    Transparent Bridge, no firewall?

    • Lite-On

      I have some problems with firewalling my Transparent Bridge. (using the firewall -> rules)
      I'm using pfSense 1.2RC2

      Snort doesn't work. It doesn't filter attacks and other things.
      But still there are attacks on the servers, and Snort doesn't block anything.
      The snort service is running, and has no problems.
      I'm using Snort with performance "ac", and it is up-to-date.

      Who knows an option to solve this problem? :)

      • morbus

        Have you enabled the "Block Offenders" option?

        Are you getting alerts in the snort alerts tab?

        Are there any IPs in the blocked tab?

        If so, go to Diagnostics->Command and run "ps aux | grep snort"; you should get 2 entries, one for snort and one for snort2c (the program that copies offenders' IPs to the PF firewall).

        • Lite-On

          @morbus:

          Have you enabled the "Block Offenders" option?

          Are you getting alerts in the snort alerts tab?

          Are there any IPs in the blocked tab?

          If so, go to Diagnostics->Command and run "ps aux | grep snort"; you should get 2 entries, one for snort and one for snort2c (the program that copies offenders' IPs to the PF firewall).

          I have enabled the "Block Offenders".
          The snort alerts list is empty, and there are no IPs blocked.

          $ ps aux | grep snort
          root    805  0.0  0.1  1292  908  ??  Is  28Sep07  0:00.00 snort2c -w /var/
          root  24122  0.0  0.1  1532  988  ??  R    10:28PM  0:00.00 grep snort

          • cmb

            Your ps output shows snort isn't running. What is logged to your system log when it tries to start?

            • Lite-On

              I was looking at the services page, and I saw that the snort service was running.

              System log, when I restart the snort service:
              Nov 3 09:37:14 snort[10451]: Daemon initialized, signaled parent pid: 10437
              Nov 3 09:37:14 snort[10451]: Daemon initialized, signaled parent pid: 10437
              Nov 3 09:37:14 snort2c[10454]: snort2c running in daemon mode pid: 10454
              Nov 3 09:37:14 snort2c[10454]: snort2c running in daemon mode pid: 10454
              Nov 3 09:37:31 SnortStartup[10513]: Ram free BEFORE starting Snort: 721M – Ram free AFTER starting Snort: 616M -- Mode ac-sparsebands -- Snort memory usage:

              And a new ps output:
              $ ps aux | grep snort
              root  10451 17.5 51.1 526836 527044  ??  Ds    9:37AM  2:21.81 snort -c /usr/lo
              root  10454  0.0  0.1  1292  908  ??  Is    9:37AM  0:00.00 snort2c -w /var/
              root  10812  0.0  0.1  1600  1048  ??  S    9:41AM  0:00.00 grep snort

              • Lite-On

                Here's a new ps aux output…..

                $ ps aux | grep snort
                root  10454  0.0  0.1  1292  908  ??  Is    9:37AM  0:00.00 snort2c -w /var/
                root  76987  0.0  0.1  1552  656  ??  R    10:04PM  0:00.00 grep snort

                I think it's stopped again?  ???

                • coolcat1975

                  hi!

                  Try running snort in lowmem mode. There seem to be troubles with the other modes.

                  regards

                  cc

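Added example, not posted by anyone in this thread: `ps aux | grep snort` also matches snort2c and the grep process itself, so the output has to be read by exact command name to tell whether the snort sensor is alive. The sketch below does that; the function name `snort_state` and its four state labels are made up for this example, and the sample lines are taken from the ps output posted in the thread.

```shell
#!/bin/sh
# Added example: classify `ps aux` output (read from stdin) by which of the
# two daemons is present. Matching is on the exact command name in column 11,
# so "snort2c" and the "grep snort" process itself are never counted as snort.
snort_state() {
    awk '
        {
            cmd = $11
            sub(/.*\//, "", cmd)          # drop a leading path, if any
            if (cmd == "snort")   ids = 1
            if (cmd == "snort2c") blocker = 1
        }
        END {
            if (ids && blocker)  print "ok"
            else if (blocker)    print "ids-down"      # nothing feeds snort2c
            else if (ids)        print "blocker-down"  # alerts, but no blocks
            else                 print "both-down"
        }'
}

# Sample inputs taken from the ps output posted in this thread.
SAMPLE_ONLY_BLOCKER='root    805  0.0  0.1  1292  908  ??  Is  28Sep07  0:00.00 snort2c -w /var/
root  24122  0.0  0.1  1532  988  ??  R    10:28PM  0:00.00 grep snort'

SAMPLE_BOTH='root  10451 17.5 51.1 526836 527044  ??  Ds    9:37AM  2:21.81 snort -c /usr/lo
root  10454  0.0  0.1  1292  908  ??  Is    9:37AM  0:00.00 snort2c -w /var/
root  10812  0.0  0.1  1600  1048  ??  S    9:41AM  0:00.00 grep snort'

# On a live box: ps aux | snort_state
```

An `ids-down` result corresponds to the state in the thread where the alerts and blocked tabs stay empty: snort2c is up but has no sensor feeding it.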