Netgate Discussion Forum
    N00b snort "issues"

    pfSense Packages
    17 Posts 4 Posters 6.7k Views

      unforeseen

      Great….. As long as this issue is not just me  :-[ ... From the time I posted that I reinstalled, until now, I still have yet to see anything blocked.  I have also been testing with Shields Up and nothing.

      Have you been able to figure out why it worked before and not now?  Could it be the rules?  Anyone else out there have some experience with this???

        yoda715

        So far, no. All I know is that it stopped working when I changed from ac-banded to lowmem. Reinstalling pfsense then configuring to ac-banded did not work. Reinstalling to lowmem did not work. NO clue what happened.

          yoda715

          Well I got snort working again. Reinstalled pfsense. Configured snort to lowmem, rebooted and it started working. Although now I have a new problem. Now MSN messenger will not work at all from the LAN side. I can have all rulesets unchecked, click save, and I still will not be able to sign into messenger. The only way I can connect to msn messenger is to add the LAN IP of my server into the whitelist. Anyone else experiencing this issue?

            unforeseen

            hmm.. that's strange… You said that it stopped working when you changed from ac-banded to lowmem, but then you reinstalled and configured snort with ac-banded/lowmem right off the bat, and that still didn't do the trick?  What I'm getting at is that maybe I did what you did in my first couple of attempts (switching from one scheme to another), but then again the second part of your trials seems to show that it's hit or miss whether it will work or not. That is not really the news I was looking for, but it gives some insight into the issues I am seeing.

            Some other background info: I swapped all hardware from a PIII 550 with 192mb ram to a PIII 800 with 512mb ram. I thought bad hardware or lack of ram/CPU speed may be the cause of snort not functioning. Removed/reinstalled the package, reinstalled pfsense and used new configs (not my backed-up copy), stopped and started services numerous times.  Also, in the first couple of attempts I was using Ntop and Darkstat alongside snort; after the reinstall I decided to only test snort without other packages.

            Can anyone else confirm this (or just tell us that we are nuts)?  (I'd rather the first part but I'm sure we are going to get some of the second)  :'(

            Thanks for everyone's help so far!

              yoda715

              Yep, it appears to be hit or miss for me as well. I am only running snort atm, but I am still having the same issues as you.

                unforeseen

                It looks like I have hit a brick wall with all my trials.  Any experienced pf admin out there have any more suggestions? I'll try whatever.

                Thanks

                  unforeseen

                  Ok.. for anyone that's been following: I figured out the issue (at least for me).  I reinstalled again and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hovering at about 95% cpu and using almost 500mb of ram (outta 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and the logs were empty except for a few unreadable characters via cat.  Formatted and started again and enabled snort, but this time only enabled 2 or 3 rules.  This time, after the update and Shields Up scan, it worked.

                  Conclusion: On a PIII 800 with 512mb ram, choose your rules carefully!  I'm not sure if it was one rule that was going crazy but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again.  Either way, I'm glad I was able to work it down.

                  I hope this helps any others that may experience issues with snort.  ;)

                    davidemiccone

                    @unforeseen:

                    Ok.. for anyone that's been following: I figured out the issue (at least for me).  I reinstalled again and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hovering at about 95% cpu and using almost 500mb of ram (outta 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and the logs were empty except for a few unreadable characters via cat.  Formatted and started again and enabled snort, but this time only enabled 2 or 3 rules.  This time, after the update and Shields Up scan, it worked.

                    Conclusion: On a PIII 800 with 512mb ram, choose your rules carefully!  I'm not sure if it was one rule that was going crazy but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again.  Either way, I'm glad I was able to work it down.

                    I hope this helps any others that may experience issues with snort.  ;)

                    Me too, I had some problems: enabling all snort categories, snort occupies 95% CPU and dies after about one minute.
                    My system is a P4 3Ghz.

                    Now I tried to enable only the following rule categories:
                    attack-responses.rules
                    backdoor.rules
                    bad-traffic.rules
                    chat.rules
                    ddos.rules
                    deleted.rules
                    dns.rules
                    dos.rules

                    snort starts and doesn't die. Have you found the rules that hang?

                    Any advice about which rules to enable will be appreciated.

                    Davide

                      hoba

                      If nothing helps, enable the upper half of the rules and test. If nothing dies, try the lower half of the rules and test. If it dies, then continue the same way for the half that it died on: check half of these rules, test. Go on like this until you find the rule that causes issues, and let us know ;)

                        davidemiccone
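The halving procedure hoba describes, written out as an added example (not code from the thread or from the pfSense Snort package). The real check would start Snort with only the chosen categories and see whether the process is still alive after a short wait; here is_healthy is a stub that simulates a hang whenever a constructed "culprit" category is in the enabled set, so the script runs offline.

```shell
#!/bin/sh
# Bisect a list of Snort rule categories to find the one that makes Snort die.
# CULPRIT is a constructed sample value for the stub below, not a real finding.
CULPRIT="web-misc.rules"

# is_healthy CATEGORY...  -> 0 if Snort would stay up with these categories,
# 1 if it would hang. Replace this stub with a real start-and-wait check.
is_healthy() {
    for c in "$@"; do
        [ "$c" = "$CULPRIT" ] && return 1
    done
    return 0
}

# bisect_rules CATEGORY... -> prints the single category that causes the
# failure and returns 0; returns 1 (prints nothing) if the set passes, or if
# each half passes on its own (the failure then needs a combination, e.g. a
# cumulative memory limit, and halving cannot isolate one category).
bisect_rules() {
    while [ $# -gt 1 ]; do
        half=$(( $# / 2 ))
        first=""; second=""; i=0
        for c in "$@"; do                      # split the list in two halves
            i=$((i + 1))
            if [ $i -le $half ]; then first="$first $c"; else second="$second $c"; fi
        done
        if ! is_healthy $first; then           # upper half dies: keep it
            set -- $first
        elif ! is_healthy $second; then        # lower half dies: keep it
            set -- $second
        else
            return 1
        fi
    done
    is_healthy "$1" && return 1
    echo "$1"
}

bisect_rules attack-responses.rules backdoor.rules bad-traffic.rules web-misc.rules dns.rules
```

Each round halves the candidate set, so a full ruleset of N categories needs about log2(N) restart-and-wait cycles rather than N.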

                        @hoba:

                        If nothing helps, enable the upper half of the rules and test. If nothing dies, try the lower half of the rules and test. If it dies, then continue the same way for the half that it died on: check half of these rules, test. Go on like this until you find the rule that causes issues, and let us know ;)

                        I have done several checks.

                        The problem (CPU 95%, snort hang) seems to arise when enabling new categories.
                        Initially, with rel. 1.01, I ran into the CPU 95% problem when enabling snort categories beginning with "s" (up to rservices.rules, no problems).

                        There is also another strange behaviour: the WebGUI snort "Performance" setting has been set to "ac-sparsebands", but the system logs display "lowmem":
                        SnortStartup[751]: Ram free BEFORE starting Snort: 11M – Ram free AFTER starting Snort: 17M -- Mode lowmem -- Snort memory usage:

                        If I change to "lowmem" and restart snort, the system logs display "ac-sparsebands":
                        SnortStartup[6593]: Ram free BEFORE starting Snort: 111M – Ram free AFTER starting Snort: 111M -- Mode ac-sparsebands -- Snort memory usage:

                        Now I have updated to 1.0.1-SNAPSHOT-02-27-2007; the CPU doesn't get to 95% (all categories enabled), but snort doesn't start when touching (enabling/disabling) categories.
                        To let snort start I had to change the Performance setting (from ac-sparsebands to lowmem), and then snort starts.

                        I'm very confused about snort behaviour.  ???

                          yoda715

                          I am going to review the code shortly, since I have seen this issue as well. For some reason, in order for snort performance settings to take effect, you have to click save twice under Snort settings.
