4. Snort suppress list - manual start of interface?

Snort suppress list - manual start of interface?

  • S

    Hi,

    why I need to start the snort intarface manuel as soon I
    add a rule to the suppress list?

    Is this normal or something wrong in my config?

    Thanks.

    Samuel

    0

  • You should not have to restart Snort. Look in the system log for pfSense and see if any error messages are being logged from the Snort binary. I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.

    0
    S
     1 Reply
  • S

    @bmeeks said in Snort suppress list - manual start of interface?:

    I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.

    Yes thats what i mean.

    Oct 22 16:45:21         kernel                 igb4: promiscuous mode disabled
Oct 22 16:45:20         snort         81276         Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19         php-fpm                 /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19         check_reload_status                 Syncing firewall

    Any idea?

    0

  • For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

    I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.

    0
    S
     1 Reply
  • S

    @bmeeks said in Snort suppress list - manual start of interface?:

    For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.

    Maybe issue with the igb driver?
    I have two pfSense machines on SuperMicro board with Xeon CPU, both show the same issue.

    Or something in my config?

    I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.

    No problem, thank you for looking into this.

    0

  • No, this would not be a driver thing. It might be a software bug in either the Snort binary or something in the GUI wrapper package. I will check it out.

    0
  • S

    Did you find something?

    0 1 Reply

  • @slu said in Snort suppress list - manual start of interface?:

    Did you find something?

    Not yet. Been tied up with other things.

    0

  • I found this bug and it will be fixed in the upcoming release of Snort-3.2.9.10 for pfSense-2.4.4_p3. Look for an updated package in the next few days. The new package will also update the Snort binary to version 2.9.15.

    1
    S
     1 Reply
  • S

    @bmeeks

    Thank you very much.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy