Snort ruleset update causing firewall to crash/reboot



  • Hi, I tried to enable ET rules and a regular update in the web GUI....
    After freezing for a while, the firewall rebooted itself!
    Now, Snort is broken and anytime I do a rule update, it crashes the firewall.

    I've tried uninstalling the Snort package completely, and then reinstalling. Same result.

    Any other ideas?



  • I should add, this is the contents of the snort_rules_update.log file just before the firewall crashes:
    Starting rules update... Time: 2018-07-15 18:29:00
    Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
    Checking Snort Subscriber rules md5 file...
    There is a new set of Snort Subscriber rules posted.
    Downloading file 'snortrules-snapshot-29111.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort Subscriber Ruleset...



  • Out of disk space?
    Out of memory?

    When uninstalling there is an option in most packages to either save or not save the settings and data. That's to facilitate removing a package prior to a pfSense upgrade. You might try setting that so the data is deleted when the package is removed? (can restore from backup later...)



  • Memory usage is 7% right now, and that's with /tmp and /var in "ufs in RAM" as 512MB each. This is a brand-new SG-3100 bought a couple weeks ago.

    In the Services --> Snort --> Global Settings page, I did uncheck "Click to retain Snort settings after package removal." However, re-install does preserve my settings, so this feature is broken on my box.
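The update log quoted above (download the .md5 file, check it, download the tarball, extract and install) and the 512 MB RAM-backed /tmp and /var mentioned in this post are the two places where an updater can fail before a single rule is loaded. The script below is an added example, not code from the pfSense Snort or Suricata packages, of the pre-flight checks I would want between "Done downloading rules file" and "Extracting and installing": verify the published hash against the bytes on disk, refuse archives whose members are absolute or contain "..", and compare the uncompressed size plus a margin against free space on the target filesystem before untarring. Everything is constructed so it runs offline: the tarball is built locally from a dummy rule, the .md5 sidecar is written from it, and the file name snortrules-snapshot-29111.tar.gz is reused from the log only as a name. The "MD5 (name) = hash" sidecar format, the 4096 KB margin and the $WORK paths are assumptions for the demo; the hash parser accepts any 32-hex token, so the md5sum format works too.

```shell
#!/bin/sh
# Added example, not pfSense/Snort package code. Pre-flight checks a ruleset
# updater could run before extracting a snapshot into a small RAM disk.
# All inputs are constructed locally so the script runs offline.
set -u

WORK="${TMPDIR:-/tmp}/ruleset-preflight.$$"   # assumption: scratch location for the demo
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/build/rules" "$WORK/stage"
TARBALL="$WORK/snortrules-snapshot-29111.tar.gz"

# Constructed stand-in for the downloaded snapshot: a single dummy rule file.
printf 'alert tcp any any -> any any (msg:"constructed rule"; sid:1000001; rev:1;)\n' \
    > "$WORK/build/rules/snort.rules"
( cd "$WORK/build" && tar -czf "$TARBALL" rules )

# Portable MD5 of a file: md5sum on Linux, md5 -q on FreeBSD (what pfSense runs).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Constructed .md5 sidecars (assumed "MD5 (name) = hash" form): one correct, one tampered.
printf 'MD5 (snortrules-snapshot-29111.tar.gz) = %s\n' "$(md5_of "$TARBALL")" > "$TARBALL.md5"
printf 'MD5 (snortrules-snapshot-29111.tar.gz) = %s\n' 00000000000000000000000000000000 > "$WORK/tampered.md5"

# 1. Published hash must match the bytes on disk before anything is untarred.
verify_md5() {  # $1 = tarball, $2 = .md5 sidecar
    local want have
    want=$(grep -oE '[0-9a-fA-F]{32}' "$2" | head -n 1)
    have=$(md5_of "$1")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# 2. No member may be absolute or climb out of the staging directory.
archive_paths_safe() {  # $1 = tarball
    ! tar -tzf "$1" | grep -qE '^/|(^|/)\.\.(/|$)'
}

# 3. Uncompressed size (tar stream length is an upper bound) versus free space.
uncompressed_kb() {  # $1 = tarball
    echo $(( $(gzip -dc "$1" | wc -c | tr -d ' ') / 1024 + 1 ))
}
free_kb() {  # $1 = directory on the target filesystem
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Runs the three checks, extracts only if all pass, prints a one-word verdict.
preflight() {  # $1 = tarball, $2 = .md5 sidecar, $3 = staging dir, $4 = safety margin in KB
    local need
    if ! verify_md5 "$1" "$2"; then echo bad-md5; return 1; fi
    if ! archive_paths_safe "$1"; then echo unsafe-path; return 1; fi
    need=$(( $(uncompressed_kb "$1") + $4 ))
    if [ "$(free_kb "$3")" -lt "$need" ]; then echo no-space; return 1; fi
    tar -xzf "$1" -C "$3" || { echo extract-failed; return 1; }
    echo ok
}

# A hostile archive with an absolute member name; tar only stores one with -P.
tar -P -czf "$WORK/absolute.tar.gz" "$WORK/build/rules/snort.rules"
printf 'MD5 (absolute.tar.gz) = %s\n' "$(md5_of "$WORK/absolute.tar.gz")" > "$WORK/absolute.tar.gz.md5"

echo "pristine tarball:  $(preflight "$TARBALL" "$TARBALL.md5" "$WORK/stage" 4096)"
echo "tampered md5 file: $(preflight "$TARBALL" "$WORK/tampered.md5" "$WORK/stage" 4096)"
echo "absolute member:   $(preflight "$WORK/absolute.tar.gz" "$WORK/absolute.tar.gz.md5" "$WORK/stage" 4096)"
echo "impossible margin: $(preflight "$TARBALL" "$TARBALL.md5" "$WORK/stage" 999999999999)"
```

The free-space check is deliberately against the staging directory rather than the root filesystem, because with /tmp and /var on separate RAM disks the number that matters is the one for the mount the tarball is actually unpacked into; the margin is there because the log shows the rules being copied again under a per-interface directory after extraction.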



  • Brainstorming for you, perhaps reset to factory defaults (Diagnostics/Factory Defaults) and restore your backup? Restoring from backup should attempt to install Snort (and any other package) for you after it restarts if it was installed when the backup was made.

    We have been using Suricata, not Snort, but haven't had any such issues with Suricata on SG-3100s.



  • @teamits said in Snort ruleset update causing firewall to crash/reboot:

    Suricata

    Yeah, I think all I have left is reset to factory. I'll try that after hours today.

    Do you have all the same community signature/rule sets in Suricata as in Snort?



  • Haven't used Snort, but Suricata has ETOpen, ETPro, "Snort free Registered User or paid Subscriber rules" and Snort Community Ruleset (GPLv2).



  • After restoring factory defaults and restoring the configuration from the XML file, the Snort rule update got as far as updating the Snort VRT rule set, then the firewall locked up and crashed again. :(

    After hard-rebooting, I found this in the system logs:
    FATAL ERROR: /usr/local/etc/snort/snort_12403_mvneta2//usr/local/etc/snort/snort_12403_mvneta2/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_12403_mvneta2//usr/local/etc/snort/snort_12403_mvneta2/rules/snort.rules": No such file or directory.



  • I think I may have found the problem by uninstalling Snort and trying Suricata:

    After installing Suricata, the same problem happens. Then I tried an older version of the Snort rules:
    snortrules-snapshot-29110.tar.gz works
    snortrules-snapshot-29111.tar.gz causes firewall to crash!

    So, something is definitely wrong with the pfSense code... a content update should not crash the firewall!