Netgate Discussion Forum

    Snort ruleset update causing firewall to crash/reboot

      msf2000

      Hi, I tried to enable ET rules and a regular update in the web GUI....
      After freezing for a while, the firewall rebooted itself!
      Now, Snort is broken and anytime I do a rule update, it crashes the firewall.

      I've tried uninstalling the Snort package completely, and then reinstalling. Same result.

      Any other ideas?

        msf2000

        I should add, this is the contents of the snort_rules_update.log file just before firewall crashes:
        Starting rules update... Time: 2018-07-15 18:29:00
        Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
        Checking Snort Subscriber rules md5 file...
        There is a new set of Snort Subscriber rules posted.
        Downloading file 'snortrules-snapshot-29111.tar.gz'...
        Done downloading rules file.
        Extracting and installing Snort Subscriber Ruleset...

          SteveITS Galactic Empire

          Out of disk space?
          Out of memory?

          When uninstalling there is an option in most packages to either save or not save the settings and data. That's to facilitate removing a package prior to a pfSense upgrade. You might try setting that so the data is deleted when the package is removed? (can restore from backup later...)

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            msf2000

            Memory usage is 7% right now, and that's with /tmp and /var in "ufs in RAM" as 512MB each. This is a brand-new SG-3100 bought a couple weeks ago.

            In the Services --> Snort --> Global Settings page, I did uncheck "Click to retain Snort settings after package removal." However, re-install does preserve my settings, so this feature is broken on my box.

              SteveITS Galactic Empire

              Brainstorming for you, perhaps reset to factory defaults (Diagnostics/Factory Defaults) and restore your backup? Restoring from backup should attempt to install Snort (and any other package) for you after it restarts if it was installed when the backup was made.

              We have been using Suricata not Snort but haven't had any such issues with Suricata on SG-3100s.

                msf2000

                @teamits said in Snort ruleset update causing firewall to crash/reboot:

                Suricata

                Yeah, I think all I have left is reset to factory. I'll try that after hours today.

                Do you have all the same community signature/rule sets in Suricata as in Snort?

                  SteveITS Galactic Empire

                  Haven't used Snort, but Suricata has ETOpen, ETPro, "Snort free Registered User or paid Subscriber rules" and Snort Community Ruleset (GPLv2).

                    msf2000

                    After restoring factory defaults and restoring the configuration from the XML file, the Snort rule update got as far as updating the Snort VRT rule set, then the firewall locked up and crashed again. :(

                    After hard-rebooting, I found this in the system logs:
                    FATAL ERROR: /usr/local/etc/snort/snort_12403_mvneta2//usr/local/etc/snort/snort_12403_mvneta2/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_12403_mvneta2//usr/local/etc/snort/snort_12403_mvneta2/rules/snort.rules": No such file or directory.

                      msf2000

                      I think I may have found the problem by uninstalling Snort and trying Suricata:

                      After installing Suricata, the same problem happens. Then I tried an older version of the Snort rules:
                      snortrules-snapshot-29110.tar.gz works
                      snortrules-snapshot-29111.tar.gz causes firewall to crash!

                      So, something is definitely wrong with the pfSense code... a content update should not crash the firewall!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.