Netgate Discussion Forum

Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved)

    tsmalmbe
    last edited by tsmalmbe Dec 21, 2018, 4:54 PM Dec 20, 2018, 10:03 PM

    My interface settings and global settings are identical on firewall A & B. The rules available are different. Firewall A seems to be missing a big amount of rules/categories. Can anyone help with this?

    This is FIREWALL A
    0_1545343177732_ruleset_a.PNG

    This is firewall B
    0_1545343334256_ruleset_b-1.PNG

    0_1545343359044_ruleset_b-2.PNG

    Security Consultant at Mint Security Ltd - www.mintsecurity.fi

      bmeeks
      last edited by Dec 21, 2018, 2:09 PM

      The extraction of the Snort Subscriber Rules did not fully complete on firewall A. One possible reason is firewall A ran out of disk space in the /tmp directory. That's where the rules archives are downloaded to and extracted for copying to the system volume.

      Do a Forced Update of the rules on firewall A and see if that resolves the problem. Also make sure firewall A has at least 250 MB of free space in /tmp before you do the forced update.

        tsmalmbe
        last edited by Dec 21, 2018, 3:38 PM

        Good call and will test that. A is actually using a ramdisk of 120M and the other one is using no ramdisk at all. This was a difference I hadn't seen. No actual recollection of what and why this configuration is like that.

          tsmalmbe
          last edited by Dec 21, 2018, 4:53 PM

          This was it. What a simple solution for once.

            bmeeks @tsmalmbe
            last edited by Dec 21, 2018, 8:25 PM

            @tsmalmbe said in Snort: Two firewalls, missing a lot of rules although similar configuration/setup (Solved):

            This was it. What a simple solution for once.

            Glad you got it sorted out. Snort or Suricata and RAM disks are not good matches. I always recommend no RAM disk when running either of those two packages.

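A pre-flight check for the advice in this thread, as an added example that is not from either poster or from the Snort package: it reads `df -kP /tmp` output, compares the free space against the 250 MB figure given above, and notes when /tmp is memory-backed. The function names, the sample `df` lines (constructed), and the `/dev/md*` or `tmpfs` test for a RAM disk are assumptions.

```shell
#!/bin/sh
# Added example: check /tmp before a Snort Forced Update of the rules.
REQUIRED_MB=250   # free space in /tmp recommended in the thread

# Constructed sample `df -kP /tmp` output (not taken from the thread):
# a roughly 120M RAM disk like firewall A, and a plain disk like firewall B.
SAMPLE_RAMDISK='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md0 119000 45000 74000 38% /tmp'
SAMPLE_DISK='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ada0p2 20000000 12000000 8000000 60% /'

# Read POSIX df output on stdin and print "<free_mb> <backing>".
# Assumption: a device named /dev/md<N> or "tmpfs" means a RAM disk.
parse_df() {
    awk 'NR == 2 {
        backing = ($1 ~ /^\/dev\/md[0-9]/ || $1 == "tmpfs") ? "ram" : "disk"
        printf "%d %s\n", int($4 / 1024), backing
    }'
}

# Read df output on stdin. Returns 0 when /tmp has enough room for the
# rules archives, 1 when it does not, 2 when the input cannot be parsed.
check_rules_space() {
    set -- $(parse_df)
    if [ $# -ne 2 ]; then
        echo "ERROR: could not parse df output"
        return 2
    fi
    if [ "$2" = "ram" ]; then
        echo "NOTE: /tmp is memory-backed (RAM disk)"
    fi
    if [ "$1" -lt "$REQUIRED_MB" ]; then
        echo "FAIL: $1 MB free in /tmp, need $REQUIRED_MB MB"
        return 1
    fi
    echo "OK: $1 MB free in /tmp"
}

# Demo on the constructed samples.
# On a firewall, run instead: df -kP /tmp | check_rules_space
printf '%s\n' "$SAMPLE_RAMDISK" | check_rules_space || true
printf '%s\n' "$SAMPLE_DISK" | check_rules_space
```
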
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.