Netgate Discussion Forum

    Snort does not run in WAN interface in pfSense 2.1

    pfSense Packages
    26 Posts 5 Posters 11.1k Views
      bmeeks

      @zenny:

      Tried with step 4-8, didn't work!

      Then tried step 2-3, yet didn't work!

      Sending the config.xml to your email as per your PM!

      Thanks again!

      Received your file and will take a look.  This one has me puzzled for sure!  Cleaning out the file should have fixed it.

      Bill

        zenny

        @bmeeks:

        @zenny:

        Tried with step 4-8, didn't work!

        Then tried step 2-3, yet didn't work!

        Sending the config.xml to your email as per your PM!

        Thanks again!

        Received your file and will take a look.  This one has me puzzled for sure!  Cleaning out the file should have fixed it.

        Bill

        Nope even cleaning out the file didn't help! Anyway thanks! It could be something messy with either 2.1, don't know.

        UPDATE: The culprit seems to be the 'IPS Policy' option which should not be. After I disabled IPS Policy and manually selected the ET and Snort rules, snort on WAN worked fine.

          bmeeks

          @zenny:

          Nope even cleaning out the file didn't help! Anyway thanks! It could be something messy with either 2.1, don't know.

          UPDATE: The culprit seems to be the 'IPS Policy' option which should not be. After I disabled IPS Policy and manually selected the ET and Snort rules, snort on WAN worked fine.

          Thanks for the clue.  Which policy were you selecting (Connectivity, Balanced or Security), and how much physical RAM is in your firewall?  Snort can chew through RAM, especially with lots of enabled rules.  I believe Supermule had an issue with running out of swap space with a large rule set on a firewall with either 1 GB or 2 GB of RAM in a virtual machine on VMware.  He bumped up the RAM and the problem fixed itself.  When the OS starts swapping to disk and even runs out of virtual RAM there, things go weird pretty quickly after that.

          Bill

            Supermule

            I had to upgrade the VM's to 4GB for it not to swap and run out of memory. It can easily be an issue there.

              zenny

              @bmeeks:

              @zenny:

              Nope even cleaning out the file didn't help! Anyway thanks! It could be something messy with either 2.1, don't know.

              UPDATE: The culprit seems to be the 'IPS Policy' option which should not be. After I disabled IPS Policy and manually selected the ET and Snort rules, snort on WAN worked fine.

              Thanks for the clue.  Which policy were you selecting (Connectivity, Balanced or Security), and how much physical RAM is in your firewall?  Snort can chew through RAM, especially with lots of enabled rules.  I believe Supermule had an issue with running out of swap space with a large rule set on a firewall with either 1 GB or 2 GB of RAM in a virtual machine on VMware.  He bumped up the RAM and the problem fixed itself.  When the OS starts swapping to disk and even runs out of virtual RAM there, things go weird pretty quickly after that.

              Bill

              Whatever policy I select among Connectivity, Balanced or Security, it does not work. The machine has 1.5 GB of physical RAM. However, I cannot confirm whether it is a RAM issue or a pfSense issue.

                Supermule

                2GB was not enough for me. Try disabling a lot of rules and use the policy again.

                  zenny

                  @Supermule:

                  2GB was not enough for me. Try disabling a lot of rules and use the policy again.

                  Thanks for the tip. There is no way to upgrade the RAM at the moment because the machine (Compaq Deskpro SFF dc7100sff, a dual core P4 machine with 3.2 GHz processors) uses old PC3200 SDRAM, which is pretty expensive compared to new DDR3 RAM. Worth upgrading the machine instead. ;-)

                  Let me know if anyone knows of cheap vendors who have at least 4GB of PC3200 SDRAM so that I can upgrade. ;-)

                  Actually I need 8 of these: http://www.newegg.com/Product/Product.aspx?Item=N82E16820141317 but it is out of stock. :-(

                    Supermule

                    http://www.amazon.com/s/ref=nb_sb_noss_1/190-7687956-8103958?url=search-alias%3Daps&field-keywords=pc3200&sprefix=pc3200%2Caps&rh=i%3Aaps%2Ck%3Apc3200

                      zenny

                      @Supermule:

                      http://www.amazon.com/s/ref=nb_sb_noss_1/190-7687956-8103958?url=search-alias%3Daps&field-keywords=pc3200&sprefix=pc3200%2Caps&rh=i%3Aaps%2Ck%3Apc3200

                      Thanks supermule for the link. But HP uses DDR Synch Dram PC3200 UNBUFFERED memory like Kingston's KTH-D530/1G. The motherboard seems very choosy about memory, as I read at http://h30499.www3.hp.com/t5/Business-PCs-Compaq-Elite-Pro/DC7100-SDRAM-upgrade-2-x-1GB-appears-as-2-x-512MB/td-p/1152268, FYI.

                      I have two machines HP Compaq Deskpro dc7600 sff (http://h10010.www1.hp.com/wwpc/ca/en/sm/WF06b/12132708-12132884-12132884-12132884-12221730-12221860-77102439.html?dnr=1) besides this one. I guess the same KTH-D530/1G applies to this one, too.

                      Sorry, it sounds like a hardware thread, but it is the foundation to pfSense working ;-)

                        bmeeks

                        @zenny:

                        Sorry, it sounds a hardware thread, but is the foundation to pfSense working ;-)

                        Hi Zenny:

                        I replied to your e-mail as well with essentially the same info as this post.  1.5 GB of RAM is just not enough for Snort with a lot of rules on multiple interfaces.  I also noticed in the config.xml you sent me that a number of packages such as AV, SquidGuard, pfBlocker and others were also installed along with Snort.  If all those packages fire up, a 1.5 GB RAM box is going to be pretty stressed.  As you are getting "out of swap space" errors, that leaves no doubt that the box is running out of physical RAM and even exhausting the virtual RAM in swap.

                        I would recommend at least a 4GB RAM box.  Newegg in the USA did have a nice little 1U ASUS barebones server chassis for $279 US.  You would have to provide a CPU and RAM, so that would up the total cost.  There are also some Intel Atom-based servers made by Supermicro at Newegg.  Those start at $379 if I remember correctly.

                        Bill

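Bill's diagnosis in the post above rests on "out of swap space" errors in the system log. The script below is an added example, not code from the thread or from the pfSense Snort package: it reads swap usage out of `swapinfo -k` output, counts kernel out-of-swap kills in log text, names the processes that were killed, and turns that into a verdict. The parsers take command output on stdin and are exercised on constructed samples, so the script runs anywhere; `live_check` calls the real FreeBSD tools and assumes a pfSense 2.x box whose system.log is a clog circular file (an assumption about that release; check it on yours).

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Checks whether a FreeBSD/pfSense box has run out of physical RAM and swap,
# the condition the thread blames for Snort failing on the WAN interface.

# Constructed sample of `swapinfo -k` output (not from a real box).
SAMPLE_SWAPINFO='Device          1K-blocks     Used    Avail Capacity
/dev/ada0s1b      1048576   996352    52224    95%'

# Constructed sample log lines in the FreeBSD kernel's wording
# (hostname, pid, interface and timestamps are made up).
SAMPLE_SYSLOG='Oct 12 03:14:07 pfsense kernel: swap_pager_getswapspace(16): failed
Oct 12 03:14:07 pfsense kernel: pid 41234 (snort), uid 0, was killed: out of swap space
Oct 12 03:15:01 pfsense kernel: em0: link state changed to UP'

# swap_used_pct: highest Capacity percentage in `swapinfo -k` output on stdin.
swap_used_pct() {
    awk 'NR > 1 { sub(/%/, "", $5); if ($5 + 0 > max) max = $5 + 0 } END { print max + 0 }'
}

# swap_kills: number of processes the kernel killed for lack of swap, from log text on stdin.
swap_kills() {
    grep -c 'was killed: out of swap space' || true
}

# swap_killed_procs: unique names of the processes killed that way.
swap_killed_procs() {
    sed -n 's/.*pid [0-9]* (\([^)]*\)), uid [0-9]*, was killed: out of swap space.*/\1/p' | sort -u
}

# memory_verdict: $1 = swap used percent, $2 = number of out-of-swap kills.
memory_verdict() {
    if [ "$2" -gt 0 ]; then
        echo EXHAUSTED      # kernel is already killing processes: add RAM or cut packages/rules
    elif [ "$1" -ge 80 ]; then
        echo SWAPPING       # not dead yet, but Snort will misbehave under load
    else
        echo OK
    fi
}

# live_check: the same checks against the running system (FreeBSD/pfSense only).
# Assumes pfSense 2.x, where system.log is a clog circular file read with `clog`.
live_check() {
    ram_mb=$(( $(sysctl -n hw.physmem) / 1024 / 1024 ))
    pct=$(swapinfo -k | swap_used_pct)
    kills=$(clog /var/log/system.log | swap_kills)
    echo "RAM: ${ram_mb} MB  swap used: ${pct}%  out-of-swap kills: ${kills}  verdict: $(memory_verdict "$pct" "$kills")"
    clog /var/log/system.log | swap_killed_procs
}

# Run the parsers over the constructed samples so the script demonstrates itself anywhere.
pct=$(printf '%s\n' "$SAMPLE_SWAPINFO" | swap_used_pct)
kills=$(printf '%s\n' "$SAMPLE_SYSLOG" | swap_kills)
echo "sample: swap used ${pct}%, ${kills} out-of-swap kill(s), verdict $(memory_verdict "$pct" "$kills")"
if [ "$(uname -s)" = FreeBSD ]; then live_check; fi
```

The verdict thresholds are a judgement call, not anything the package enforces: a box that has already logged a kill needs more RAM or fewer packages and rules, whatever the policy setting, while one sitting above 80% swap use will show the same "refuses to start" symptom the moment rule loading pushes it over.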
                          gogol

                          There must be something wrong with my system then  ;), because I have sensors on WAN, LAN and WLAN. LAN and WLAN are set on IPS-balanced and WAN has some ET rulesets. I have 2 GB Ram and system is using almost 50% of the installed memory. But I don't have other demanding packages installed.

                            bmeeks

                            @gogol:

                            There must be something wrong with my system then  ;), because I have sensors on WAN, LAN and WLAN. LAN and WLAN are set on IPS-balanced and WAN has some ET rulesets. I have 2 GB Ram and system is using almost 50% of the installed memory. But I don't have other demanding packages installed.

                            Zenny had a large number of other packages installed such as pfBlocker, Unbound, Squidguard, Sarg, spamd, HAVP, Squid, Varnish3, tinc, and a few others.  That much stuff along with Snort and a lot of enabled rules won't mix well with 1.5 GB of RAM. I heard back that he is upgrading the firewall to 4 GB of RAM.  Hopefully that will do the trick.

                            Bill

                              zonian18

                              FYI

                              The following being enabled kept the WAN interface from turning on.

                              It will show enabled, but it will have that red X next to it and it refuses to start.

                              After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)

                              2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt

                              If I disable that, then the WAN interface is able to show the green play button (running) without issue.

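Two posts in this thread trace a WAN instance that will not start to the rule set: zenny's to the IPS Policy selection, zonian18's to the single ET rule 2011695. The script below is an added example, not code from the thread or from the pfSense Snort package. It does what both posters did by hand, only faster: disable a rule by SID in a rules file (the effect of the package's disabled-rules list), run Snort's own parse check (`snort -T`), and bisect a rules file to isolate the one rule a check rejects. The sample rules, their SIDs other than 2011695, the stand-in tester and the pfSense paths in `pfsense_tester` are constructed or assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Helpers for finding which rule keeps a Snort interface from starting.

# Constructed four-rule sample in Snort 2.x syntax. Only sid 2011695 comes from
# the thread; the rule bodies are shortened stand-ins, not the real ET rules.
SAMPLE_RULES='alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT sample A"; flow:established,to_client; content:"aaa"; classtype:attempted-recon; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT sample B"; flow:established,to_client; content:"bbb"; classtype:attempted-recon; sid:2000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT sample C"; flow:established,to_client; content:"urlmon"; nocase; classtype:attempted-recon; sid:2011695; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT sample D"; flow:established,to_client; content:"ddd"; classtype:attempted-recon; sid:2000004; rev:1;)'

# disable_sid: copy rules from stdin to stdout with the rule carrying SID $1 commented out.
disable_sid() {
    sed "/sid:[[:space:]]*$1[[:space:]]*;/s/^alert /# alert /"
}

# count_enabled: number of active (uncommented) alert rules on stdin.
count_enabled() {
    grep -c '^alert ' || true
}

# snort_conf_ok: the real parse check. $1 = a snort.conf; exit 0 when snort accepts it.
snort_conf_ok() {
    snort -T -c "$1" >/dev/null 2>&1
}

# pfsense_tester: tester for real bisection. Copies the candidate rules over the
# rules file the interface's snort.conf includes, then runs the parse check.
# SNORT_CONF and RULES_FILE are assumptions about the package layout: set them
# to the per-interface files on your box and work on a backup copy.
pfsense_tester() {
    cp "$1" "$RULES_FILE" && snort_conf_ok "$SNORT_CONF"
}

# bisect_bad_rule: print the single rule a parse check rejects.
# $1 = rules file, $2 = command run as "$2 <candidate file>", exit 0 means it parses.
# Each round keeps whichever half still fails; N rules need about log2(N) checks.
bisect_bad_rule() {
    work=$(mktemp) || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' > "$work" || true
    tester=$2
    n=$(wc -l < "$work" | tr -d ' ')
    while [ "$n" -gt 1 ]; do
        half=$((n / 2))
        part=$(mktemp) || return 1
        head -n "$half" "$work" > "$part"
        if "$tester" "$part"; then
            # the top half parses, so the culprit is in the bottom half
            tail -n +"$((half + 1))" "$work" > "$part"
        fi
        mv "$part" "$work"
        n=$(wc -l < "$work" | tr -d ' ')
    done
    cat "$work"
    rm -f "$work"
}

# rejects_2011695: stand-in tester that fails whenever sid 2011695 is present,
# mimicking what zonian18 saw, so the demo runs without snort installed.
rejects_2011695() { ! grep -q 'sid:2011695;' "$1"; }

# Demonstrate on the constructed sample.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$SAMPLE_FILE"
echo "culprit: $(bisect_bad_rule "$SAMPLE_FILE" rejects_2011695)"
echo "enabled after disabling it: $(printf '%s\n' "$SAMPLE_RULES" | disable_sid 2011695 | count_enabled)"
rm -f "$SAMPLE_FILE"
```

With the real tester the call is `SNORT_CONF=... RULES_FILE=... bisect_bad_rule all.rules pfsense_tester`; it only finds a rule the parser rejects, so an instance that dies later from memory exhaustion (the other cause discussed above) will pass every round and needs the swap check instead.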
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.