Snort reload/restart



  • Hi

    I'm totally new to pfSense and Snort but got it set up and running, so far so good. What I found is that whenever I e.g. add a specific rule to the suppress list from the Snort alerts UI, the process is getting stopped and does not start on its own afterwards, so I have to start it manually. Is this normal/by design, or is there anything I'm missing?



  • @dialsc said in Snort reload/restart:

    Hi

    I'm totally new to pfSense and Snort but got it set up and running, so far so good. What I found is that whenever I e.g. add a specific rule to the suppress list from the Snort alerts UI, the process is getting stopped and does not start on its own afterwards, so I have to start it manually. Is this normal/by design, or is there anything I'm missing?

    It should not stop. Have you looked in the system log to see what, if any, error messages might be showing up?



  • Thank you very much for your answer.

    I can see this kind of behaviour on two independent pfSense installations. As soon as I click the "add to suppress list" cross button, the logs start showing:

    Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
    Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
    Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
    Jul 18 13:05:41 pfSense snort[40340]:
    Jul 18 13:05:41 pfSense snort[40340]:         --== Reloading Snort ==--
    Jul 18 13:05:41 pfSense snort[40340]:
    Jul 18 13:05:41 pfSense snort[40340]: PortVar 'DNS_PORTS' defined :
    Jul 18 13:05:41 pfSense snort[40340]:  [ 53 ]
    .
    .
    .
    

    Followed by this snippet after a lot of other log entries:

    Jul 18 13:05:41 pfSense snort[40340]: PortVar 'GTP_PORTS' defined :
    Jul 18 13:05:41 pfSense snort[40340]:  [ 2123 2152 3386 ]
    Jul 18 13:05:41 pfSense snort[40340]:
    Jul 18 13:05:41 pfSense snort[40340]: Detection:
    Jul 18 13:05:41 pfSense snort[40340]:    Search-Method = AC-BNFA
    Jul 18 13:05:41 pfSense snort[40340]:     Maximum pattern length = 20
    Jul 18 13:05:41 pfSense snort[40340]:     Search-Method-Optimizations = enabled
    Jul 18 13:05:42 pfSense snort[40340]: Found pid path directive (/var/run)
    Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
    Jul 18 13:05:42 pfSense snort[40340]:
    Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
    Jul 18 13:05:42 pfSense snort[40340]:
    Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
    Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
    Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
    Jul 18 13:05:43 pfSense snort[40340]: Snort ran for 0 days 6 hours 55 minutes 59 seconds
    Jul 18 13:05:43 pfSense snort[40340]:     Pkts/hr:       587331
    Jul 18 13:05:43 pfSense snort[40340]:    Pkts/min:         8491
    Jul 18 13:05:43 pfSense snort[40340]:    Pkts/sec:          141
    Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
    .
    .
    .
    

    Towards the end it reaches the following state:

    Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
    Jul 18 13:05:43 pfSense snort[40340]: Application Identification Preprocessor:
    Jul 18 13:05:43 pfSense snort[40340]:    Total packets received : 2831032
    Jul 18 13:05:43 pfSense snort[40340]:   Total packets processed : 2715732
    Jul 18 13:05:43 pfSense snort[40340]:     Total packets ignored : 115300
    Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
    Jul 18 13:05:43 pfSense snort[40340]: +-----------------------[filtered events]--------------------------------------
    Jul 18 13:05:43 pfSense snort[40340]: | gen-id=1      sig-id=2011716    type=Limit     tracking=src count=5   seconds=120 filtered=72
    .
    .
    .
    Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122    sig-id=21         type=Suppress  tracking=src-ip=<list>           filtered=1
    

    Then it just stops dumping information into the system.log file, and Snort is stopped on the interface while Barnyard2 is still running.

    As I mentioned above, this is exactly the same behaviour I see on another box running Snort on top of pfSense.

    These are the details about the environment:

    • pfSense version -> 2.4.4-RELEASE-p3
    • Snort version -> 3.2.9.8_6
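The log excerpt above shows the sequence a defender would want to spot automatically: a reload request from snort_alerts.php, the "Any change to the dynamic preprocessor configuration requires a restart" message, the "***** Restarting Snort *****" banner, the end-of-run statistics, and then silence. The following Python script is an added example, not code from the thread or from the pfSense Snort package; it walks system.log lines for one reload event and reports whether the reload escalated to a restart and whether Snort came back afterwards. The sample lines are constructed from the post; the "Commencing packet processing (pid=N)" startup marker used to detect a successful restart is assumed here (it does not appear in the post), so adjust it if your Snort build logs a different startup line.

```python
import re

# Markers copied from the pfSense / Snort log lines quoted in the post.
RELOAD_RE = re.compile(r"\[Snort\] Snort RELOAD CONFIG for (?P<iface>\S+)\.\.\.")
SNORT_RE = re.compile(r"snort\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
RESTART_REQUIRED = "requires a restart"
RESTARTING = "***** Restarting Snort *****"
# Assumed Snort 2.x startup marker; not present in the post, so treat the
# exact wording as an assumption and check it against your own system.log.
COMMENCING_RE = re.compile(r"Commencing packet processing \(pid=(?P<pid>\d+)\)")


def analyze_reload(lines):
    """Track a single reload request through the log and summarise the outcome.

    Returns a dict with: iface (from the php-fpm reload line), pid (first snort
    pid seen), restart_required, restarted, resumed (startup marker seen after
    the restart banner) and new_pid (pid from that startup marker, if any)."""
    state = {"iface": None, "pid": None, "restart_required": False,
             "restarted": False, "resumed": False, "new_pid": None}
    for line in lines:
        m = RELOAD_RE.search(line)
        if m and state["iface"] is None:
            state["iface"] = m.group("iface")
            continue
        m = SNORT_RE.search(line)
        if not m:
            continue  # not a snort[pid] line (check_reload_status, etc.)
        pid, msg = int(m.group("pid")), m.group("msg")
        if state["pid"] is None:
            state["pid"] = pid
        if RESTART_REQUIRED in msg:
            state["restart_required"] = True
        elif RESTARTING in msg:
            state["restarted"] = True
        else:
            c = COMMENCING_RE.search(msg)
            if c and state["restarted"]:
                state["resumed"] = True
                state["new_pid"] = int(c.group("pid"))
    return state


def verdict(state):
    """Human-readable outcome for a monitoring alert or a forum bug report."""
    who = f"snort[{state['pid']}] on {state['iface']}"
    if not state["restarted"]:
        return f"{who}: in-place reload only, no restart requested"
    if state["resumed"]:
        return f"{who}: reload escalated to restart, resumed as pid {state['new_pid']}"
    return f"{who}: reload escalated to restart, no startup seen -> likely stopped"


# Constructed sample, abridged from the post: the restart never comes back.
SAMPLE_STOPPED = """\
Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]:         --== Reloading Snort ==--
Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
""".splitlines()

# Constructed sample of a healthy restart (the last line is assumed wording).
SAMPLE_RESUMED = SAMPLE_STOPPED + [
    "Jul 18 13:05:45 pfSense snort[41002]: Commencing packet processing (pid=41002)",
]

if __name__ == "__main__":
    for sample in (SAMPLE_STOPPED, SAMPLE_RESUMED):
        print(verdict(analyze_reload(sample)))
```

Run it against the real system.log slice between the "Syncing firewall" line and the next unrelated entry; a "likely stopped" verdict is the condition described in the post and is a reasonable trigger for a monitoring check that the Snort process is still bound to the interface.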


  • Is the other box also configured with a bridge interface? That configuration is not something I have ever tested with the Snort package on pfSense.



  • No, it is not. Just two "ordinary" interfaces -> WAN & LAN.

