Snort immediately dies
-
Hi,
I've just installed snort 2.8.4.1_5 pkg v.1.7 on my pfSense 1.2.3 box, followed everything on the documentation and started the service however snort only runs for less than 5 minutes then dies, I've even restarted the machine and still have the same result.
The only significant error displayed on the pfSense console is this:
swap_pager: out of swap space
swap_pager_getswapspace(16): failedI found the error odd because when I looked at the system page, the disk is not full and swap space is only consuming 14%.
BTW this is a 512MB RAM with AMD CPU box.
TIA.
-
Move to snort-dev because the package will be released latter today or tomorrow.
James
I've done what you've suggested although it worked for a while, I'm back to where I'm started. According to the system logs snort was killed because allegedly the box has no more swap space available but in fact there's plenty to spare (1024MB of it!), I find this really odd!
Mar 26 17:55:26 kernel: pid 1408 (ntop), uid 0, was killed: out of swap space
Mar 26 17:55:26 kernel: pid 1408 (ntop), uid 0, was killed: out of swap space
Mar 26 17:55:26 kernel: pid 1466 (snort), uid 1004, was killed: out of swap space
Mar 26 17:55:26 kernel: swap_pager_getswapspace(16): failed
Mar 26 17:55:25 kernel: swap_pager: out of swap space -
I'm noticing problems with 1.2.2 and 1.2.3 with snort loading dns.rules; it says there is an error and shuts down the service. Without it on I'm slowly adding rule sets and it seems to be working fine. We'll see though.
-
Turn on the pre-processors. That is what was killing my netbios rules from starting.
-
Turn on the pre-processors. That is what was killing my netbios rules from starting.
tester_02 we are not using the rc or beta versions. This is the older one
2.8.4.1_5 pkg v.1.7
I'm also finding it's not just dns.rules, having issues with smtp.rules and sql.rules too; does anyone else run darkstat with snort? Also, I don't have any of the .so rules selected or the following -chat, icmp, experimental, local, and netbios
I'm going to try reloading without Dark stat installed and see how it does. -
@madapaka are you on nano bsd ?
Can you give me the size of theses dir.
/usr/local/etc/snort
/var/log/snort
James
Hi James,
I'm not on nanobsd, this is a regular PC with 40GB HDD
madapaka
-
James, I did a clean load on my 1ghz with 512mb ram running 1.2.2, and as soon as I have dns.rules enabled in the list snort shuts down. If I move to the next rule it's fine, but still those same rules are giving problems.
Install snort on a clean system without any packages and start snort.
Then install another package you are using and start snort.
Do that until you see the error again.
oh make sure you do
rm /var/log/snort/*
James
-
The reason I switched from 1.7 to the snort dev was because I was having issues like youself. It seems like snort released new rules that the old snort release does not handle. My setup was running great until I did an update and then it failed to start. I narrowed down the list of rules via the pfsense logs, and started removing rules until it started back up. The only way to get those rules running seems to be to to switch to the new package, and all the rules work.
I hate to suggest dev/beta builds also, but to me its dev vs less rules.
Besides, the new release that Jamesdean has released is working perfectly for me. -
Is it caused by two versions pf perl? ntop uses 5.8 while snort uses 5.10
-
I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort. Just don't restart after installed snort. ;)
-
@madapaka:
Hi,
I've just installed snort 2.8.4.1_5 pkg v.1.7 on my pfSense 1.2.3 box, followed everything on the documentation and started the service however snort only runs for less than 5 minutes then dies, I've even restarted the machine and still have the same result.
The only significant error displayed on the pfSense console is this:
swap_pager: out of swap space
swap_pager_getswapspace(16): failedI found the error odd because when I looked at the system page, the disk is not full and swap space is only consuming 14%.
BTW this is a 512MB RAM with AMD CPU box.
TIA.
Remove your old logs.
rm /var/log/snort/*
-
I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort. Just don't restart after installed snort. ;)
Tracked the problem to the old-snort.
Seems old-snort is not uninstalling completely and is conflicting with the new install.
Do a fresh install, sorry I didn't see this coming.
James
-
Thanks JamesDean! You rock! We can only get better, because nothings perfect.