Snort package problems
-
Newly noticed problem: Blocked sites are not being removed as per setting "Remove blocked hosts every".
I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.
Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.
Go to your Global page. Change the time to an hour; save. Then change it back to 3 hours; save. This should create the cron job that is needed. If you have the cron package installed, you should see a job with '/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' in it. 3600 will probably be different, maybe something like 108000.
-
Thanks. Made and saved the change and the cron job is there as you describe.
-
Anyone else getting massive SWAP file usage after the recent Snort package update?
EDIT:
Just restarted Snort after a rule update and it seems to have toned down. I guess I'll keep an eye on that.
-
Now that some time has passed, I checked it again.
Before the recent update of Snort, it used most of my 2GB of RAM in the unit, but no SWAP. Now it's using most of the 2GB of RAM and 45% of the SWAP.
What changed?
-
I am having the same issue with overall memory and cpu usage. I am using 2.0.1-RELEASE (amd64) with Snort 2.9.2.3 pkg v. 2.2.1.
My memory usage usually hovers around 10%. I just had to reboot as it was using 54% of my memory after 5 days. I noticed a slowdown, even with 8 GB of RAM.
Is there a memory leak somewhere?
-th3r3isnospoon
-
That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.
-
That makes some sense, thank you!
Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
-SSH to your firewall
-Open up the shell
-Type 'top'
-Find the PID of the Snort processes you want to kill
-Press 'k' and type the PID
-Repeat the previous step for each PID.
For me it took quite some time for snort to fully unload. However, I was able to watch the memory usage steadily decline until it finally closed out.
-
This works for me: 'ps -aux | grep snort'. This will show all your processes with snort in them, including barnyard2. Then it's kill PID #.
A really quick way, 'killall snort' :-)
-
I'm using
pgrep snort
to check how many snort processes are open, and
pkill snort
to kill them in case there's more than one. All from the "Diagnostics: Execute command" page and it works too.
-
Oh, cool! I wasn't aware pkill would work with the process name instead, that's much easier! :)
-
Thanks for the explanation. I too have encountered this issue. The GREP and PKILL commands seem to work in the short term. Is there a more automated method to accomplish this task?
Makes me wish I had never updated snort in the first place. Snort has become a mess over the past 30 days. Is there any resolution to this multiple snort instance issue in sight?
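-
A scripted form of the pgrep check discussed above, as an added example that is not from any poster or from the Snort package: it groups snort processes by their `-i` interface argument and reports only interfaces with more than one, so a leftover instance shows up without matching barnyard2 or the grep itself. The function name, the sample listing and the assumption that exactly one snort process is expected per interface are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report interfaces that have more than one snort process.
# Input on stdin: "PID COMMAND ARGS..." lines, e.g. from
#   ps -axww -o pid= -o command=
# Assumption: one snort process per interface (-i) is the healthy state.

snort_dupes() {
    awk '
    {
        # Match only executables whose basename is exactly "snort",
        # which skips barnyard2 and "grep snort".
        n = split($2, path, "/")
        if (path[n] != "snort") next
        iface = "(none)"
        for (i = 3; i < NF; i++)
            if ($i == "-i") { iface = $(i + 1); break }
        count[iface]++
        pids[iface] = pids[iface] " " $1
    }
    END {
        # Output: interface, process count, then the PIDs involved.
        for (k in count)
            if (count[k] > 1)
                printf "%s %d%s\n", k, count[k], pids[k]
    }' | sort
}

# Constructed process listing (PIDs and paths are made up for the example).
sample_ps() {
cat <<'EOF'
 2101 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0
 2388 /usr/local/bin/barnyard2 -D -c /usr/local/etc/snort/barnyard2.conf
48110 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0
51877 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em1
60233 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0
60990 grep snort
EOF
}

if [ "${1:-}" = "--live" ]; then
    ps -axww -o pid= -o command= | snort_dupes   # inspect the running system
else
    sample_ps | snort_dupes                      # offline demonstration
fi
```

Run with `--live` from cron, the output can be piped to `logger` so that an accumulating instance is recorded before memory use climbs; which of the listed PIDs to stop is left to the administrator.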