Netgate Discussion Forum

    Snort reload/restart

    IDS/IPS
    5 Posts 2 Posters 2.6k Views
      dialsc

      Hi

      I'm totally new to pfsense and snort but got it set up and running, so far so good. What I found is whenever I e.g. add a specific rule to the suppress list from the snort alerts UI, the process is getting stopped and does not start on its own afterwards, so I have to start it manually. Is this normal/by design or is there anything I'm missing?

        bmeeks @dialsc


        It should not stop. Have you looked in the system log to see what, if any, error messages might be showing up?

          dialsc

          Thank you very much for your answer.

          I can see this kind of behaviour on two independent pfsense installations. As soon as I click the "add to suppress list" cross button the logs start showing:

          Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
          Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
          Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
          Jul 18 13:05:41 pfSense snort[40340]:
          Jul 18 13:05:41 pfSense snort[40340]:         --== Reloading Snort ==--
          Jul 18 13:05:41 pfSense snort[40340]:
          Jul 18 13:05:41 pfSense snort[40340]: PortVar 'DNS_PORTS' defined :
          Jul 18 13:05:41 pfSense snort[40340]:  [ 53 ]
          .
          .
          .
          

          Followed by this snippet after a lot of other log entries:

          Jul 18 13:05:41 pfSense snort[40340]: PortVar 'GTP_PORTS' defined :
          Jul 18 13:05:41 pfSense snort[40340]:  [ 2123 2152 3386 ]
          Jul 18 13:05:41 pfSense snort[40340]:
          Jul 18 13:05:41 pfSense snort[40340]: Detection:
          Jul 18 13:05:41 pfSense snort[40340]:    Search-Method = AC-BNFA
          Jul 18 13:05:41 pfSense snort[40340]:     Maximum pattern length = 20
          Jul 18 13:05:41 pfSense snort[40340]:     Search-Method-Optimizations = enabled
          Jul 18 13:05:42 pfSense snort[40340]: Found pid path directive (/var/run)
          Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
          Jul 18 13:05:42 pfSense snort[40340]:
          Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
          Jul 18 13:05:42 pfSense snort[40340]:
          Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
          Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
          Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
          Jul 18 13:05:43 pfSense snort[40340]: Snort ran for 0 days 6 hours 55 minutes 59 seconds
          Jul 18 13:05:43 pfSense snort[40340]:     Pkts/hr:       587331
          Jul 18 13:05:43 pfSense snort[40340]:    Pkts/min:         8491
          Jul 18 13:05:43 pfSense snort[40340]:    Pkts/sec:          141
          Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
          .
          .
          .
          

          Towards the end it reaches the following state:

          Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
          Jul 18 13:05:43 pfSense snort[40340]: Application Identification Preprocessor:
          Jul 18 13:05:43 pfSense snort[40340]:    Total packets received : 2831032
          Jul 18 13:05:43 pfSense snort[40340]:   Total packets processed : 2715732
          Jul 18 13:05:43 pfSense snort[40340]:     Total packets ignored : 115300
          Jul 18 13:05:43 pfSense snort[40340]: ===============================================================================
          Jul 18 13:05:43 pfSense snort[40340]: +-----------------------[filtered events]--------------------------------------
          Jul 18 13:05:43 pfSense snort[40340]: | gen-id=1      sig-id=2011716    type=Limit     tracking=src count=5   seconds=120 filtered=72
          .
          .
          .
          Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122    sig-id=21         type=Suppress  tracking=src-ip=<list>           filtered=1
          

          Then it just stops dumping information into the system.log file and snort is stopped at the interface while Barnyard2 is still running.

          As I mentioned above this is exactly the same behaviour as I see it on another box running snort on top of pfsense.

          These are the details about the environment:

          • pfsense version -> 2.4.4-RELEASE-p3
          • snort version -> 3.2.9.8_6
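          The sequence in the post above (the GUI issues RELOAD CONFIG, Snort announces that a dynamic preprocessor change requires a restart, prints its shutdown statistics, and then goes silent) is the kind of event a defender wants detected from the log rather than discovered when the interface shows Snort stopped and Barnyard2 still running. Below is an added Python example, not code from this thread or from the pfSense Snort package, that parses syslog lines of this shape and classifies the outcome. The sample log is constructed from the excerpt in the post (same pid, interface name and message texts); the "Snort initialization completed successfully" startup banner used to recognise a successful restart is an assumption about Snort 2.9's output and never appears in the thread's log.

```python
import re

# Constructed sample modelled on the thread's log excerpt; only the lines the
# parser needs are kept. This is the "Snort stopped" scenario from the post.
STOPPED_LOG = """\
Jul 18 13:05:41 pfSense check_reload_status: Syncing firewall
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense php-fpm[342]: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN_LAN_BRIDGE(bridge0)...
Jul 18 13:05:41 pfSense snort[40340]:
Jul 18 13:05:41 pfSense snort[40340]:         --== Reloading Snort ==--
Jul 18 13:05:42 pfSense snort[40340]: Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Jul 18 13:05:42 pfSense snort[40340]: ***** Restarting Snort *****
Jul 18 13:05:43 pfSense snort[40340]: Run time for packet processing was 24959.737680 seconds
Jul 18 13:05:43 pfSense snort[40340]: Snort processed 3523987 packets.
Jul 18 13:05:43 pfSense snort[40340]:    Pkts/sec:          141
Jul 18 13:05:43 pfSense snort[40340]: | gen-id=122    sig-id=21         type=Suppress  tracking=src-ip=<list>           filtered=1
"""

# Constructed "healthy" variant: the same restart, but a new Snort process comes
# back. The startup banner is an ASSUMPTION about Snort 2.9 output; the thread's
# log never gets this far, which is exactly the symptom being diagnosed.
RECOVERED_LOG = STOPPED_LOG + (
    "Jul 18 13:05:45 pfSense snort[41002]: Snort initialization completed successfully (pid=41002)\n"
)

# Generic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# The reload command the pfSense GUI logs via php-fpm, with the interface name
RELOAD_CMD = re.compile(r"\[Snort\] Snort RELOAD CONFIG for (?P<iface>\S+?)\.\.\.")

# Lifecycle markers, in the order Snort emits them. The last one is assumed.
MARKERS = [
    ("reload_started", "--== Reloading Snort ==--"),
    ("restart_required", "requires a restart"),
    ("restarting", "***** Restarting Snort *****"),
    ("init_completed", "Snort initialization completed successfully"),  # assumed banner
]
# Figures from the shutdown statistics block, useful for sizing and for
# confirming the old process really finished its run.
STATS = {
    "runtime_seconds": re.compile(r"Run time for packet processing was ([\d.]+) seconds"),
    "packets_processed": re.compile(r"Snort processed (\d+) packets"),
    "pkts_per_sec": re.compile(r"Pkts/sec:\s+(\d+)"),
}


def parse(lines):
    """Walk syslog lines in order and collect Snort reload/restart evidence."""
    state = {
        "reload_requests": {},  # iface -> number of RELOAD CONFIG commands from the GUI
        "events": [],           # (timestamp, pid, marker name) in log order
        "stats": {},            # figures from the shutdown banner
    }
    for raw in lines:
        m = SYSLOG.match(raw.rstrip())
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "php-fpm":
            r = RELOAD_CMD.search(msg)
            if r:
                iface = r["iface"]
                state["reload_requests"][iface] = state["reload_requests"].get(iface, 0) + 1
            continue
        if prog != "snort":
            continue
        for name, needle in MARKERS:
            if needle in msg:
                state["events"].append((m["ts"], pid, name))
        for name, rx in STATS.items():
            s = rx.search(msg)
            if s:
                state["stats"][name] = float(s.group(1))
    return state


def verdict(state):
    """Classify what happened to Snort after a GUI-triggered reload."""
    names = [e[2] for e in state["events"]]
    if "restart_required" not in names:
        return "no_restart_needed" if "reload_started" in names else "no_reload_seen"
    # Snort said it must re-exec; it is healthy only if a startup banner follows,
    # from any pid, since the restarted process need not keep the old one.
    after = names[names.index("restart_required") + 1:]
    return "recovered" if "init_completed" in after else "stopped_after_restart"


if __name__ == "__main__":
    for label, log in (("stopped", STOPPED_LOG), ("recovered", RECOVERED_LOG)):
        st = parse(log.splitlines())
        print(label, verdict(st), st["reload_requests"], st["stats"])
```

          Feeding the text of the system log to parse() and then verdict() gives "stopped_after_restart" for the thread's log: the reload was escalated to a full restart by the dynamic preprocessor check and nothing started afterwards. The reload_requests count also surfaces the detail visible in the post that the GUI logged RELOAD CONFIG twice for the same interface, which is worth mentioning when reporting the problem.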
            bmeeks

            Is the other box also configured with a bridge interface? That configuration is not something I have ever tested with the Snort package on pfSense.

              dialsc

              No, it is not. Just two "ordinary" interfaces -> WAN & LAN.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.