Snort - Please help
-
I've found that lowmem doesn't work at all, switching to ac-sparsebands did the trick for me
AND I've just tried the fix above and SNORT is now working as I would expect it to :)
Thank you VERY much sullrich, much appreciated.
Out of interest, what was the change?
-
A number of changes have happened:
-
Snort2c now issues pfctl -k
-
The filter rules now block items in the snort2c table in both directions
-
-
I've found that lowmem doesn't work at all, switching to ac-sparsebands did the trick for me
AND I've just tried the fix above and SNORT is now working as I would expect it to :)
…So keeping up with this post, should all of us that are having issues do the following:
*Reinstall the package if we have not done so in the past day or two?
*Change to ac-sparsebands from whatever other scheme was selected?
*Run Use the Diagnostics Edit program to edit /tmp/rules.debug ….?
*Run the scripts/commands that Sullrich just posted right before this post?
*Cross fingers?Thanks... I just want to clarify steps to correct/enhance this very useful package
-
So keeping up with this post, should all of us that are having issues do the following:
*Reinstall the package if we have not done so in the past day or two?
*Change to ac-sparsebands from whatever other scheme was selected?
*Run Use the Diagnostics Edit program to edit /tmp/rules.debug ….?
*Run the scripts/commands that Sullrich just posted right before this post?
*Cross fingers?Thanks... I just want to clarify steps to correct/enhance this very useful package
That sounds about right. I should note that the filter changes will be included with 1.0.1 which is scheduled for release sometime this weekend.
-
As a matter of interest, what are the memory requirements for snort in it's various mode (ac, sparsebands, lowmem etc).
I'm running with 256mb and it seems like it's not enough (nowhere near enough?)
I'll upgrade the ram if needs be, but I'd like to make sure I get enough :)
-
Depends on which rules you use. In general it's "just snort" so you should check out requirements at the snort homepage/mailinglists.
-
512 megs of ram or above. The release notes for pfSense mention a GIG.
Snort is really a hog.
-
Thanks, I'll upgrade then :)
-
Hi all,
sorry for my 'noobiness' with all these snort business.
But I'm having problem with snort+pfsense combination.some detail:
pfsense-1.0-RC3
download and install snort package from pfsense :
snort
BETA
2.6.0.2.4
platform: 1.0Got the oinkcode from snort.org and then it started downloading
some of the rules.Have NOT messed with the setting after that ( not ticking
any rules etc )
though It generates alerts, ever since it's activated with the oink code
Next day, I found it blocked some IPs ( my IP too )Tried to put my IP in the whitelist. But I couldn't go through.
Had to de-install snort and revert to the original config.
What would be the 'minimal' setup setting for snort in pfsense ?
Originally, I intend to put DNS rule in snortps : you can't sort of disable snort once it's installed and activated
with oink code, can you ?Thanks for the help.
-networknoob -
-
Hoba : Thx for the quick reply. will try that one and we'll see how it goes