Snort keeps turning itself off
-
I've configured Snort on my WAN interface. When I turn it on it stays on for maybe 10 seconds and then turns back off. Looking at the system logs it seems the task is being killed by "signal 10". Can anyone speak to what that is and what the cause might be?
kernel pid 95567 (snort), uid 0: exited on signal 10
kernel mvneta2: promiscuous mode disabled -
@mhartwick:
I've configured Snort on my WAN interface. When I turn it on it stays on for maybe 10 seconds and then turns back off. Looking at the system logs it seems the task is being killed by "signal 10". Can anyone speak to what that is and what the cause might be?
kernel pid 95567 (snort), uid 0: exited on signal 10
kernel mvneta2: promiscuous mode disabledWhat kind of hardware are you running on? Is it an Intel CPU or ARM? I believe there are some incompatibility issues with Snort and ARM CPUs (in particular with the shared-object pre-compiled rules). Also, have you updated to the latest version of the Snort package?
If you are running on ARM hardware (say the new SG-3100 box from Netgate), then checkout this post: https://forum.pfsense.org/index.php?topic=139273.msg761915#msg761915.
Bill
-
@mhartwick:
I've configured Snort on my WAN interface. When I turn it on it stays on for maybe 10 seconds and then turns back off. Looking at the system logs it seems the task is being killed by "signal 10". Can anyone speak to what that is and what the cause might be?
kernel pid 95567 (snort), uid 0: exited on signal 10
kernel mvneta2: promiscuous mode disabledWhat kind of hardware are you running on? Is it an Intel CPU or ARM? I believe there are some incompatibility issues with Snort and ARM CPUs (in particular with the shared-object pre-compiled rules). Also, have you updated to the latest version of the Snort package?
If you are running on ARM hardware (say the new SG-3100 box from Netgate), then checkout this post: https://forum.pfsense.org/index.php?topic=139273.msg761915#msg761915.
Bill
Thanks Bill. I am using the SG-3100 so ARM hardware it is, however I don't see the shared objects section you mention. I've checked some other sections and it I don't see anything that seems related. Is it at this point I should give up on Snort and try Suricata or do you have any other recommendations to try? I'm on Snort 3.2.9.5_3 which looks like the latest version.
-
On the CATEGORIES tab for a Snort interface you will see a column over on the far right labelled Snort SO Rules if you have Snort VRT rules enabled on the GLOBAL SETTINGS tab. All the categories under that vertical column are the shared-object rules. If you don't have the VRT rules enabled, then the column is hidden. So if you are only using Emerging Threats rule, the column is hidden.
Give Suricata a try. It should work better, but there may still be some issues with ARM hardware. I've seen some posts with issues in other packages related to ARM hardware. There are some compiler settings that will likely need tweaking by the pfSense team in order to get all the packages to compile properly for ARM hardware. There are apparently some byte-alignment issues to contend with in ARM land that Intel land is happy with.
ARM is not a clone of Intel like the AMD processors. With Intel or AMD, it's pretty much identical in terms of instruction set and memory access requirements. ARM is a completely different CPU platform and has its own instruction set and a different set of memory access requirements.
Bill
-
On the CATEGORIES tab for a Snort interface you will see a column over on the far right labelled Snort SO Rules if you have Snort VRT rules enabled on the GLOBAL SETTINGS tab. All the categories under that vertical column are the shared-object rules. If you don't have the VRT rules enabled, then the column is hidden. So if you are only using Emerging Threats rule, the column is hidden.
Give Suricata a try. It should work better, but there may still be some issues with ARM hardware. I've seen some posts with issues in other packages related to ARM hardware. There are some compiler settings that will likely need tweaking by the pfSense team in order to get all the packages to compile properly for ARM hardware. There are apparently some byte-alignment issues to contend with in ARM land that Intel land is happy with.
ARM is not a clone of Intel like the AMD processors. With Intel or AMD, it's pretty much identical in terms of instruction set and memory access requirements. ARM is a completely different CPU platform and has its own instruction set and a different set of memory access requirements.
Bill
Thanks Bill. Suricata does the trick.