Netgate Discussion Forum

    Snort Error Bogon Rules

Category: Official Netgate® Hardware
12 Posts, 5 Posters, 1.0k Views
styxl:

On my SG-3100 I get this error every time Snort rules are reloaded, the device reboots, or any firewall rule change requires a refresh.
Snort Ver: 3.2.9.11

      There were error(s) loading the rules: /tmp/rules.debug:28: cannot define table bogonsv6: Cannot allocate memory

styxl:

        There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [20]: table <bogonsv6> persist file "/etc/bogonsv6"
        @ 2020-04-30 19:35:43

amarcino:

I have been experiencing the same issue with my 3100 since I upgraded it to 2.4.5. There are a few threads suggesting to up the Firewall Maximum Table Entries; however, these changes did not work for me. Recently I read that this is a reported issue. I am ignoring the errors now and hope that an update fixes the issue.

          Bug report

styxl @amarcino:

@amarcino I tried to increase the table entries also; it didn't resolve the issue.

HG:

I think I had a similar problem in an earlier pfSense version. The problem is that probably the rules that come after that one also don't load?

              What you can try is to disable "Block bogon networks" in the interface settings of your WAN interfaces (and other interfaces, but I believe it's by default only enabled for WAN interfaces). I just saw that I still have it disabled, probably still from the issues I had back then.

styxl @HG:

                @HG said in Snort Error Bogon Rules:

I think I had a similar problem in an earlier pfSense version. The problem is that probably the rules that come after that one also don't load?

                What you can try is to disable "Block bogon networks" in the interface settings of your WAN interfaces (and other interfaces, but I believe it's by default only enabled for WAN interfaces). I just saw that I still have it disabled, probably still from the issues I had back then.

There is a lot of chatter using bogon networks on my WAN, so I need those blocked. The rules do load eventually, but you are right that sometimes they don't load at all.

stompro @styxl:

                  @styxl Are you using ramdisks on your SG-3100?

                  How much kmem do you have available (Diagnostics -> command prompt -> execute shell command "sysctl vm.kmem_map_free")

                  I had one system where I saw this issue, I had my ramdisks set to use too much kernel memory, not leaving enough for the bogonsv6 reload. Seems to take 16MB - 34MB on my system to reload.

                  This was on 2.4.5-p1 so the max table size was already increased by default to 400K, changing that had no effect for me. But freeing up kmem did help.

                  Josh

                  Hardware used: Alix 2D13 X 10, APU2D4 X 10, SG-2200 X 10, SG-2440 X 4

styxl @stompro:

                    @stompro

I am not using RamDisk. It's very weird, but the issue disappears and shows up again after weeks.

                    [2.4.5-RELEASE][papatee@Crier.local]/root: sysctl vm.kmem_map_free
                    vm.kmem_map_free: 206639104

stephenw10 (Netgate Administrator):

                      What max table size value are you actually using? Do you have a lot of large tables loaded in pfBlocker or Snort?

styxl @stephenw10:

                        @stephenw10

                        Max Table Value is set at "2000000", no large tables in SNORT

stephenw10 (Netgate Administrator):

                          Hmm, you are hitting this: https://redmine.pfsense.org/issues/10310
                          I'm not sure we've seen that on a 3100 before though. 2GB of RAM is usually sufficient.
                          As it says there though this is not actually due to exhausting the table size but in fact some other memory limit. I would set that back to the default 400K if it made no difference increasing it.

                          Steve

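An added example, not code from this thread or from pfSense: a small POSIX shell helper that separates the two explanations offered above, stompro's kernel-memory headroom check (`sysctl vm.kmem_map_free`) and the Firewall Maximum Table Entries limit stephenw10 asks about, and reports which one (if either) the current numbers point at. It assumes 34 MB, the top of stompro's observed 16-34 MB range, as the "low headroom" threshold, the `pfctl -sm` line format `table-entries hard limit N`, and constructed sample inputs (a table-limit listing and a three-entry stand-in for /etc/bogonsv6) so it can be exercised off the box; with `--live` it reads the real values on the firewall instead.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the thread or from pfSense).
# Separates the two explanations raised in the thread for
#   "cannot define table bogonsv6: Cannot allocate memory":
#   1. the pf table-entries hard limit (Firewall Maximum Table Entries) is
#      too small for the bogonsv6 list, or
#   2. the kernel map has too little free memory for the reload.
# Assumed threshold (not stated on the page as a rule): treat less than
# 34 MiB of vm.kmem_map_free as "low", the upper end of the 16-34 MB
# stompro observed on his system.
MIN_KMEM_BYTES=$((34 * 1024 * 1024))

# Parse "vm.kmem_map_free: N" (sysctl output) into a byte count.
kmem_free_bytes() {
    printf '%s\n' "$1" | awk '$1 == "vm.kmem_map_free:" { print $2 }'
}

# Parse the "table-entries hard limit N" line of `pfctl -sm`.
pf_table_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $4 }'
}

# Count address entries in a pf table file (blank lines and # comments skipped).
table_entry_count() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Verdict: TABLE_LIMIT, KMEM_LOW, or OTHER (neither limit explains it; see
# https://redmine.pfsense.org/issues/10310, which stephenw10 points at).
# $4 is optional: entries already loaded in other tables, because the
# table-entries limit is shared by every pf table, not applied per table.
diagnose() {
    free=$1 limit=$2 entries=$3 loaded=${4:-0}
    if [ $((entries + loaded)) -gt "$limit" ]; then
        echo TABLE_LIMIT
    elif [ "$free" -lt "$MIN_KMEM_BYTES" ]; then
        echo KMEM_LOW
    else
        echo OTHER
    fi
}

# Live run on the firewall itself (needs FreeBSD sysctl and pfctl).
live_check() {
    diagnose "$(kmem_free_bytes "$(sysctl vm.kmem_map_free)")" \
             "$(pf_table_limit "$(pfctl -sm)")" \
             "$(table_entry_count /etc/bogonsv6)"
}

# Constructed sample inputs so the script can be exercised off the box.
SAMPLE_SYSCTL='vm.kmem_map_free: 206639104'     # the value styxl posted above
SAMPLE_PFCTL_SM='states        hard limit   400000
src-nodes     hard limit   400000
frags         hard limit     5000
table-entries hard limit   400000'

# Write a three-entry stand-in for /etc/bogonsv6 and print its path.
sample_bogon_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the real bogon list
::/8
100::/64
2001:db8::/32
EOF
    echo "$f"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    bogons=$(sample_bogon_file)
    diagnose "$(kmem_free_bytes "$SAMPLE_SYSCTL")" \
             "$(pf_table_limit "$SAMPLE_PFCTL_SM")" \
             "$(table_entry_count "$bogons")"
    rm -f "$bogons"
fi
```

Run it from Diagnostics > Command Prompt or an SSH shell as `sh check.sh --live`. A KMEM_LOW verdict points at what stompro describes (ramdisk sizing or large pfBlocker/Snort tables eating kernel memory), TABLE_LIMIT at the Firewall Maximum Table Entries setting, and OTHER at the redmine issue, where raising the table size does not help because a different memory limit is being hit.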
styxl @stephenw10:

                            @stephenw10 sure, will give 400K a try and see. Thanks

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.