Snort nginx upstream timeout error



  • For the last couple of versions of pfSense I have been having a hard time starting snort. I'm just getting around to deep diving into it and fixing the problem.

    System: Watchguard 1250e x-core
    Storage Type: NanoBSD/CF card (I know I need to change that moving forward soon)
    pfSense Version: 2.3-Release

    When I start snort on WAN adapter it takes about 2-3 minutes, then I receive a 504 gateway timeout and here is what's in the System Log.

    Jul 5 21:15:45 pfsense.domain.local nginx: 2016/07/05 21:15:45 [error] 45943#0: *1792 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"
    Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Snort START for WAN(sk0)…
    Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: Starting Snort on WAN(sk0) per user request...
    Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
    Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] WARNING: Flowbit resolution not done - no rules in /usr/local/etc/snort/rules/ …
    Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Jul 5 21:12:46 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Jul 5 21:12:13 snort 78685 FATAL ERROR: /usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules": No such file or directory.
    Jul 5 21:12:13 SnortStartup 78352 Snort START for WAN(35781_sk0)...

    I have done some vague research and it seems like it might be pointing to a php-fpm directive maybe, or fastcgi parameters, but I really don't know a lot about that. Has anyone seen this error or have any ideas what to try? If you need any more information or screenshots of settings, let me know.

    Thank you.


  • Moderator

    @chamele0n:

    Storage Type: NanoBSD/CF card (I know I need to change that moving forward soon)

    It says it all above :)

    Nano predominantly causes issues due to lack of storage space in /var/ and /tmp… Try to increase the size of those partitions from the Advanced Menu options...



  • Thank you for the reply BBcan177, I honestly feel honored. I've seen you contribute so much to bug fixes and packages. Nice work by the way. I will look at increasing those values.

    I run a 4GB card with 4GB snapshot, do you have any recommendations on values, or the best way to determine what I should set them to? Does it depend on packages or anything else I have installed?


  • Moderator

    Thanks!

    Check out the following thread from the Snort/Suricata Dev..
    https://forum.pfsense.org/index.php?topic=113623.msg631758#msg631758



  • I have increased the /tmp to 120MB and /var to 180MB and rebooted, but still get the 504 gateway timeout error. Nginx error in the system log looks similar.

    nginx: 2016/07/05 22:35:52 [error] 43208#0: *1 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"



  • Chamaeleon!

    I am facing the same issue of "504 gateway time out" during snort reloading of the plugin. Have you resolved the problem?

    Love me or hate, but do not judge me. :)



  • Sadly, I've not been able to resolve this yet.



  • I am having this issue as well. It appeared more or less out of nowhere…

