SNORT stopped generating alerts
-
Hello,
I'm currently running Snort on two pfSense VMs (version 2.7.2) with Snort version 4.1.6_17. Both instances stopped generating reports back in November—on different days but within the same month.
At present, Snort is configured on the LAN interface. I'm aware that there are far fewer noisy alerts on the LAN than on the WAN, but I still think something is wrong, since it did generate lots of alerts up until it stopped. Yes, they were mostly alerts that can be ignored, such as http_inspect; however, because I did disable or suppress those alerts, I do believe there is something wrong with Snort.
Where should I begin troubleshooting to identify the root cause of this issue?
I have already re-installed the Snort package, with no success.
Additionally, I have a question regarding the 'Suppress' menu. I noticed a list titled "lansuppress_xxxxxxx" with the description "Auto-generated list for Alert suppression." Does Snort generate these suppression lists automatically? If so, what criteria are these lists based on?
To rule out this suppression list as the cause of the missing alerts, I removed it entirely, but the issue persists.
Thank you.
-
@Enso_ said in SNORT stopped generating alerts:
Additionally, I have a question regarding the 'Suppress' menu. I noticed a list titled "lansuppress_xxxxxxx" with the description "Auto-generated list for Alert suppression." Does Snort generate these suppression lists automatically? If so, what criteria are these lists based on?
This is an auto-generated file that gets created whenever someone presses the Suppress icon on the ALERTS tab and there is no assigned Suppress List. If there is no currently assigned Suppress List for the interface, then when the user clicks the icon to suppress an alert shown on the ALERTS tab, a file is automatically created and given a name using the pattern you posted.
As for why Snort is not generating alerts, you should check that the instance is actually running by using this command from a shell prompt obtained either directly on the firewall console or via SSH (do NOT use the commands in the GUI):
ps -ax | grep snort
You should see one Snort instance listed for each configured and running Snort interface. If you see running instances, then you can use a tool such as nmap to purposefully send penetration test traffic into a Snort protected interface to see if any rules trigger.
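The two checks suggested in the reply above (is a Snort process running for each interface, and does the alert log grow when test traffic is sent) as a small shell helper. This is an added example, not code from the thread, the pfSense Snort package or its author. It assumes that the pfSense package starts each instance as `/usr/local/bin/snort ... -i <iface> ...` and writes that instance's alerts to `/var/log/snort/snort_<iface><uuid>/alert`; the function names and the sample `ps` output are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, labelled: Snort on pfSense is
# launched as /usr/local/bin/snort ... -i <iface> ..., and each instance logs to
# /var/log/snort/snort_<iface><uuid>/alert. Function names are hypothetical.

# snort_ifaces: read `ps -ax` output on stdin and print the interface of every
# running Snort process, one per line. The "[/]snort " pattern matches the
# snort binary path but never the grep process itself.
snort_ifaces() {
    grep '[/]snort ' | sed -n 's/.* -i \([A-Za-z0-9_.]*\).*/\1/p' | sort -u
}

# snort_missing EXPECTED: EXPECTED is a space-separated list of interfaces Snort is
# configured on; ps output is read on stdin. Prints each configured interface with
# no running instance and returns 1 if any are missing, 0 otherwise.
snort_missing() {
    expected="$1"
    running=$(snort_ifaces)
    rc=0
    for i in $expected; do
        if ! printf '%s\n' "$running" | grep -qx "$i"; then
            echo "$i"
            rc=1
        fi
    done
    return $rc
}

# alert_count FILE: number of lines in a Snort alert file, 0 if it does not exist yet.
# Take a count before and after sending test traffic; if it does not change while
# the process is running, the instance is not inspecting (or not logging) that traffic.
alert_count() {
    [ -f "$1" ] && wc -l < "$1" | tr -d ' ' || echo 0
}

# Constructed sample of `ps -ax` output for an offline demonstration (not real output).
SAMPLE_PS='   12  -  Ss   0:00.10 /sbin/devd
 4521  -  SNs  1:22.30 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em112345 -c /usr/local/etc/snort/snort_12345_em1/snort.conf -i em1
 4533  0  S+   0:00.01 grep snort'

# On the firewall itself (console or SSH) the checks would be run as:
#   ps -ax | snort_missing "em0 em1" && echo "all configured Snort instances are running"
#   before=$(alert_count /var/log/snort/snort_em1<uuid>/alert)
#   (send test traffic from a host on the protected segment, e.g. with nmap)
#   after=$(alert_count /var/log/snort/snort_em1<uuid>/alert)
#   [ "$after" -gt "$before" ] && echo "rules are firing" || echo "no new alerts"
```

With the constructed sample, `snort_ifaces` reports only em1, so `snort_missing "em0 em1"` prints em0 and returns non-zero; that is the situation to look for first, because no amount of suppress-list or rule tuning will produce alerts from an interface whose process is not running.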