Netgate Discussion Forum
    Enable Performance Stats kills process

    IDS/IPS
    10 Posts 2 Posters 825 Views

    markgca

      When I check the "Enable Performance Stats" feature on the Preproc page of Services/Snort/Interface, the interface restarts but never quite gets there.
      Turn that feature off, and it works again.

      I have several Snort instances running on different VLANs and they continue to work. I have tried this on several instances, same result.

      Is this indicative that I need to allocate more space or change some option? I have 24 GB of RAM, and only about half of that is used.

      Thanks for any thoughts.

      bmeeks @markgca

        Same request for additional info as from the original thread in General Discussion --

        1. What messages, if any, are being logged in the pfSense system log from Snort when attempting to start on the interface where performance stats is not working?

        2. When you say you have several Snort instances that continue to work, do you mean they are working with performance stats enabled, or do they also not start when performance stats are enabled?

        3. What version of pfSense and Snort are you running?

        markgca @bmeeks

          @bmeeks

          I tried the others with stats enabled; same thing, they won't start.
          pfSense 2.4.5 on a Netgate 7100, Snort 3.2.9.11.

          Logs:
          May 15 08:18:13 php-fpm 19788 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
          May 15 08:18:13 php-fpm 19788 /snort/snort_interfaces.php: Stopping Snort on VL40_GUEST(lagg0.40) per user request...
          May 15 08:12:53 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
          May 15 08:12:17 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Building new sid-msg.map file for VL40_GUEST...
          May 15 08:12:16 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Enabling any flowbit-required rules for: VL40_GUEST...
          May 15 08:12:14 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Updating rules configuration for: VL40_GUEST ...
          May 15 08:12:00 php-fpm 99193 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
          May 15 08:12:00 php-fpm 99193 /snort/snort_interfaces.php: Restarting Snort on VL40_GUEST(lagg0.40) per user request...
          May 15 08:02:41 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
          May 15 08:02:28 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
          May 15 08:02:03 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Building new sid-msg.map file for VL40_GUEST...
          May 15 08:02:03 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Enabling any flowbit-required rules for: VL40_GUEST...
          May 15 08:02:00 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Updating rules configuration for: VL40_GUEST ...
          May 15 08:01:50 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Building new sid-msg.map file for VL40_GUEST...
          May 15 08:01:49 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Enabling any flowbit-required rules for: VL40_GUEST...
          May 15 08:01:48 php-fpm 17140 /snort/snort_interfaces.php: Starting Snort on VL40_GUEST(lagg0.40) per user request...
          May 15 08:01:47 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Updating rules configuration for: VL40_GUEST ...
          May 15 08:01:33 php-fpm 83812 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
          May 15 08:01:33 php-fpm 83812 /snort/snort_interfaces.php: Restarting Snort on VL40_GUEST(lagg0.40) per user request...

          bmeeks

            I just tested in a virtual machine I keep for checking out problems users report. I enabled Performance Stats on an interface, saved the change, and then successfully restarted Snort without issue. So it appears to work. That VM is pfSense-2.4.5 with the latest Snort package, v3.2.9.11.

            What are all these lines about and what is creating them?

            May 15 08:02:41 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
            

            I don't recognize that PHP code from anywhere in the official Snort package. I'm asking about the "/tmp/xxxxx_startcmd.php" part. The existence of those lines indicates someone or something is monkeying with the standard Snort package PHP code.

            markgca @bmeeks

              @bmeeks thanks for taking the time on this, I'm lost.

              No clue as to what those lines are for; the VL40 is a VLAN for guests.
              But pfSense is installed on a ZFS disk, and /tmp is one of the drives listed (along with /var, /zroot, and /var/run),
              so maybe it's just temp space where it runs from? That disk is 0% of 223 GB, so it isn't a space issue.
              Even /var/run is only 8% full.

              And no one has physical access except me, and I'm not aware anyone else has had network access unless hacked, and nothing else to indicate that, but who knows.

              What do you suggest? I'm thinking save the settings, then deinstall and reinstall the Snort package? Maybe it's a remnant from a prior version during an update that didn't work right?

              bmeeks @markgca

                The directory name is not the issue. The /tmp directory is a normal construct. What is puzzling me is the snort_lagg0.406843_startcmd.php line. I don't know where that is coming from. I maintain the Snort package for pfSense, and I don't recognize that code.

                It certainly will not hurt to remove and then reinstall the package. You won't lose any configuration settings so long as "Keep Snort Settings After Deinstall" is checked on the GLOBAL SETTINGS tab. The default state is "checked".

                markgca @bmeeks

                  @bmeeks I'll give it a shot. Whatever/whoever changed it, it wasn't intentional, that's for sure.

                  I'll post after I reinstall and experiment a bit.

                  Thanks for the help.

                  bmeeks @markgca

                    Okay, false alarm on the "startcmd.php" file. It was something I added to the INTERFACES tab code a while back to make the status icons interactive. I had forgotten about it. I had to do a "grep" search through all of the PHP code to find it, then I remembered adding it ... 😟.

                    So you are going to the PREPROCESSORS tab, enabling the option for Performance Stats, saving the change on that page and then going to the INTERFACES tab and restarting that Snort instance?

                    As I said earlier, it is working for me in a virtual machine. You may need to enable verbose logging on the GLOBAL SETTINGS tab and try restarting Snort again. Also, before doing that, go to the System Logs settings and greatly increase the number of displayed entries so that the circular system log does not overwrite the initial entries from Snort.

                    markgca @bmeeks

                      @bmeeks thanks for the update.

                      So I think something else is going on.

                      I find that if I add a few more ruleset categories it also won't restart, and if I delete a couple, then I can start the performance stats function.

                      So it acts like a memory issue of some sort, or some table limit.

                      I'm not familiar with how Snort works system-wise.
                      I have plenty of system memory (only using about 50% of 24 GB), so it isn't that,
                      but are there any tunables that might need to be adjusted to give me more of whatever?

                      I just may be running too much stuff (I have 13 instances of Snort running, and a few other things).

                      Mark

                      bmeeks

                        That is a lot of Snort processes. To answer your question, there are no tunables of that sort within Snort itself. And the way Snort works on pfSense results in each interface you run it on being a totally separate process without any awareness of the other Snort instances. So any limitations would be within FreeBSD itself.

                        To see what is going on, I suggest you do what I mentioned earlier. Go to the GLOBAL SETTINGS tab, and down at the bottom of that page, check the box to turn on verbose logging. Then go and attempt a start of an interface that does not normally start with performance stats enabled. After the failure to start (assuming it does fail), then examine the pfSense system log line-by-line to see all the Snort messages. Something may get logged to help you troubleshoot.

                        Note that pfSense uses a circular binary logging system called clog for the system log. So in order to have plenty of circular buffer space for logging, go to the System Log > Settings tab under STATUS and set the number of lines to display to a very large value like 1000 or perhaps more. Snort will log a lot of information as it starts up.

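The line-by-line system-log review bmeeks asks for above, done programmatically. This is an added example, not code from the thread or from the pfSense Snort package: it parses the syslog lines the package writes, groups them per Snort instance (the interface label, since each instance is its own process), pairs every "Starting"/"Restarting ... per user request" line with the "Snort START" that should follow, and reports requests that were never answered, START lines logged while the instance was already running, and which script emitted each START (which is how the `/tmp/..._startcmd.php` question above would have been spotted). The sample input is constructed: the VL40_GUEST lines are the request/START/STOP lines posted in the thread, and VL50_IOT is an invented instance whose restart never completes. The year is an assumption, since syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample input. VL40_GUEST lines are the request/START/STOP lines posted in
# the thread (newest first, as pasted); VL50_IOT is an invented instance whose restart
# request is never followed by a "Snort START" line.
SAMPLE_LOG = """\
May 15 08:20:00 php-fpm 20111 /snort/snort_interfaces.php: [Snort] Snort STOP for VL50_IOT(lagg0.50)...
May 15 08:20:00 php-fpm 20111 /snort/snort_interfaces.php: Restarting Snort on VL50_IOT(lagg0.50) per user request...
May 15 08:18:13 php-fpm 19788 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
May 15 08:18:13 php-fpm 19788 /snort/snort_interfaces.php: Stopping Snort on VL40_GUEST(lagg0.40) per user request...
May 15 08:12:53 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
May 15 08:12:14 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Updating rules configuration for: VL40_GUEST ...
May 15 08:12:00 php-fpm 99193 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
May 15 08:12:00 php-fpm 99193 /snort/snort_interfaces.php: Restarting Snort on VL40_GUEST(lagg0.40) per user request...
May 15 08:02:41 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
May 15 08:02:28 php /tmp/snort_lagg0.4064843_startcmd.php: [Snort] Snort START for VL40_GUEST(lagg0.40)...
May 15 08:01:48 php-fpm 17140 /snort/snort_interfaces.php: Starting Snort on VL40_GUEST(lagg0.40) per user request...
May 15 08:01:33 php-fpm 83812 /snort/snort_interfaces.php: [Snort] Snort STOP for VL40_GUEST(lagg0.40)...
May 15 08:01:33 php-fpm 83812 /snort/snort_interfaces.php: Restarting Snort on VL40_GUEST(lagg0.40) per user request...
"""

ASSUMED_YEAR = 2020  # assumption: syslog lines carry no year; it only anchors relative timing

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>php-fpm|php)(?: (?P<pid>\d+))? (?P<script>\S+): (?P<msg>.*)$"
)
# The instance label follows "for LABEL(iface)", "on LABEL(iface)" or "for: LABEL".
LABEL_RE = re.compile(r"\b(?:for|on):? (?P<label>[A-Za-z0-9_]+)")

# Message fragments that mark a state transition; everything else is informational.
EVENT_KINDS = (
    ("Snort START for", "START"),
    ("Snort STOP for", "STOP"),
    ("Restarting Snort on", "REQUEST"),
    ("Starting Snort on", "REQUEST"),
)


def parse_line(line):
    """Return a dict for one Snort-package log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    label = LABEL_RE.search(m["msg"])
    if not label:
        return None
    return {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "raw_ts": m["ts"],
        "script": m["script"],
        "label": label["label"],
        "kind": next((k for needle, k in EVENT_KINDS if needle in m["msg"]), "INFO"),
    }


def analyze(log_text):
    """Pair each start/restart request with the START that should follow it."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # The pasted log is newest-first; reverse it, then stable-sort so lines that share
    # a second keep the order in which they were actually written.
    events = sorted(reversed(events), key=lambda e: e["ts"])

    report = {}
    for e in events:
        r = report.setdefault(e["label"], {
            "pending": [], "running": False, "start_latency_s": [],
            "duplicate_starts": [], "start_scripts": set(),
        })
        if e["kind"] == "REQUEST":
            r["pending"].append(e["ts"])
        elif e["kind"] == "START":
            r["start_scripts"].add(e["script"])
            if r["running"] and not r["pending"]:
                # A second START with no STOP and no new request in between: worth
                # matching against the process list for that interface.
                r["duplicate_starts"].append(e["raw_ts"])
            r["start_latency_s"] += [int((e["ts"] - t).total_seconds()) for t in r["pending"]]
            r["pending"].clear()
            r["running"] = True
        elif e["kind"] == "STOP":
            r["running"] = False

    for r in report.values():
        # Requests still pending at the end of the log never reached "Snort START".
        r["unanswered_requests"] = [t.strftime("%b %d %H:%M:%S") for t in r.pop("pending")]
        r["start_scripts"] = sorted(r["start_scripts"])
        del r["running"]
    return report


if __name__ == "__main__":
    import json
    import sys

    # With no argument the constructed sample is analysed; otherwise pass a file
    # produced on a 2.4.x box with: clog /var/log/system.log > /tmp/system.txt
    text = SAMPLE_LOG if len(sys.argv) < 2 else open(sys.argv[1]).read()
    print(json.dumps(analyze(text), indent=2))
```

On the posted lines this reports two start latencies for the 08:01 restart (55 s from the "Restarting" click and 40 s from the follow-up "Starting" click), a second START at 08:02:41 with no STOP in between, and a 53 s latency for the 08:12 restart; the constructed VL50_IOT instance shows up with an unanswered request, which is the pattern to look for when performance stats are enabled and the instance "never quite gets there". Increasing the displayed log lines, as advised above, matters here too: if clog has already overwritten the request line, the pairing cannot be made.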
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.