Netgate Discussion Forum

    Snort on nano with cf - how often is it read only?

    pfSense Packages
    7 Posts 3 Posters 1.9k Views
    newbieuser1234

      I know I have asked this before, but I am still not clear on the answer.  It's probably just me.  How often does Snort write to the CF card if I just run the scan rules on WAN? I want to install the nano version at a client with just port scan blocking. I have been running Snort on nano with a CF for a while with no issues, but I don't want to have a ticking time bomb with Snort.  If I have to run a HDD, I will.  I haven't had the best luck with an Intel 520 SSD. It's fast, but I am receiving responsiveness errors in the web GUI and services are dying.  Weird stuff.

      Also, what about putting the nano install on an SSD?

      jimp (Rebel Alliance Developer, Netgate)

        Snort should only write when the service is reloaded or the rules are updated, AFAIK. So not too often.

        With a nice SLC CF it may not be much to worry about.

        Or with an Intel 320 or S3500 series SSD.

        newbieuser1234

          I see this in the system logs.

          Jan 10 18:15:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
          Jan 10 18:15:02 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules are up to date…
          Jan 10 18:14:41 php: /snort/snort_preprocessors.php: Could not open /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/snort.conf for writing.
          Jan 10 18:14:41 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
          Jan 10 18:14:41 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
          Jan 10 18:14:37 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
          Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules: Read-only file system'
          Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules: Read-only file system'
          Jan 10 18:14:37 check_reload_status: Syncing firewall

          Is it trying to mount the file system, failing, then actually mounting it read/write?  Snort appears to be functioning correctly from a blocking perspective.

          bmeeks

            @newbieuser1234:

            I see this in the system logs.

            Jan 10 18:15:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
            Jan 10 18:15:02 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules are up to date…
            Jan 10 18:14:41 php: /snort/snort_preprocessors.php: Could not open /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/snort.conf for writing.
            Jan 10 18:14:41 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
            Jan 10 18:14:41 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
            Jan 10 18:14:37 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
            Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules: Read-only file system'
            Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules: Read-only file system'
            Jan 10 18:14:37 check_reload_status: Syncing firewall

            Is it trying to mount the file system, failing, then actually mounting it read/write?  Snort appears to be functioning correctly from a blocking perspective.

            This is a bug.  I'm working now on correcting a couple of other ones, so I will add this one to the list.  The code is neglecting to mount the file system read-write before attempting to update one of the preprocessor decoder rules files.

            This bug is only significant if you have some customized sensitive data preproc rules.  Most users do not, and thus this bug is a nuisance only.

            Bill

            newbieuser1234
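            The two posts above make two checkable claims: Jim says the package only touches the disk on a reload or rules update, and Bill says the package left the root filesystem read-only while running sed over the preprocessor rules. The script below is an added example, not code from the thread or from the pfSense Snort package. It reads pfSense system-log lines and reports every file a package script tried to write while / was still read-only (both the "Read-only file system" sed failures and the "Could not open ... for writing" form shown in the log excerpt), and it reads `mount` output to confirm / is back to read-only once a rules update finishes. The log sample is constructed from the lines in the thread, the `mount` sample is constructed and assumes FreeBSD's "read-only" option wording, and the `/dev/ufs/...` device names in it are assumptions.

```shell
#!/bin/sh
# Constructed sample based on the log excerpt in the thread (not a real
# capture): two sed failures, one "Could not open" failure, and two
# lines that must be ignored (an unrelated daemon and a status message).
LOG_SAMPLE=$(cat <<'EOF'
Jan 10 18:14:37 check_reload_status: Syncing firewall
Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/preprocessor.rules: Read-only file system'
Jan 10 18:14:37 php: /snort/snort_preprocessors.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/preproc_rules/decoder.rules: Read-only file system'
Jan 10 18:14:37 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN ...
Jan 10 18:14:41 php: /snort/snort_preprocessors.php: Could not open /usr/pbi/snort-amd64/etc/snort/snort_9330_em1/snort.conf for writing.
Jan 10 18:15:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
EOF
)

# Constructed `mount` output for a nano install with / still read-only.
# Device names are assumptions; only the "on / (...)" line matters.
MOUNT_SAMPLE='/dev/ufs/pfsense0 on / (ufs, local, noatime, read-only, synchronous)
devfs on /dev (devfs, local, multilabel)
/dev/ufs/cf on /cf (ufs, local, noatime, read-only, synchronous)'

# ro_write_failures: read syslog lines on stdin and print
# "<package script><TAB><path>" for each write attempted while the
# filesystem was read-only. Line layout: "Mon DD HH:MM:SS php: /pkg/x.php: msg".
ro_write_failures() {
    awk '
        $4 == "php:" {
            script = $5; sub(/:$/, "", script)
            path = ""
            if (match($0, /[^ ]+: Read-only file system/)) {
                # sed reports "sed: <path>: Read-only file system"
                path = substr($0, RSTART, RLENGTH)
                sub(/: Read-only file system$/, "", path)
            } else if (match($0, /Could not open [^ ]+ for writing/)) {
                # PHP fopen() failure: strip the 15-char prefix and 12-char suffix
                path = substr($0, RSTART + 15, RLENGTH - 27)
            }
            if (path != "") printf "%s\t%s\n", script, path
        }'
}

# root_mount_mode: read `mount` output on stdin; print "ro" if / is
# mounted read-only, "rw" if it is writable, "unknown" if / is absent.
root_mount_mode() {
    awk '
        $2 == "on" && $3 == "/" { print (index($0, "read-only") ? "ro" : "rw"); found = 1 }
        END { if (!found) print "unknown" }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$LOG_SAMPLE" | ro_write_failures
printf '%s\n' "$MOUNT_SAMPLE" | root_mount_mode
```

            On a pfSense release of that era the system log is circular and is read with `clog`, so the live check is `clog /var/log/system.log | ro_write_failures`; an empty result after a rules update means the package remounted / before every write, and `mount | root_mount_mode` printing `ro` afterwards confirms it put / back. The thread does not show the package's actual fix; what Bill describes amounts to remounting read-write before the edit and read-only after, which on FreeBSD is `mount -u -w /` and `mount -u -r /`.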

              bmeeks, are you also in agreement that Snort can be run for a lengthy time on an SLC industrial CF without issues if you don't update the rules every hour, etc.? What is your opinion, as you are the maintainer of the code?

              bmeeks

                @newbieuser1234:

                bmeeks, are you also in agreement that Snort can be run for a lengthy time on an SLC industrial CF without issues if you don't update the rules every hour, etc.? What is your opinion, as you are the maintainer of the code?

                I don't think you will have problems using Snort with a flash card.  You will want to run a minimal rule set due to probable memory constraints, but I would not sweat how many disk writes Snort does.  The suggested rule update interval is 12 hours, but once per day is also sufficient.  Snort VRT rules update on Tuesdays and Thursdays in the afternoon U.S. time.  Rarely there may be a special update on a different day, but I do mean rarely.  The Emerging Threats rules are more frequently updated (generally once per day on average).

                Bill

                newbieuser1234

                  Thank you Jim and Bill.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.