WAN interface keeps dropping out of snort
-
I'm not sure why. It just keeps dropping out like someone deleted it from snort. It takes like a day, and then suddenly it's gone. Anyone else experiencing this?
-
@zermus said in WAN interface keeps dropping out of snort:
I'm not sure why. It just keeps dropping out like someone deleted it from snort. It takes like a day, and then suddenly it's gone. Anyone else experiencing this?
The only two scenarios I can imagine where this could happen is either you have something restoring an old config on some periodic basis, or you have some weird HA/SYNC stuff going on where the master configuration is different from the slave configuration and the master is overwriting the slave during the HA/SYNC. All of the Snort configuration is stored within the firewall's
config.xml
file.Well, I guess a potential third option is your firewall is haunted ... .... or it has actual demons instead of daemons.
-
I think it was somehow being overloaded with overzealous Snort rules. This has never really been a problem in the past because it is decent hardware. I tuned the snort rules back and it seems to have stablized the WAN interface from dropping out.
Anyhow, I vote demons inside my daemons. :)
-
@zermus said in WAN interface keeps dropping out of snort:
I think it was somehow being overloaded with overzealous Snort rules. This has never really been a problem in the past because it is decent hardware. I tuned the snort rules back and it seems to have stablized the WAN interface from dropping out.
Anyhow, I vote demons inside my daemons. :)
There is no conceivable way I can imagine for Snort to delete a configured interface because of CPU loading. If by "dropping out" and "like someone deleted it" you mean the interface physically disappears from the INTERFACE SETTINGS tab, then that just can't happen due to too many rules. Something else more like I described would have to cause that.
Now if you instead mean the WAN interface temporarily goes down and then comes back on its own, then maybe ... but even there I'm not sure how that could happen just because of rules loads.
-
Years of using pfSense I would normally tend to agree with you, but that's the case. Under Snort Interfaces, if I use a heavy ruleset, it just somehow deletes itself out. There is no HA/Sync in this setup, it's a standalone box. The interface doesn't PHYSICALLY DISAPPEAR of course (I'm literally imagining a ghost going in and stealing my Intel NIC out of the box here), but it's dropping out of Snort Interfaces, exactly like someone goes in and deletes the WAN interface from Snort where I have to re-set it all back up again.
The only correlation I can find is using a heavy rulset, which in the past was never a problem up until recently. I'm not sure how recent because I just noticed my WAN interface was missing about a week ago when I normally never had a need to go in there and check it.
I'm not sure how it would resort to a previous config, because when I set this box up about 2 years ago, setting up Snort on the WAN/LAN was one of the first things I did.
-
@zermus said in WAN interface keeps dropping out of snort:
Years of using pfSense I would normally tend to agree with you, but that's the case. Under Snort Interfaces, if I use a heavy ruleset, it just somehow deletes itself out. There is no HA/Sync in this setup, it's a standalone box. The interface doesn't PHYSICALLY DISAPPEAR of course (I'm literally imagining a ghost going in and stealing my Intel NIC out of the box here), but it's dropping out of Snort Interfaces, exactly like someone goes in and deletes the WAN interface from Snort where I have to re-set it all back up again.
The only correlation I can find is using a heavy rulset, which in the past was never a problem up until recently. I'm not sure how recent because I just noticed my WAN interface was missing about a week ago when I normally never had a need to go in there and check it.
I'm not sure how it would resort to a previous config, because when I set this box up about 2 years ago, setting up Snort on the WAN/LAN was one of the first things I did.
I'm not disputing what you are seeing, but I see absolutely no failure mechanism of any kind within the GUI PHP code that could result in a Snort interface being deleted. Deleting an interface requires a manual action. Go to DIAGNOSTICS > BACKUP AND RESTORE in the pfSense menu and then click the Config History tab. Examine the history closely to see what you find. When Snort deletes an interface via user action, it logs a message in the config history. The only part of the PHP GUI code that can delete an interface resides within the INTERFACE SETTINGS tab, and that code will always log a config history message as well as log a message in the pfSense system log when it removes an interface.