Share Oinkmaster code?
-
Hi,
Can Snort and Suricata share the same Oinkmaster code? It seems that setting up Snort and Suricata on the same pfSense box is giving weird behavior; not sure if it's due to using the same code or not.
-
About 300% sure your "weird behaviour" has nothing to do with Oinkmaster codes and everything to do with overloading your poor computer with two huge and potentially conflicting resource hogs.
-
Well, when I set up Suricata, it's not even enabled yet, but the Snort WAN interface was auto-disabled for NO REASON. I don't think my Supermicro C2558 + 160 GB SSD + 16 GB ECC RAM is a poor computer either.
-
Since the Snort LAN interface is working fine, I'm starting to think that it could be one of the ET rules that disabled the WAN interface when Snort was restarted after an auto ruleset update.
Early this morning at 2:00am, an auto ruleset update didn't disable the Snort WAN interface because Snort wasn't restarted. This afternoon at 2:00pm, an auto ruleset update was triggered again; this time there was a new set of Snort GPLv2 Community Rules posted, so Snort got restarted, and the WAN interface got disabled afterward.
BUT, why does enabling it MANUALLY make the interface work?
-
You posted zero information about the configuration in place, no logs, nothing. "Weird behaviour" is not a useful description of a problem. Frankly, it's useless. This won't go anywhere as it is. Before any further troubleshooting, you should perhaps post why you need to run both these things in the first place. Hopefully you are also aware that you cannot have both of these running in blocking mode at the same time.
-
No logs because I turned off the log. I want to try Suricata, and I knew that both can't be running at the same time, so I was setting Suricata up without enabling all its interfaces. Meanwhile Snort can still be running until Suricata is set up and enabled. But for some reason, when I set up the rulesets for the Suricata WAN interface, the Snort WAN interface was disabled.
-
OK, so you are troubleshooting by turning off logging. Excellent. Good luck.
-
The log was off when I set up Suricata and got the problem. I'm not saying that I'm troubleshooting by turning off logging; I turned the log on, but Snort was disabled already.
-
@doktornotor is correct. You should not generally run both Snort and Suricata on the same machine. They share lots of things and there are places where they can conflict and step on each other. I recommend users choose one or the other, but not both. You can run both, but only one can be in blocking mode! Just realize that running both will be a huge RAM drain. Running both can also suck up a lot of CPU time.
Bill
-
Are you guys telling me that I need to uninstall Snort first, or stop the Snort service before installing Suricata? I don't think I said I ran them both. What I said was that I was setting up Suricata without activating it; the Suricata service was not running. The Snort WAN interface was auto-disabled when I was setting up the Suricata WAN interface; again, at that time the Suricata service was not running.
-
Yeah, we are telling you to pick one and use it… Other than that, you still provided ZERO information to debug any issues.