    Snort Rules in pfsense always failed

    • rifanrcd

      [Screenshot: Services / Snort / Global Settings]
      That's my global setting.
      [Screenshot]
      That's my interface setting.
      My question is, when I want to update my Snort rules it always fails. When I try with the latest, it fails again.

      • bmeeks

        First of all, you really should not post your Oinkcode to a public site. That is your private subscription code.

        You need to look in the pfSense system log (STATUS > SYSTEM LOG) to see what error messages are printed while Snort is attempting to start. It will generally tell you what is wrong by logging a message in the pfSense system log.

        What happens when you click on the Start icon on the INTERFACES tab? Try clicking that icon. You should see the status icon change to a spinning gear and then either change to a green check or change back to the red X. If you get the red X, then immediately look in the pfSense system log and review any logged messages relating to Snort.

        Post back here with your results.

        • rifanrcd @bmeeks

          @bmeeks
          [Screenshot]
          That's my system log.

          • bmeeks

            Not that it really should matter in terms of starting up, but you apparently have no rules selected for your LAN interface. That means Snort would not be really doing anything for you even if it started. At 10:11:19 in the log is a warning about "no text rules or IPS Policy selected for: LAN".

            Your Snort Subscriber Rules are also failing to download. Notice the "Server returned error code 505" message in the log at 10:10:28. The most likely cause of that is a trailing space in your Oinkcode. Retype or paste in your Oinkcode again and be sure there is no trailing space at the end and that every character is correct.

            So from the log, Snort appears to have started successfully. Does it still not show as running?

            Open a CLI (command line interface) session on the firewall either directly on the console or via an SSH connection and see what the output of this command is --

            ps -ax | grep snort
            

            Do you see any running Snort processes in the output of that command?

            I also see a Gateway Alarm message in the log. If that happens often and if the gateway monitoring logs a "gateway down" message, that will trigger pfSense to issue a "restart all packages" command. If more than one instance of that happens in rapid succession it can result in the Snort process either getting clobbered, or sometimes, two duplicate Snort processes getting started.

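The checks suggested in the last post can be scripted. The following is an added example, not part of the thread and not pfSense or Snort package code: it tests a pasted Oinkcode for stray whitespace, flags the two log messages quoted above, and counts Snort processes per interface from `ps -ax` output. The function names, the sample log lines and the sample process list are constructed for illustration; real pfSense output will differ in format.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# True (0) if the pasted code contains any whitespace, e.g. a trailing space.
oinkcode_has_whitespace() {
    stripped=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$stripped" != "$1" ]
}

# Flag the two system-log messages quoted in the thread (log text on stdin).
scan_snort_log() {
    awk '/Server returned error code 505/ { print "RULE_DOWNLOAD_FAILED: " $0 }
         /no text rules or IPS Policy selected for:/ { print "NO_RULES_SELECTED: " $0 }'
}

# Count Snort processes in `ps -ax` output on stdin. Matching on the command
# column (field 5) keeps the "grep snort" line itself out of the count.
count_snort_procs() {
    awk '$5 ~ /(^|\/)snort$/ { n++ } END { print n + 0 }'
}

# Print each interface (Snort -i argument) served by more than one process.
duplicate_snort_interfaces() {
    awk '$5 ~ /(^|\/)snort$/ { for (i = 6; i < NF; i++) if ($i == "-i") seen[$(i + 1)]++ }
         END { for (ifc in seen) if (seen[ifc] > 1) print ifc }'
}

# Constructed sample input (not the poster's log or process list).
SAMPLE_LOG='Oct 22 10:10:28 php-fpm: [Snort] Server returned error code 505
Oct 22 10:11:19 php-fpm: [Snort] no text rules or IPS Policy selected for: LAN
Oct 22 10:11:20 snort: Snort initialization complete'
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
 4021  -  Ss   0:03.10 /usr/local/bin/snort -D -q -i em1
 4188  -  Ss   0:02.95 /usr/local/bin/snort -D -q -i em1
 5302  0  S+   0:00.00 grep snort'

printf '%s\n' "$SAMPLE_LOG" | scan_snort_log
echo "snort processes: $(printf '%s\n' "$SAMPLE_PS" | count_snort_procs)"
echo "duplicated on: $(printf '%s\n' "$SAMPLE_PS" | duplicate_snort_interfaces)"
```

On a live firewall, pipe the real system log and `ps -ax` output into the same functions instead of the sample variables.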