1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Snort reload/restart

Snort reload/restart

  • D

    Hi

    I'm totally new to pfsense and snort but got it set up and running, so far so good. What I found is when ever I e.g. add a specific rule to the supress list from the snort alerts UI, the process is getting stopped and does not start by its own afterwards so I have to start it manually. Is this normal/by design or is there anything I'm missing?

    0 bmeeks 1 Reply
  • bmeeks

    @dialsc said in Snort reload/restart:

    Hi

    I'm totally new to pfsense and snort but got it set up and running, so far so good. What I found is when ever I e.g. add a specific rule to the supress list from the snort alerts UI, the process is getting stopped and does not start by its own afterwards so I have to start it manually. Is this normal/by design or is there anything I'm missing?

    It should not stop. Have you looked in the system log to see what, if any, error messages might be showing up?

    0
  • D

    Thank you very much for your answer.

    I can see this kind of behaviour on two independend pfsense installations. As soon as I click the "add to suppress list" cross button the logs start showing:

    Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]:         --== Reloading Snort ==--
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: PortVar 'DNS_PORTS' defined :
Jul 18 13:05:41 pfSense snort[40340]:  [ 53 ]
.
.
.

    Followed by this snipe after a lot of other log entries:

    Jul 18 13:05:41 pfSense snort[40340]: PortVar 'GTP_PORTS' defined :
Jul 18 13:05:41 pfSense snort[40340]:  [ 2123 2152 3386 ]
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]: Detection:
Jul 18 13:05:41 pfSense snort[40340]:    Search-Method = AC-BNFA
Jul 18 13:05:41 pfSense snort[40340]:     Maximum pattern length = 20
Jul 18 13:05:41 pfSense snort[40340]:     Search-Method-Optimizations = enabled
Jul 18 13:05:42 pfSense snort[40340]: Found pid path directive (/var/run)
Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Jul 18 13:05:42 pfSense snort[40340]:
Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
Jul 18 13:05:42 pfSense snort[40340]:
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
Jul 18 13:05:43 pfSense snort[40340]: Snort ran for 0 days 6 hours 55 minutes 59 seconds
Jul 18 13:05:43 pfSense snort[40340]:     Pkts/hr:       587331
Jul 18 13:05:43 pfSense snort[40340]:    Pkts/min:         8491
Jul 18 13:05:43 pfSense snort[40340]:    Pkts/sec:          141
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
.
.
.

    Towards the end it reaches the following state:

    Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: Application Identification Preprocessor:
Jul 18 13:05:43 pfSense snort[40340]:    Total packets received : 2831032
Jul 18 13:05:43 pfSense snort[40340]:   Total packets processed : 2715732
Jul 18 13:05:43 pfSense snort[40340]:     Total packets ignored : 115300
Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
Jul 18 13:05:43 pfSense snort[40340]: +-----------------------[filtered events]--------------------------------------
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=1      sig-id=2011716    type=Limit     tracking=src count=5   seconds=120 filtered=72
.
.
.
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122    sig-id=21         type=Suppress  tracking=src-ip=<list>           filtered=1

    Then it just stops dumping information into the system.log log file and snort is stopped at the interface while Barnyard2 is still running.

    As I mentioned above this is exactly the same behaviour as I see it on another box running snort on top of pfsense.

    These are the details about the environment:

    • pfsense version -> 2.4.4-RELEASE-p3
    • snort version -> 3.2.9.8_6
    0
  • bmeeks

    Is the other box also configured with a bridge interface? That configuration is not something I have ever tested with the Snort package on pfSense.

    0
  • D

    No, it is not. Just two "ordinary" interfaces -> WAN & LAN.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy