Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort nginx upstream timeout error

    Scheduled Pinned Locked Moved IDS/IPS
    8 Posts 4 Posters 3.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      chamele0n
      last edited by

      For the last couple versions of pfSense I have been having a hard time starting snort. I'm just getting around to deep diving into it and fix the problem.

      System: Watchguard 1250e x-core
      Storage Type: NanoBSD/CF card (I know i need to change that moving forward soon)
      pfSense Version: 2.3-Release

      When I start snort on WAN adapter it takes about 2-3 minutes, then I receive a 504 gateway timeout and here is what's in the System Log.

      Jul 5 21:15:45 pfsense.domain.local nginx: 2016/07/05 21:15:45 [error] 45943#0: *1792 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"
      Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Snort START for WAN(sk0)…
      Jul 5 21:12:48 php-fpm 74575 /snort/snort_interfaces.php: Starting Snort on WAN(sk0) per user request...
      Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
      Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] WARNING: Flowbit resolution not done - no rules in /usr/local/etc/snort/rules/ …
      Jul 5 21:12:47 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Jul 5 21:12:46 php-fpm 74575 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      Jul 5 21:12:13 snort 78685 FATAL ERROR: /usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_35781_sk0//usr/local/etc/snort/snort_35781_sk0/rules/snort.rules": No such file or directory.
      Jul 5 21:12:13 SnortStartup 78352 Snort START for WAN(35781_sk0)...

      I have done some vague research and it seems like it might be pointing to a php-pfm directive maybe? or fastcgi parameters, but I really don't know a lot about that. Anyone seen this error or have any ideas what to try? If you need any more information or screenshots of settings let me know.

      Thank you.

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        @chamele0n:

        Storage Type: NanoBSD/CF card (I know i need to change that moving forward soon)

        It says it all above :)

        Nano predominantly causes issues due to lack of storage space in /var/ and /tmp… Try to increase the size of those partitions form the Advanced Menu options...

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • C
          chamele0n
          last edited by

          Thank you for the reply BBcan177, I honestly feel honored. I've seen you contribute so much to bug fixes and packages. Nice work by the way. I will look at increasing those values.

          I run a 4GB card with 4GB snapshot, do you have any recommendations on values, or the best way to determine what I should set them to? Does it depend on packages or anything else I have installed?

          1 Reply Last reply Reply Quote 0
          • BBcan177B
            BBcan177 Moderator
            last edited by

            Thanks!

            Check out the following thread from the Snort/Suricata Dev..
            https://forum.pfsense.org/index.php?topic=113623.msg631758#msg631758

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • C
              chamele0n
              last edited by

              I have increased the /tmp to 120MB and /var to 180MB and rebooted, but still get the 504 gateway timeout error. Nginx error in the system log looks similar.

              nginx: 2016/07/05 22:35:52 [error] 43208#0: *1 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.23, server: , request: "POST /snort/snort_interfaces.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "http://192.168.2.1/snort/snort_interfaces.php"

              1 Reply Last reply Reply Quote 0
              • N
                ngnrpugmx.com
                last edited by

                Chamaeleon!

                I am facing same issue of "504 gateway time out" during snort reloading of plugin. Have you resolve the problem?

                Love me or hate , but do not judge me. :)

                1 Reply Last reply Reply Quote 0
                • C
                  chamele0n
                  last edited by

                  Sadly, I've not been able to resolve this yet.

                  1 Reply Last reply Reply Quote 0
                  • L
                    Lanes
                    last edited by

                    I am having this issue as well. It appeared more or less out of nowhere…

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.