Snort reload/restart
-
Hi
I'm totally new to pfSense and Snort but got it set up and running, so far so good. What I found is that whenever I e.g. add a specific rule to the suppress list from the Snort alerts UI, the process gets stopped and does not start on its own afterwards, so I have to start it manually. Is this normal/by design, or is there anything I'm missing?
-
@dialsc said in Snort reload/restart:
Hi
I'm totally new to pfSense and Snort but got it set up and running, so far so good. What I found is that whenever I e.g. add a specific rule to the suppress list from the Snort alerts UI, the process gets stopped and does not start on its own afterwards, so I have to start it manually. Is this normal/by design, or is there anything I'm missing?
It should not stop. Have you looked in the system log to see what, if any, error messages might be showing up?
-
Thank you very much for your answer.
I can see this kind of behaviour on two independent pfSense installations. As soon as I click the "add to suppress list" cross button, the logs start showing:
Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: --== Reloading Snort ==--
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: PortVar 'DNS_PORTS' defined :
Jul 18 13:05:41 pfSense snort[40340]: [ 53 ]
. . .
Followed by this snippet after a lot of other log entries:
Jul 18 13:05:41 pfSense snort[40340]: PortVar 'GTP_PORTS' defined :
Jul 18 13:05:41 pfSense snort[40340]: [ 2123 2152 3386 ]
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: Detection:
Jul 18 13:05:41 pfSense snort[40340]: Search-Method = AC-BNFA
Jul 18 13:05:41 pfSense snort[40340]: Maximum pattern length = 20
Jul 18 13:05:41 pfSense snort[40340]: Search-Method-Optimizations = enabled
Jul 18 13:05:42 pfSense snort[40340]: Found pid path directive (/var/run)
Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Jul 18 13:05:42 pfSense snort[40340]:
Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
Jul 18 13:05:42 pfSense snort[40340]:
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
Jul 18 13:05:43 pfSense snort[40340]: Snort ran for 0 days 6 hours 55 minutes 59 seconds
Jul 18 13:05:43 pfSense snort[40340]: Pkts/hr: 587331
Jul 18 13:05:43 pfSense snort[40340]: Pkts/min: 8491
Jul 18 13:05:43 pfSense snort[40340]: Pkts/sec: 141
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
. . .
Towards the end it reaches the following state:
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: Application Identification Preprocessor:
Jul 18 13:05:43 pfSense snort[40340]: Total packets received : 2831032
Jul 18 13:05:43 pfSense snort[40340]: Total packets processed : 2715732
Jul 18 13:05:43 pfSense snort[40340]: Total packets ignored : 115300
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: +-----------------------[filtered events]--------------------------------------
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=1 sig-id=2011716 type=Limit tracking=src count=5 seconds=120 filtered=72
. . .
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122 sig-id=21 type=Suppress tracking=src-ip=<list> filtered=1
Then it just stops dumping information into the system.log file, and Snort is stopped on the interface while Barnyard2 is still running.
As I mentioned above, this is exactly the same behaviour I see on another box running Snort on top of pfSense.
These are the details about the environment:
- pfsense version -> 2.4.4-RELEASE-p3
- snort version -> 3.2.9.8_6
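An added example, not from this thread and not part of the pfSense Snort package: a small Python checker that walks system.log lines of the kind quoted above and flags a Snort instance that announced a restart ("requires a restart" / "***** Restarting Snort *****") but never logged a startup afterwards, which is the failure mode described in the post. The startup marker "Commencing packet processing" and the assumption that the restarted instance keeps the same pid are assumptions made here, not facts from the post; the sample log lines are constructed from the excerpt above.

```python
"""Flag a Snort reload that announced a restart but never came back up."""
import re
from collections import OrderedDict

# Syslog shape seen in the post: "<ts> <host> <proc>[<pid>]: <msg>".
# The pid part is optional (e.g. "check_reload_status: Syncing firewall").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Markers taken verbatim from the log excerpt in the post.
RELOAD_REQUESTED = "Snort RELOAD CONFIG for"
RESTART_REQUIRED = "requires a restart"
RESTARTING = "***** Restarting Snort *****"
# Assumed startup marker: Snort 2.9.x prints this once it begins sniffing.
COMMENCING = "Commencing packet processing"

# Constructed sample: the sequence from the post, ending where the poster's
# log goes silent (no startup message after the restart announcement).
FAILED_RESTART = """\
Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: --== Reloading Snort ==--
Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122 sig-id=21 type=Suppress tracking=src-ip=<list> filtered=1
"""

# Constructed healthy counterpart: same sequence plus the (assumed) startup line.
HEALTHY_RESTART = FAILED_RESTART + (
    "Jul 18 13:05:45 pfSense snort[40340]: Commencing packet processing (pid=40340)\n"
)


def analyze(lines):
    """Return {pid: {"status", "last_seen", "interface"}} for each snort pid.

    status is "running" when no restart is outstanding, or
    "restart_not_completed" when a restart was announced and no startup
    message from that pid followed. The interface is taken from the most
    recent php-fpm "RELOAD CONFIG for <iface>" line.
    """
    procs = OrderedDict()
    interface = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc, pid, msg, ts = m["proc"], m["pid"], m["msg"], m["ts"]
        if RELOAD_REQUESTED in msg:
            interface = msg.split(RELOAD_REQUESTED, 1)[1].strip().rstrip(".")
            continue
        if proc != "snort" or pid is None:
            continue
        state = procs.setdefault(
            pid, {"status": "running", "last_seen": ts, "interface": interface}
        )
        state["last_seen"] = ts
        if state["interface"] is None:
            state["interface"] = interface
        if RESTART_REQUIRED in msg or RESTARTING in msg:
            # Restart announced; stays outstanding until a startup line arrives.
            state["status"] = "restart_not_completed"
        elif COMMENCING in msg:
            state["status"] = "running"
    return procs


def stalled(lines):
    """Pids whose announced restart never completed, in log order."""
    return [pid for pid, s in analyze(lines).items()
            if s["status"] == "restart_not_completed"]


if __name__ == "__main__":
    for name, log in (("failed", FAILED_RESTART), ("healthy", HEALTHY_RESTART)):
        for pid, s in analyze(log.splitlines()).items():
            print(f"{name}: snort[{pid}] on {s['interface']}: "
                  f"{s['status']} (last seen {s['last_seen']})")
```

Run against a live box with `analyze(open("/var/log/system.log").readlines())`; a pid reported as restart_not_completed whose last_seen is more than a few seconds old is the case in the post, where the interface shows Snort stopped while Barnyard2 keeps running.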
-
Is the other box also configured with a bridge interface? That configuration is not something I have ever tested with the Snort package on pfSense.
-
No, it is not. Just two "ordinary" interfaces -> WAN & LAN.