Netgate Discussion Forum

snort started... or has it?

IDS/IPS
JonSmizza (last edited by JonSmizza):

      Hello.

Using pfSense 2.4.5 and snort 3.2.9.10_2 on a Zotac mini PC with i5-4570T CPU, 4GB RAM and 128GB SSD.

      Disk usage is:

      /      1%  of 113GiB - zfs
      /zroot 0%  of 112GiB - zfs
      /tmp   0%  of 124MiB - ufs in RAM
      /var   18% of 124MiB - ufs in RAM
      

      A day or so ago, snort died. No reason shown in the system log (newest entry first):

      Mar 28 11:26:36 	snort 	65010 	Run time for packet processing was 58944.841660 seconds
      Mar 28 11:26:36 	snort 	65010 	===============================================================================
      Mar 28 11:26:35 	snort 	65010 	*** Caught Term-Signal
      Mar 28 11:26:34 	SnortStartup 	6347 	Snort STOP for WAN(5312_re0)...
      Mar 28 11:25:40 	snort 	65010 	[122:22:1] (portscan) UDP Filtered Decoy Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 156.154.64.91 -> 192.168.1.2
      Mar 28 11:25:26 	snort 	65010 	[122:22:1] (portscan) UDP Filtered Decoy Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 108.18.36.200 -> 192.168.1.2
      

      This morning, I noticed the snort service wasn't shown in the pfSense services list. Hmm... so, I reinstalled snort, and saw quite a few errors during installation starting with:

      Downloading emerging.rules.tar.gz... done.
      Installing Snort Subscriber ruleset...rules/browser-plugins.rules: Write failed
      rules/browser-webkit.rules: Write failed
      rules/deleted.rules: Write failed
      rules/dns.rules: Write to restore size failed
      rules/dos.rules: Write to restore size failed
      

      This ended with an apparently successful reinstall.

      I checked the status of snort on the main dashboard - looks fine.

So I checked the snort status page for the WAN interface - the icon that would normally be a green 'go' or a red 'stop' is a blue wheel going round and round.

      The system logs show snort got as far as this before hanging (newest entry first):

      Mar 30 06:17:48 	snort 	78342 	Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so...
      Mar 30 06:17:48 	snort 	78342 	done
      Mar 30 06:17:48 	snort 	78342 	Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...
      Mar 30 06:17:48 	snort 	78342 	Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
      Mar 30 06:17:48 	snort 	78342 	Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
      

      So, I uninstalled snort, then ran:

      rm -rf /var/db/snort
      

      Then rebooted and installed snort again. Same problems.

      I'm not sure what to do now. Help!

      Thank you.

bmeeks (last edited by bmeeks):

        @JonSmizza:
        I have posted this until I am almost blue in the face, but I will say it once more.

        DO NOT use RAM disks for Snort or Suricata. Users typically never allocate enough space on the RAM disk. You need a minimum of 512 MB in /tmp for successful rules downloads and extraction, and probably double or triple that in /var in order to hold the logs.

Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.

        The amount of "free space" you see on the Dashboard Widget on your RAM disks is not accurate for the period of time when Snort is trying to download and extract the rules. Snort cleans up after the rules update, whether the update was successful or not. So the fact you see free space on the Dashboard Widget means nothing unless you happen to be watching and refreshing the view during the exact interval Snort is attempting to download and extract the rules tarball. Check the pfSense system log during that time interval and I bet you will find some "out of space" errors for those RAM disks.

JonSmizza @bmeeks (last edited by JonSmizza):
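As an added example (not part of this thread and not code from the pfSense Snort package), the POSIX shell script below checks the two things bmeeks' reply points to and that the original poster's logs show: whether /tmp and /var are md(4) RAM disks that fall below the 512 MiB (/tmp) and roughly double that (/var) minimums, and whether log text contains the "Write failed" / out-of-space lines that appear during a rules download on a full RAM disk. The `df -m` output and log lines are constructed samples modelled on the thread, and the thresholds `TMP_MIN_MB`/`VAR_MIN_MB` and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Checks whether /tmp and /var are RAM disks (md devices) that are too small
# for Snort/Suricata rule updates, and counts out-of-space symptoms in log text.
# All inputs below are constructed samples so the script runs offline; on a
# pfSense box you would pass it `df -m` output and /var/log/system.log instead.

# Thresholds (assumed from bmeeks' advice): 512 MiB for /tmp, about double that for /var.
TMP_MIN_MB=512
VAR_MIN_MB=1024

# Constructed `df -m` output for a box with 124 MiB RAM disks like the original poster's.
# Columns: Filesystem 1M-blocks Used Avail Capacity Mounted-on
SAMPLE_DF='Filesystem 1M-blocks Used Avail Capacity Mounted on
zroot/ROOT/default 115712 1157 114555 1% /
zroot 114688 0 114688 0% /zroot
/dev/md0 124 0 124 0% /tmp
/dev/md1 124 22 102 18% /var'

# Constructed `df -m` output for the same box after enlarging the RAM disks.
SAMPLE_DF_LARGE='Filesystem 1M-blocks Used Avail Capacity Mounted on
zroot/ROOT/default 115712 1157 114555 1% /
/dev/md0 1024 0 1024 0% /tmp
/dev/md1 2048 22 2026 1% /var'

# Constructed log lines modelled on the installer output quoted in the thread,
# plus the ENOSPC message FreeBSD reports when a filesystem is full.
SAMPLE_LOG='Installing Snort Subscriber ruleset...rules/browser-plugins.rules: Write failed
rules/dns.rules: Write to restore size failed
Mar 30 06:17:48 snort 78342 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Mar 28 11:25:40 php-fpm 345 /tmp/snort_rules_up/: No space left on device'

# is_ramdisk DF MOUNTPOINT: succeeds when the filesystem mounted there is an md(4)
# memory disk, which is how pfSense implements its /tmp and /var RAM disks.
is_ramdisk() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$6 == mp && $1 ~ /^\/dev\/md/ { found = 1 } END { if (found) exit 0; exit 1 }'
}

# size_mb DF MOUNTPOINT: prints the total size in MiB of the filesystem at MOUNTPOINT.
size_mb() {
    printf '%s\n' "$1" | awk -v mp="$2" '$6 == mp { print $2 }'
}

# check_mount DF MOUNTPOINT MIN_MB: prints one of
#   disk              - backed by a real disk, nothing to do
#   ramdisk-ok        - RAM disk at or above the minimum
#   ramdisk-too-small - RAM disk below the minimum (rule updates will fail)
check_mount() {
    if is_ramdisk "$1" "$2"; then
        sz=$(size_mb "$1" "$2")
        if [ "${sz:-0}" -lt "$3" ]; then
            echo "ramdisk-too-small"
        else
            echo "ramdisk-ok"
        fi
    else
        echo "disk"
    fi
}

# count_space_errors LOGTEXT: number of lines showing a write that failed for lack of space.
count_space_errors() {
    printf '%s\n' "$1" | grep -c -E 'Write failed|Write to restore size failed|No space left on device' || true
}

# report DF LOGTEXT: human-readable summary for one set of inputs.
report() {
    printf '/tmp: %s (%s MiB, minimum %s)\n' "$(check_mount "$1" /tmp "$TMP_MIN_MB")" "$(size_mb "$1" /tmp)" "$TMP_MIN_MB"
    printf '/var: %s (%s MiB, minimum %s)\n' "$(check_mount "$1" /var "$VAR_MIN_MB")" "$(size_mb "$1" /var)" "$VAR_MIN_MB"
    printf 'out-of-space indicators in log: %s\n' "$(count_space_errors "$2")"
}

echo "== original poster's 124 MiB RAM disks =="
report "$SAMPLE_DF" "$SAMPLE_LOG"
echo "== after enlarging the RAM disks =="
report "$SAMPLE_DF_LARGE" ""
```

The point of the second sample is the one bmeeks makes: the dashboard's free-space figure after a rules update says nothing, because Snort removes its temporary files whether or not the extraction succeeded, so the size of the RAM disk itself (and the write errors logged during the update window) is what to check.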

          @bmeeks said in snort started... or has it?:

Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.

          Thank you @bmeeks. I was actually wondering if my RAM disks were the issue. I originally started with larger allocations, then reduced them. Which would explain why I was unable to reinstall snort.

          I've disabled the RAM disks, rebooted, reinstalled snort and now everything is fine.

          Cheers!

bmeeks @JonSmizza:

            @JonSmizza said in snort started... or has it?:

            @bmeeks said in snort started... or has it?:

Just please don't use RAM disks with the IDS/IPS packages. Remove those RAM disks and put those directories back on a physical disk and I bet all of your Snort issues go away.

            Thank you @bmeeks. I was actually wondering if my RAM disks were the issue. I originally started with larger allocations, then reduced them. Which would explain why I was unable to reinstall snort.

            I've disabled the RAM disks, rebooted, reinstalled snort and now everything is fine.

            Cheers!

            Glad you got everything back up ... 👍 . Please help me spread the word, "No RAM disks when using Snort or Suricata!".

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.