Snort suppress list - manual start of interface?



  • Hi,

    Why do I need to start the Snort interface manually as soon as I
    add a rule to the suppress list?

    Is this normal, or is something wrong in my config?

    Thanks.

    Samuel



  • You should not have to restart Snort. Look in the system log for pfSense and see if any error messages are being logged from the Snort binary. I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.



  • @bmeeks said in Snort suppress list - manual start of interface?:

    I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.

    Yes, that's what I mean.

    Oct 22 16:45:21         kernel                 igb4: promiscuous mode disabled
    Oct 22 16:45:20         snort         81276         Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
    Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
    Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
    Oct 22 16:45:19         check_reload_status                 Syncing firewall
    

    Any idea?



  • For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

    I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.



  • @bmeeks said in Snort suppress list - manual start of interface?:

    For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

    Maybe an issue with the igb driver?
    I have two pfSense machines on SuperMicro boards with Xeon CPUs; both show the same issue.

    Or something in my config?

    I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.

    No problem, thank you for looking into this.



  • No, this would not be a driver thing. It might be a software bug in either the Snort binary or something in the GUI wrapper package. I will check it out.



  • Did you find something?



  • @slu said in Snort suppress list - manual start of interface?:

    Did you find something?

    Not yet. Been tied up with other things.



  • I found this bug and it will be fixed in the upcoming release of Snort-3.2.9.10 for pfSense-2.4.4_p3. Look for an updated package in the next few days. The new package will also update the Snort binary to version 2.9.15.



  • @bmeeks

    Thank you very much.

