
@bmeeks Thanks for this... I will see if Snort works after having one interface inline and the other legacy.
Otherwise I may switch to Suricata.