Snort suppress list - manual start of interface?
-
Hi,
Why do I need to start the Snort interface manually as soon as I add a rule to the suppress list? Is this normal or is something wrong in my config?
Thanks.
Samuel
-
You should not have to restart Snort. Look in the system log for pfSense and see if any error messages are being logged from the Snort binary. I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.
-
@bmeeks said in Snort suppress list - manual start of interface?:
I assume you mean you are adding a rule to the suppress list from the ALERTS tab by clicking on the appropriate icon.
Yes, that's what I mean.
Oct 22 16:45:21 kernel igb4: promiscuous mode disabled
Oct 22 16:45:20 snort 81276 Snort Reload: Any change to the dynamic preprocessor configuration requires a restart.
Oct 22 16:45:19 php-fpm /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19 php-fpm /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for LAN(igb4)...
Oct 22 16:45:19 check_reload_status Syncing firewall
Any idea?
-
For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.
I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.
-
@bmeeks said in Snort suppress list - manual start of interface?:
For some reason it seems to think a dynamic preprocessor is being changed/updated. That should not be happening just adding a suppress rule and reloading the configuration.
Maybe issue with the igb driver?
I have two pfSense machines on SuperMicro boards with Xeon CPUs, both show the same issue. Or something in my config?
I will need to spin up a Snort instance in my test virtual machine and see if I can reproduce. Give me a day or two to check it out and I will post back with the results.
No problem, thank you for looking into this.
-
No, this would not be a driver thing. It might be a software bug in either the Snort binary or something in the GUI wrapper package. I will check it out.
-
Did you find something?
-
@slu said in Snort suppress list - manual start of interface?:
Did you find something?
Not yet. Been tied up with other things.
-
I found this bug and it will be fixed in the upcoming release of Snort-3.2.9.10 for pfSense-2.4.4_p3. Look for an updated package in the next few days. The new package will also update the Snort binary to version 2.9.15.
-
Thank you very much.