Snort Rules in pfsense always failed

  • [screenshot: pfSense Services > Snort > Global Settings]
    That's my global setting.
    That's my interface setting.
    My question is: when I want to update my Snort rules it always fails, and when I try with the latest it fails again.

  • First of all, you really should not post your Oinkcode to a public site. That is your private subscription code.

    You need to look in the pfSense system log (STATUS > SYSTEM LOG) to see what error messages are printed while Snort is attempting to start. It will generally tell you what is wrong by logging a message in the pfSense system log.

    What happens when you click on the Start icon on the INTERFACES tab? Try clicking that icon. You should see the status icon change to a spinning gear and then either change to a green check or change back to the red X. If you get the red X, then immediately look in the pfSense system log and review any logged messages relating to Snort.

    Post back here with your results.

  • @bmeeks
    That's my system log.

  • Not that it really should matter in terms of starting up, but you apparently have no rules selected for your LAN interface. That means Snort would not be really doing anything for you even if it started. At 10:11:19 in the log is a warning about "no text rules or IPS Policy selected for: LAN".

    Your Snort Subscriber Rules are also failing to download. Notice the "Server returned error code 505" message in the log at 10:10:28. The most likely cause of that is a trailing space in your Oinkcode. Retype or paste in your Oinkcode again and be sure there is no trailing space at the end and that every character is correct.

    So from the log, Snort appears to have started successfully. Does it still not show as running?

    Open a CLI (command line interface) session on the firewall either directly on the console or via an SSH connection and see what the output of this command is --

    ps -ax | grep snort

    Do you see any running Snort processes in the output of that command?

    I also see a Gateway Alarm message in the log. If that happens often and if the gateway monitoring logs a "gateway down" message, that will trigger pfSense to issue a "restart all packages" command. If more than one instance of that happens in rapid succession it can result in the Snort process either getting clobbered, or sometimes, two duplicate Snort processes getting started.
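A small shell check for the two things the answer above asks for, added here as an example and not taken from the thread or from pfSense: it flags an Oinkcode string that carries stray whitespace or a non-alphanumeric character, and it counts Snort processes per interface in `ps -ax` output so a duplicate instance stands out. The `ps` lines below are constructed for the example, not from the poster's firewall, and the functions read that output from stdin so you can pipe the real command into them.

```sh
#!/bin/sh
# Added example: Oinkcode sanity check and Snort process count per interface.

# Return 0 if the code has no leading/trailing whitespace and only letters
# and digits; otherwise print what is wrong and return 1.
check_oinkcode() {
    code=$1
    if [ -z "$code" ]; then
        echo "Oinkcode is empty"; return 1
    fi
    if printf '%s' "$code" | grep -Eq '^[[:space:]]|[[:space:]]$'; then
        echo "Oinkcode has leading or trailing whitespace"; return 1
    fi
    if printf '%s' "$code" | grep -q '[^A-Za-z0-9]'; then
        echo "Oinkcode contains a non-alphanumeric character"; return 1
    fi
    return 0
}

# Read `ps -ax` output on stdin; print one "iface count" line per interface
# named by the "-i <iface>" argument of each snort process. The grep pattern
# matches the binary path, so the "grep snort" line itself is skipped.
snort_counts() {
    grep '/snort ' | sed -n 's/.*-i \([^ ]*\).*/\1/p' | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# Exit 1 when any interface has more than one Snort process, else 0.
has_duplicate_snort() {
    snort_counts | awk '$2 > 1 { dup = 1 } END { exit dup ? 1 : 0 }'
}

# Constructed sample: em1 has two Snort processes (the duplicate case the
# answer describes), em0 has one.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
 1234  -  Ss   0:05.12 /usr/local/bin/snort -R 58219 -D -q -c /usr/local/etc/snort/snort_58219_em1/snort.conf -i em1
 1240  -  Ss   0:04.90 /usr/local/bin/snort -R 58219 -D -q -c /usr/local/etc/snort/snort_58219_em1/snort.conf -i em1
 1301  -  Ss   0:02.00 /usr/local/bin/snort -R 60710 -D -q -c /usr/local/etc/snort/snort_60710_em0/snort.conf -i em0
 1402  0  S+   0:00.01 grep snort'

# Usage on a real box: ps -ax | snort_counts
printf '%s\n' "$SAMPLE_PS" | snort_counts
```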
