snort started... or has it?
-
Hello.
Using pfSense 2.4.5 and snort 3.2.9.10_2 on a Zotac mini PC with i5-4570T CPU, 4GB RAM and 128GB SSD.
Disk usage is:
/ 1% of 113GiB - zfs
/zroot 0% of 112GiB - zfs
/tmp 0% of 124MiB - ufs in RAM
/var 18% of 124MiB - ufs in RAM
A day or so ago, snort died. No reason shown in the system log (newest entry first):
Mar 28 11:26:36 snort 65010 Run time for packet processing was 58944.841660 seconds
Mar 28 11:26:36 snort 65010 ===============================================================================
Mar 28 11:26:35 snort 65010 *** Caught Term-Signal
Mar 28 11:26:34 SnortStartup 6347 Snort STOP for WAN(5312_re0)...
Mar 28 11:25:40 snort 65010 [122:22:1] (portscan) UDP Filtered Decoy Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 156.154.64.91 -> 192.168.1.2
Mar 28 11:25:26 snort 65010 [122:22:1] (portscan) UDP Filtered Decoy Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 108.18.36.200 -> 192.168.1.2
This morning, I noticed the snort service wasn't shown in the pfSense services list. Hmm... so, I reinstalled snort, and saw quite a few errors during installation starting with:
Downloading emerging.rules.tar.gz... done.
Installing Snort Subscriber ruleset...
rules/browser-plugins.rules: Write failed
rules/browser-webkit.rules: Write failed
rules/deleted.rules: Write failed
rules/dns.rules: Write to restore size failed
rules/dos.rules: Write to restore size failed
This ended with an apparently successful reinstall.
I checked the status of snort on the main dashboard - looks fine.
So I checked the snort status page for the WAN interface - the icon that would normally be a green 'go' or a red 'stop' is a blue wheel going round and round.
The system logs show snort got as far as this before hanging (newest entry first):
Mar 30 06:17:48 snort 78342 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so...
Mar 30 06:17:48 snort 78342 done
Mar 30 06:17:48 snort 78342 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...
Mar 30 06:17:48 snort 78342 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Mar 30 06:17:48 snort 78342 Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
So, I uninstalled snort, then ran:
rm -rf /var/db/snort
Then rebooted and installed snort again. Same problems.
I'm not sure what to do now. Help!
Thank you.
-
@JonSmizza:
I have posted this until I am almost blue in the face, but I will say it once more. DO NOT use RAM disks for Snort or Suricata. Users typically never allocate enough space on the RAM disk. You need a minimum of 512 MB in /tmp for successful rules downloads and extraction, and probably double or triple that in /var in order to hold the logs. Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.
The amount of "free space" you see on the Dashboard Widget on your RAM disks is not accurate for the period of time when Snort is trying to download and extract the rules. Snort cleans up after the rules update, whether the update was successful or not. So the fact you see free space on the Dashboard Widget means nothing unless you happen to be watching and refreshing the view during the exact interval Snort is attempting to download and extract the rules tarball. Check the pfSense system log during that time interval and I bet you will find some "out of space" errors for those RAM disks.
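An added example, not from this thread or the pfSense packages: a small pre-flight script a pfSense admin can run from the shell before a Snort rules update. It reports free space on /tmp and /var against the thresholds given above (512 MB and roughly double that) and counts the "Write failed" / "out of space" lines in a log, using a constructed sample log rather than the real system log; df(1), awk(1) and grep(1) are assumed to be available.

```shell
#!/bin/sh
# Pre-flight check for Snort rule updates on a pfSense box whose /tmp and /var
# may live on RAM disks. Thresholds follow the advice in this thread.

# free_mb PATH -> prints free space (MB) on the filesystem that holds PATH
free_mb() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
}

# check_space PATH MIN_MB -> returns 0 if free space >= MIN_MB, 1 otherwise
check_space() {
    _free=$(free_mb "$1")
    if [ "$_free" -lt "$2" ]; then
        echo "WARN: $1 has ${_free} MB free, need at least $2 MB for Snort rules" >&2
        return 1
    fi
    echo "OK: $1 has ${_free} MB free"
    return 0
}

# count_space_errors LOGFILE -> number of lines that indicate a write/space failure
# (the symptoms seen in the original post plus the usual FreeBSD/libc messages)
count_space_errors() {
    grep -c -E 'Write failed|Write to restore size failed|No space left on device|filesystem full' "$1" || true
}

# Constructed sample log (not a real capture) mixing the failure lines from the
# thread with a harmless line, so the counter has something to run over.
SAMPLE_LOG="${TMPDIR:-/tmp}/snort_ramdisk_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Installing Snort Subscriber ruleset...
rules/browser-plugins.rules: Write failed
rules/dns.rules: Write to restore size failed
Mar 30 06:10:05 kernel: pid 1234 (tar), uid 0 inumber 5 on /tmp: filesystem full
Mar 30 06:17:48 snort 78342 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
EOF

# Report only; do not abort the shell if a threshold is missed.
check_space /tmp 512  || :
check_space /var 1024 || :
echo "space-related errors in sample log: $(count_space_errors "$SAMPLE_LOG")"
```

Point count_space_errors at the real system log (clog /var/log/system.log on pfSense) during the interval an update runs to see whether the RAM disk filled up.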
-
@bmeeks said in snort started... or has it?:
Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.
Thank you @bmeeks. I was actually wondering if my RAM disks were the issue. I originally started with larger allocations, then reduced them. Which would explain why I was unable to reinstall snort.
I've disabled the RAM disks, rebooted, reinstalled snort and now everything is fine.
Cheers!
-
@JonSmizza said in snort started... or has it?:
@bmeeks said in snort started... or has it?:
Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.
Thank you @bmeeks. I was actually wondering if my RAM disks were the issue. I originally started with larger allocations, then reduced them. Which would explain why I was unable to reinstall snort.
I've disabled the RAM disks, rebooted, reinstalled snort and now everything is fine.
Cheers!
Glad you got everything back up. Please help me spread the word, "No RAM disks when using Snort or Suricata!".