Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved)
-
My interface settings and global settings are identical on firewall A & B. The rules available are different. Firewall A seems to be missing a large number of rules/categories. Can anyone help with this?
This is firewall A
This is firewall B
-
The extraction of the Snort Subscriber Rules did not fully complete on firewall A. One possible reason is firewall A ran out of disk space in the /tmp directory. That's where the rules archives are downloaded to and extracted for copying to the system volume.
Do a Forced Update of the rules on firewall A and see if that resolves the problem. Also make sure firewall A has at least 250 MB of free space in /tmp before you do the forced update.
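As an added example (not part of the thread and not pfSense or Snort package code), here is a POSIX sh pre-flight check for the condition described above: it reads `df -Pk /tmp` output and reports whether /tmp currently has the 250 MB the rules extraction needs, and separately whether the filesystem is too small to ever hold the archives (the small RAM disk case). The df samples for "firewall A" and "firewall B" are constructed for the script; the 250 MB figure is the one given in the reply.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that the directory the
# Snort rule archives are downloaded to and extracted in (/tmp) can hold them
# before a Forced Update. The 250 MB minimum is the figure given in the thread;
# the df parsing and the sample df output below are constructed for this script.

MIN_FREE_MB=250

# Print one numeric column from "df -Pk <dir>" output read on stdin.
# Column 2 is total 1024-blocks, column 4 is available 1024-blocks.
# Only the second line is read, so it works whether /tmp is its own mount
# (a RAM disk) or just a directory on the system volume.
df_field() {
    awk -v col="$1" 'NR == 2 { print $col; exit }'
}

# Check the filesystem holding a directory against a minimum in MB.
# df output arrives on stdin so the same function works on live output
# and on a captured sample.
# Exit status: 0 = enough free space, 1 = currently too full,
#              2 = filesystem too small to ever hold the archives
#                  (e.g. a 120 MB RAM disk, as in the thread),
#              3 = no data line in the df output.
check_tmp_space() {
    dir=$1
    min_kb=$(( ${2:-$MIN_FREE_MB} * 1024 ))
    df_text=$(cat)
    total_kb=$(printf '%s\n' "$df_text" | df_field 2)
    avail_kb=$(printf '%s\n' "$df_text" | df_field 4)
    [ -n "$total_kb" ] || { echo "$dir: no filesystem line in df output"; return 3; }
    if [ "$total_kb" -lt "$min_kb" ]; then
        echo "$dir: filesystem is only $((total_kb / 1024)) MB total; rules extraction needs $((min_kb / 1024)) MB (RAM disk too small?)"
        return 2
    fi
    if [ "$avail_kb" -lt "$min_kb" ]; then
        echo "$dir: only $((avail_kb / 1024)) MB free; need $((min_kb / 1024)) MB"
        return 1
    fi
    echo "$dir: $((avail_kb / 1024)) MB free, OK for a forced rules update"
    return 0
}

# Constructed samples of "df -Pk /tmp" output (not captured from real systems):
# firewall A with a 120 MB RAM disk on /tmp, firewall B with /tmp on a 20 GB
# system volume, and a variant of B where the volume is nearly full.
SAMPLE_DF_A='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md0 122880 40960 81920 33% /tmp'
SAMPLE_DF_B='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ada0p3 20971520 8388608 12582912 40% /'
SAMPLE_DF_FULL='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ada0p3 20971520 20869120 102400 100% /'

# Demo on the constructed samples; "$?" after "||" is the function's status.
printf '%s\n' "$SAMPLE_DF_A"    | check_tmp_space /tmp || echo "  -> exit status $?"
printf '%s\n' "$SAMPLE_DF_B"    | check_tmp_space /tmp || echo "  -> exit status $?"
printf '%s\n' "$SAMPLE_DF_FULL" | check_tmp_space /tmp || echo "  -> exit status $?"

# Live check of this host's /tmp when run with --live (assumes a POSIX df).
if [ "${1:-}" = "--live" ]; then
    df -Pk /tmp | check_tmp_space /tmp
fi
```

Run it with `--live` on the firewall shell before clicking Forced Update; an exit status of 2 means the RAM disk setting itself is the problem and freeing space in /tmp will not help.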
-
Good call and will test that. A is actually using a ramdisk of 120M and the other one is using no ramdisk at all. This was a difference I hadn't seen. No actual recollection of what and why this configuration is like that.
-
This was it. What a simple solution for once.
-
@tsmalmbe said in Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved):
This was it. What a simple solution for once.
Glad you got it sorted out. Snort or Suricata and RAM disks are not good matches. I always recommend no RAM disk when running either of those two packages.