Dual port intel card snort problem
-
I have a problem with my Snort using my new dual-port 1 Gbps Intel card. Snort does not start even though I click the start Snort.
It gives me this error:
_/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 56344 -D -q --suppress-config-log -l /var/log/snort/snort_em156344 --pid-path /var/run --nolock-pidfile -G 56344 -c /usr/local/etc/snort/snort_56344_em1/snort.conf -i em1' returned exit code '11', the output was ''
pid 52255 (snort), uid 0: exited on signal 11_
I have no problem with my Realtek cards and built-in LAN port; promiscuous is functioning when I start Snort on both, except for my new Intel card.
-
When you say "new dual port intel card", does that imply you had Snort running on a different card type initially and you swapped out that NIC for this new one? If so, and the new NIC has a different physical name like say "em" as opposed to "re", then that can confuse Snort. If this is your case, you will have to delete the Snort interface and re-create it from scratch on the new NIC.
Bill
-
The Snort interface is already assigned to em1, which is my WAN1. I recreated my Snort interface; still the problem persists.
Edit:
Snort is now working on WAN1 only if I set IP to Block = destination; when I set it back to source, Snort stops. Same with my Realtek NIC.
-
You need to right away change the Pattern Matcher from AC to AC-BNFA-NQ. I wish the Snort guys would remove the AC matcher. It eats memory like crazy and results in crashes. I bet if you set the Pattern Matcher to AC-BNFA-NQ and restart Snort, your issues go away.
I have seriously considered removing that option entirely from the pfSense Snort package, but have not yet. Almost every user that has tried to use that setting reports severe problems eventually. They switch to AC-BNFA or AC-BNFA-NQ and things are fine.
Bill
-
I already changed to AC-BNFA; still having the IP to Block source problem. The only way is to use both or destination. Many thanks for the help.