[Snort] Possible flaw in ET rules and IPS Policy Security

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sun, 28 May 2023 19:54:22 GMT

Dobby_ — Sun, 28 May 2023 19:54:22 GMT

May 27 16:02:49 kernel pid 38637 (snort), jid 0, uid 0, was killed: failed to reclaim memory

May 27 16:02:49 kernel pid 38637 (snort), jid 0, uid 0, was killed: failed to reclaim memory

Can be pointed to the storage space and/or
the amount of ram.

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sun, 28 May 2023 15:16:51 GMT

bmeeks — Sun, 28 May 2023 15:16:51 GMT

@ASGR71 said in [Snort] Possible flaw in ET rules and IPS Policy Security:

I did have Snort setup in the first paragraph, without the problem rule set, running along side pfBlocker without any problems.

That's asking a lot of an SG-1100 with its limited RAM.

When you enable the ET-Trojans rules, what kind of error is logged in the pfSense system log when Snort crashes?

@ASGR71 said in [Snort] Possible flaw in ET rules and IPS Policy Security:

I'll try a factory reset in the near future and see if that makes any difference...

A factory reset is unlikely to make any difference with Snort. In my opinion that will be wasted effort.

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sun, 28 May 2023 04:42:27 GMT

JonathanLee — Sun, 28 May 2023 04:42:27 GMT

You could have too many rules enabled, I learned the hard way you want to only use 50 percent of you memory under no loads, or else the system will start to disable things to free up memory. I use snort ET and subscriber rules with a key for the free version, and that's it plus manual et rules 3Com rules. Anymore for the 4GB memory just boggs it down.

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sat, 27 May 2023 23:20:12 GMT

ASGR71 — Sat, 27 May 2023 23:20:12 GMT

@bmeeks Thanks again B. I'm currently running 'Security' Policy with Snort VRT, Snort GPL, FEODO and 12 other ET rules sets and all is fine. Processor fluctuates between at 9 and 53% and RAM at 76%.

As soon as I enable 'emerging-trojans.rules', with the above, it will eventually fail on next update/reload or manual restart.

For future reference and as a process of elimination, I turned everything off except for Snort VRT to keep the IPS Policy Option and all is running OK. Processor fluctuating between 11 and 52% and RAM 68%

Again, adding 'emerging-trojans.rules' to just the Snort VRT rule set results in a failure to start the interface.

I did have Snort setup in the first paragraph, without the problem rule set, running along side pfBlocker without any problems.

I'll try a factory reset in the near future and see if that makes any difference...

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sat, 27 May 2023 20:06:20 GMT

bmeeks — Sat, 27 May 2023 20:06:20 GMT

If you are running on an SG-1100, then my first suspicion is you are simply running out of RAM. Snort can eat a lot of memory, and the more rules you enable the more memory is required. As I mentioned, the "Security" IPS policy enables the most rules out of the policy selections. So, not really surprised that is causing you problems. Adding in those ET rules probably is the last straw that is breaking the camel's back in terms of memory usage.

You need to use a lean and mean rule set on an SG-1100 due to the very limite amount of RAM.

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sat, 27 May 2023 19:43:19 GMT

ASGR71 — Sat, 27 May 2023 19:43:19 GMT

@bmeeks Thanks for your reply.

It's running on an 1100.

This is the output from the logs...

May 27 16:02:49 php 21847 /tmp/snort_mvneta0.4090_startcmd.php: The command '/usr/local/bin/snort -R _9897 -D --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_mvneta0.40909897 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 9897 -c /usr/local/etc/snort/snort_9897_mvneta0.4090/snort.conf -i mvneta0.4090' returned exit code '9', the output was ''
May 27 16:02:49 kernel pid 38637 (snort), jid 0, uid 0, was killed: failed to reclaim memory
...
May 27 16:00:28 snort 38637 +++++++++++++++++++++++++++++++++++++++++++++++++++
May 27 16:00:28 snort 38637 30643 Option Chains linked into 1413 Chain Headers
May 27 16:00:28 snort 38637 291 preprocessor rules
May 27 16:00:28 snort 38637 153 decoder rules
May 27 16:00:28 snort 38637 30199 detection rules
May 27 16:00:28 snort 38637 30643 Snort rules read
May 27 16:00:12 snort 38637 WARNING: /usr/local/etc/snort/snort_9897_mvneta0.4090/rules/snort.rules(507) threshold (in rule) is deprecated; use detection_filter instead.
May 27 16:00:12 snort 38637 Initializing rule chains...
May 27 16:00:12 snort 38637 +++++++++++++++++++++++++++++++++++++++++++++++++++

Reply to [Snort] Possible flaw in ET rules and IPS Policy Security on Sat, 27 May 2023 13:24:27 GMT

bmeeks — Sat, 27 May 2023 13:24:27 GMT

@ASGR71 said in [Snort] Possible flaw in ET rules and IPS Policy Security:

I've noticed that Snort stops working when the following rule

Which rule? You did not specify the signature ID (SID). All I see is a category name, but that category file contains many rules.

What errors are you seeing in the pfSense system log when Snort quits working?

What kind of hardware are you running Snort on? Using the 'Security' IPS policy loads the most rules. You might simply be running out of free RAM.