Snort doesn't generate alerts on 2 interfaces

NelsonLopes

I'll try, it says Restrictions: 15 per post, maximum total size 300KB, maximum individual size 250KB tho…

As you can see there's more traffic on WAN1 & WAN2, which there is no alert than WAN3 & WAN4

![WAN1 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN1 Traffic 1 Month 1 Hour Average.png)
![WAN1 Traffic 1 Month 1 Hour Average.png_thumb](/public/imported_attachments/1/WAN1 Traffic 1 Month 1 Hour Average.png_thumb)
![WAN2 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN2 Traffic 1 Month 1 Hour Average.png)
![WAN2 Traffic 1 Month 1 Hour Average.png_thumb](/public/imported_attachments/1/WAN2 Traffic 1 Month 1 Hour Average.png_thumb)
![WAN3 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN3 Traffic 1 Month 1 Hour Average.png)
![WAN3 Traffic 1 Month 1 Hour Average.png_thumb](/public/imported_attachments/1/WAN3 Traffic 1 Month 1 Hour Average.png_thumb)
![WAN4 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN4 Traffic 1 Month 1 Hour Average.png)
![WAN4 Traffic 1 Month 1 Hour Average.png_thumb](/public/imported_attachments/1/WAN4 Traffic 1 Month 1 Hour Average.png_thumb)

Supermule

Post a picture of the snort interfaces….

NelsonLopes

Here you go:

![Snort Interfaces.png](/public/imported_attachments/1/Snort Interfaces.png)
![Snort Interfaces.png_thumb](/public/imported_attachments/1/Snort Interfaces.png_thumb)

Supermule

post a picture of the alerts section for all interfaces…

NelsonLopes

WAN1 & WAN2 are totally empty

WAN3 & WAN4 have a lot of

(ssp_ssl) Invalid Client HELLO after Server HELLO Detected

and some

 (spp_frag3) Fragmentation overlap

Supermule

Hmmmmm

Supermule

Delete Wan2 and Wan4 snort interfaces and see if it oicks up on Wan1.

If not delete all and remove package and reinstall. THen begin with only one interface that snort listens to. Then add one more at a time while you get alerts on all interfaces.

How is your memory coming along and are you swapping on the harddrive?

NelsonLopes

@Supermule:

Delete Wan2 and Wan4 snort interfaces and see if it oicks up on Wan1.

If not delete all and remove package and reinstall. THen begin with only one interface that snort listens to. Then add one more at a time while you get alerts on all interfaces.

I'll be doing that shortly, thank you for your help.

@Supermule:

How is your memory coming along and are you swapping on the harddrive?

On heavy load my memory goes up to 85%, and yes, I'm using swap (it's 39% mem. and 14% swap atm)

Supermule

Is Pfsense running physical or virtual?

NelsonLopes

@Supermule:

Is Pfsense running physical or virtual?

Physically.

bmeeks

Are these extra WAN interfaces part of a CARP or multi-WAN setup? Is there perhaps some asymmetrical routing going on?

If so, this could trip up Snort as some alerts depend on flowbits set by previous traffic. If that previous traffic was seen on a "different interface" (as in one of the other WAN pathways), then the alert with that set flowbit dependency would not fire. Not saying this is your issue, but it is something to be considered.

Another possibility, if any asymmetrical routing is happening, is the stream5 preprocessor can fail to correctly reassemble streams if it does not see all of the traffic. Remember that Snort really runs as totally separate and autonomous processes – one per interface. So it's basically like having physically separate computers running Snort. Any weirdness with routing between those multiple WANs could trip up those independent Snort processes.

Bill