Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved)



  • My interface settings and global settings are identical on firewall A & B. The rules available are different. Firewall A seems to be missing a large number of rules/categories. Can anyone help with this?

    This is FIREWALL A
    [screenshot: ruleset_a.PNG]

    This is firewall B
    [screenshot: ruleset_b-1.PNG]

    [screenshot: ruleset_b-2.PNG]



  • The extraction of the Snort Subscriber Rules did not fully complete on firewall A. One possible reason is firewall A ran out of disk space in the /tmp directory. That's where the rules archives are downloaded to and extracted for copying to the system volume.

    Do a Forced Update of the rules on firewall A and see if that resolves the problem. Also make sure firewall A has at least 250 MB of free space in /tmp before you do the forced update.
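
    The pre-flight check suggested in the reply above, as an added example that is not part of the original thread and not code from the pfSense Snort package: it measures the free space of the filesystem holding the rule download/extraction directory and refuses to proceed below a floor, defaulting to the 250 MB the reply recommends. The `/tmp` path and the 250 MB figure come from the thread; the function names and the RAM-disk hint in the failure message are this example's own.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or the Snort package): check that the
    # directory Snort downloads and unpacks rule tarballs into has enough free
    # space before a forced rule update. Defaults below are assumptions taken
    # from the reply: /tmp and a 250 MB floor.

    # Print free space of the filesystem holding $1 in whole MB.
    # df -Pk is POSIX: header line, then "fs 1K-blocks used avail use% mount".
    free_mb() {
        dir=$1
        [ -d "$dir" ] || { echo 0; return 1; }
        df -Pk "$dir" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
    }

    # Print the device/filesystem backing $1 (e.g. tmpfs, /dev/md0, /dev/ada0p2)
    # so the operator can see whether the directory lives on a RAM disk.
    backing_fs() {
        dir=$1
        df -P "$dir" | awk 'NR==2 { print $1 }'
    }

    # Return 0 if $1 has at least $2 MB free, 1 otherwise.
    has_space() {
        dir=$1
        need_mb=$2
        avail=$(free_mb "$dir")
        [ "$avail" -ge "$need_mb" ]
    }

    # Report whether a forced rule update is safe to start.
    # Usage: check_snort_tmp [dir] [min_mb]   (defaults: /tmp 250)
    check_snort_tmp() {
        dir=${1:-/tmp}
        need_mb=${2:-250}
        avail=$(free_mb "$dir")
        dev=$(backing_fs "$dir")
        if has_space "$dir" "$need_mb"; then
            echo "OK: $dir ($dev) has ${avail} MB free, need ${need_mb} MB"
            return 0
        fi
        echo "FAIL: $dir ($dev) has only ${avail} MB free, need ${need_mb} MB" >&2
        echo "      Rule extraction would be truncated. If $dir is a RAM disk, enlarge or disable it first." >&2
        return 1
    }

    # Run directly: sh snort_tmp_check.sh [dir] [min_mb]
    case "$0" in
        *snort_tmp_check.sh) check_snort_tmp "$@" ;;
    esac
    ```

    Run it on each firewall before pressing the Force button on the Snort Updates tab; on a box where `/tmp` reports a small `tmpfs`/`md` device and a FAIL, the fix is in the RAM disk settings (in pfSense these sit under System > Advanced > Miscellaneous), not in the Snort configuration.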



  • Good call and will test that. A is actually using a RAM disk of 120 MB and the other one is using no RAM disk at all. This was a difference I hadn't seen. No actual recollection of what or why this configuration is like that.



  • This was it. What a simple solution for once.



  • @tsmalmbe said in Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved):

    This was it. What a simple solution for once.

    Glad you got it sorted out. Snort or Suricata and RAM disks are not good matches. I always recommend no RAM disk when running either of those two packages.

