Snort suppress list - manual start of interface?

slu

Hi,

why I need to start the snort intarface manuel as soon I
add a rule to the suppress list?

Is this normal or something wrong in my config?

Thanks.

Samuel

bmeeks

You should not have to restart Snort. Look in the system log for pfSense and see if any error messages are being logged from the Snort binary. I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.

slu

@bmeeks said in Snort suppress list - manual start of interface?:

I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.

Yes thats what i mean.

Oct 22 16:45:21         kernel                 igb4: promiscuous mode disabled
Oct 22 16:45:20         snort         81276         Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19         check_reload_status                 Syncing firewall

Any idea?

bmeeks

For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.

slu

@bmeeks said in Snort suppress list - manual start of interface?:

For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

Maybe issue with the igb driver?
I have two pfSense machines on SuperMicro board with Xeon CPU, both show the same issue.

Or something in my config?

I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.

No problem, thank you for looking into this.

bmeeks

No, this would not be a driver thing. It might be a software bug in either the Snort binary or something in the GUI wrapper package. I will check it out.

slu

Did you find something?

bmeeks

@slu said in Snort suppress list - manual start of interface?:

Did you find something?

Not yet. Been tied up with other things.

bmeeks

I found this bug and it will be fixed in the upcoming release of Snort-3.2.9.10 for pfSense-2.4.4_p3. Look for an updated package in the next few days. The new package will also update the Snort binary to version 2.9.15.

slu

@bmeeks

Thank you very much.