Netgate Discussion Forum

    Can't Remove / Re-install Snort

      rcampbell

      Thanks Bill, that worked. Removing those retained settings allowed the installation to complete.

      I'm still having problems installing Snort rules though. I have an Oink code and am installing the free VRT rules only. The installation gets stuck on 'Installing Sourcefire VRT Rules'; a few moments later I can see the WAN interface loses connection momentarily (like an interface reset), and the web browser just twirls till it looks like the pfSense session times out.

      I log back into pfSense and check to see if the rules have been installed on the Snort - Updates tab and it says Not Downloaded.

      It's as if the install of the rules is dependent on the browser session being active, rather than a service that is started to initiate a download and install of the rules in the background.

      1 Reply Last reply Reply Quote 0
        bmeeks

        @rcampbell:

        > Thanks Bill, that worked. Removing those retained settings allowed the installation to complete.
        >
        > I'm still having problems installing Snort rules though. I have an Oink code and am installing the free VRT rules only. The installation gets stuck on 'Installing Sourcefire VRT Rules'; a few moments later I can see the WAN interface loses connection momentarily (like an interface reset), and the web browser just twirls till it looks like the pfSense session times out.
        >
        > I log back into pfSense and check to see if the rules have been installed on the Snort - Updates tab and it says Not Downloaded.
        >
        > It's as if the install of the rules is dependent on the browser session being active, rather than a service that is started to initiate a download and install of the rules in the background.

        I suggest checking with the Snort VRT folks and verifying that your Oinkcode is still valid.  There was another user a few weeks back whose Oinkcode got messed up during the VRT web site updates in early July.  He had to contact them to straighten things out.

        There is nothing during the rules download process that should reset your WAN interface or any other interface.  It simply uses curl to download the file over https://.  Now, if for some other unrelated reason, your WAN interface bounces, then "yes" that will confuse the rules download process.

        Bill

        1 Reply Last reply Reply Quote 0
          rcampbell

          I tried to re-install the rules today and it worked.  Not sure why it didn't work yesterday after the new install but works today.  The only setting I have enabled is to check for updates every 12 hours.  Maybe this cleared something??

          1 Reply Last reply Reply Quote 0
            rcampbell

            Just tried adding the Emerging Threats rules as well, but now receiving this error message:

            08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

            My Alix has 256MB RAM, so I'll remove Emerging Threats (ETOpen) and stick to VRT.

            1 Reply Last reply Reply Quote 0
              bmeeks

              @rcampbell:

              > Just tried adding the Emerging Threats rules as well, but now receiving this error message:
              >
              > 08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]
              >
              > My Alix has 256MB RAM, so I'll remove Emerging Threats (ETOpen) and stick to VRT.

              Whoa!  256 MB of RAM is nowhere near enough to run Snort with any decent set of rules.  You need at least 1 GB and preferably 2 GB of RAM.  You have exhausted the memory available to pfSense, and that is the cause of the error you see.

              I did not ask earlier, but this low amount of RAM is probably the root of all the problems you are having.  You just don't have enough memory to run extra packages, and especially memory-hungry ones such as Snort or Suricata.

              Bill

              1 Reply Last reply Reply Quote 0
                BBcan177 Moderator

                @rcampbell:

                > 08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

                This error is related to the Max Table Entry Size in pfSense.

                You can increase the size of the table in:

                System:Advanced:Firewall/NAT:  Firewall Maximum Table Entries

                Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined. Note: Leave this blank for the default.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                1 Reply Last reply Reply Quote 0
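Added example, not part of any post in this thread and not pfSense's own code: a POSIX sh check of the limit BBcan177 describes, comparing the `table-entries` hard limit reported by `pfctl -sm` with the entries a table file such as /etc/bogonsv6 would add. The function names and the sample `pfctl -sm` output and table file are constructed for illustration; the error line is the one quoted in the thread.

```sh
#!/bin/sh
# Added example: will a table file fit under pf's table-entries limit
# (the value behind "Firewall Maximum Table Entries")?

# Read `pfctl -sm` output on stdin, print the table-entries hard limit.
table_entry_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $4 }'
}

# Read a table file on stdin, count entries (blank lines and # comments skipped).
count_table_file_entries() {
    awk '{ sub(/#.*/, "") } NF { n++ } END { print n + 0 }'
}

# Read a filter-reload error on stdin, print the table pf could not define.
failed_table_name() {
    sed -n 's/.*cannot define table \([^:]*\): Cannot allocate memory.*/\1/p'
}

# fits_limit LIMIT IN_USE NEW -> "ok <headroom>" or "over <shortfall>"
fits_limit() {
    total=$(( $2 + $3 ))
    if [ "$total" -le "$1" ]; then
        echo "ok $(( $1 - total ))"
    else
        echo "over $(( total - $1 ))"
    fi
}

# Constructed samples (not captured from a real firewall).
SAMPLE_PFCTL_SM='states        hard limit    23000
frags         hard limit     5000
table-entries hard limit   200000'
SAMPLE_TABLE_FILE='# constructed: documentation prefixes only
2001:db8::/32

3fff::/20'
# The error line as quoted in the thread.
THREAD_ERROR='08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]'

# On the firewall (not run here):
#   limit=$(pfctl -sm | table_entry_limit)
#   new=$(count_table_file_entries < /etc/bogonsv6)
#   in_use=$(for t in $(pfctl -sT); do pfctl -t "$t" -T show; done | wc -l)
#   fits_limit "$limit" "$in_use" "$new"
```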
                  bmeeks

                  @BBcan177:

                  > @rcampbell:
                  >
                  > > 08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]
                  >
                  > This error is related to the Max Table Entry Size in pfSense.
                  >
                  > You can increase the size of the table in:
                  >
                  > System:Advanced:Firewall/NAT:  Firewall Maximum Table Entries
                  >
                  > Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined. Note: Leave this blank for the default.

                  That may fix that particular error, but with only 256 MB of RAM more troubles will likely follow if you use Snort or Suricata or other memory-intensive packages.

                  Bill

                  1 Reply Last reply Reply Quote 0
                    BBcan177 Moderator

                    @bmeeks:

                    > That may fix that particular error, but with only 256 MB of RAM more troubles will likely follow if you use Snort or Suricata or other memory-intensive packages.

                    Yes, that is a definite issue... Need at least 3-4GB at minimum...

                    1 Reply Last reply Reply Quote 0
                      rcampbell

                      I have sorted the hardware issue for now.  I exported the config from the Alix, created a new pfSense VM and imported the config.  The difference is night and day, it is so much faster working with the GUI and adding or removing packages.

                      I still seem to have one lingering problem though. Some websites still seem to be blocked, or certain elements of the page are blocked (such as banner ads, etc.), even though Snort is removed.

                      My question now is: what is the config file that holds the list of IPs being blocked, and where is it located? I want to flush this out so I can start Snort from scratch.

                      1 Reply Last reply Reply Quote 0
                        BBcan177 Moderator

                        There is a table called "Snort2c" which you can see in Diagnostics:Tables

                        If the file is there, you can open it and click the "all" icon at the bottom to clear it.

                        If Snort is installed, you can clear the table by going to the Snort:Blocked Tab and hitting the "Clear" Icon.

                        1 Reply Last reply Reply Quote 0
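Added example, not part of any post in this thread and not pfSense's own code: a shell equivalent of viewing and clearing the block table, using `pfctl -t <table> -T show` and `-T flush`, that saves the entries before flushing and reports which addresses of interest are still blocked. It assumes pf names the table `snort2c`; the function names, the `sample_pfctl` stand-in and its addresses are constructed so the script also runs away from the firewall.

```sh
#!/bin/sh
# Added example: list, check and clear Snort's block table from a shell.
PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-snort2c}   # assumption: pf's name for the table shown in the GUI

# Constructed stand-in for pfctl so the example also runs off the firewall.
# Called like pfctl here: -t TABLE -T show|flush; state lives in a temp file.
sample_pfctl() {
    case "$4" in
        show)  cat "$SAMPLE_STATE" ;;
        flush) : > "$SAMPLE_STATE" ;;
    esac
}
if ! command -v "$PFCTL" >/dev/null 2>&1; then
    SAMPLE_STATE=$(mktemp)
    printf '   192.0.2.10\n   198.51.100.7\n' > "$SAMPLE_STATE"   # constructed
    PFCTL=sample_pfctl
fi

# One address per line; `pfctl -t TABLE -T show` indents its output.
list_blocked() {
    $PFCTL -t "$TABLE" -T show | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# still_blocked IP... -> prints each given address that is in the table.
still_blocked() {
    dump=$(list_blocked)
    for ip in "$@"; do
        printf '%s\n' "$dump" | grep -Fxq -- "$ip" && printf '%s\n' "$ip"
    done
    return 0
}

# backup_and_flush FILE -> save current entries to FILE, empty the table,
# and print how many entries were saved.
backup_and_flush() {
    list_blocked > "$1" || return 1
    $PFCTL -t "$TABLE" -T flush >/dev/null 2>&1 || return 1
    wc -l < "$1" | tr -d ' '
}
```

On the firewall, `still_blocked <address>` shows whether a site's address is still in the table, and `backup_and_flush /root/snort2c.bak` keeps a copy of the entries before emptying it.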