Snort restart/ruleset problems



  • First, the usual disclaimer: thank you for pfSense!

    I'm having an issue where snort will start up fine on boot-up with a pre-defined set of rulesets (25 rulesets checked, none modified). But when I add/remove a ruleset and 'save' (thus restarting snort), the snort process itself eats around 95% CPU for a few minutes, then usually quits. I then can't get snort running (although I have not attempted a CLI start).

    If I reboot the firewall it starts up okay with the proper changes to the rulesets, but of course I'm looking for a way for it to take ruleset changes without having to reboot the firewall. Any suggestions?

    Details:
    pfsense 1.01
    snort 2.6.0.2 (build 85)
    Dual PIII-650
    1 GB PC133 RAM
    17G and 9G SCSI HDs with Adaptec controller.

    Any ideas are appreciated.



  • I think I found a major clue... the snort process itself keeps hogging memory as the CPU is pegged, until there is only about 400M (or so) free left on the system. Then this message is kicked to the prompt (I got this by executing snort from the command line in an SSH session):

    ACSM-No Memory: acsmAddPattern!

    The only previous logging before that (which is where it might be hanging) is:

    Decoding Ethernet on interface fxp0

    I have to stipulate (didn't before) that this is running on a bridged configuration, not routed. I'm wondering if that's why there's the problem...



  • What performance setting do you have snort set to?
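
    The "performance setting" asked about here is, in snort.conf terms, the `config detection: search-method` line (that the pfSense package's Performance selector writes this line is an assumption on my part; check the generated snort.conf). The "ACSM-No Memory: acsmAddPattern!" message quoted in the previous post is printed by Snort's Aho-Corasick state-machine builder, which the full "ac" matcher uses and which grows with every rule pattern loaded; the "lowmem" and "ac-bnfa" methods build much smaller tables. The script below is an added example, not code from this thread, from pfSense or from the Snort project: it writes a constructed snort.conf excerpt, reports which search-method it selects, and switches it. File names are assumptions, and on pfSense the package regenerates snort.conf, so treat this as a way to inspect and test the setting rather than a permanent fix.

```sh
#!/bin/sh
# Added example for this thread; not code from pfSense or the Snort project.
# Assumptions: the snort.conf path is supplied by the caller, and the sample
# file below is constructed here (pfSense generates its own snort.conf).

# Write a small constructed snort.conf excerpt that selects the full
# Aho-Corasick matcher ("ac"), the memory-hungry choice.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf excerpt (not a real pfSense file)
var HOME_NET any
config detection: search-method ac
preprocessor frag3_global
include $RULE_PATH/web-attacks.rules
EOF
}

# Print the configured search-method, or "unset" if the file has no
# "config detection: ... search-method" line (Snort then uses its own default).
get_search_method() {
    m=$(sed -n 's/^[[:space:]]*config[[:space:]]*detection:.*search-method[[:space:]]*\([a-z-]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$m" ] || m=unset
    printf '%s\n' "$m"
}

# Rewrite the search-method in place, or append the line if it is missing.
# Values documented for Snort 2.6.x: ac, ac-std, ac-bnfa, ac-banded,
# ac-sparsebands, acs, lowmem, mwm (verify against the README shipped with
# your build).  "lowmem" and "ac-bnfa" are the ones to try when a reload
# dies with "ACSM-No Memory".
set_search_method() {
    conf=$1
    method=$2
    case "$method" in
        ac|ac-std|ac-bnfa|ac-banded|ac-sparsebands|acs|lowmem|mwm) ;;
        *) echo "unknown search-method: $method" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*config[[:space:]]*detection:.*search-method' "$conf"; then
        # Keep everything up to the method name, replace only the name.
        sed "s/^\([[:space:]]*config[[:space:]]*detection:.*search-method[[:space:]]*\)[a-z-]*/\1$method/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'config detection: search-method %s\n' "$method" >> "$conf"
    fi
}

# Usage (the path is an assumption):
#   make_sample_conf /tmp/snort.conf.sample
#   get_search_method /tmp/snort.conf.sample          # prints: ac
#   set_search_method /tmp/snort.conf.sample lowmem
#   get_search_method /tmp/snort.conf.sample          # prints: lowmem
```

    After changing the method, start snort from the shell with `-T` (test mode) against the same configuration and rule set and watch its memory with `top` or `ps`; if the build completes without the ACSM error, the pattern-matcher choice was the limit, if it still dies, the rule count itself is the problem on a 1 GB box.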



  • @ai-danno:

    I have to stipulate (didn't before) that this is running on a bridged configuration, not routed. I'm wondering if that's why there's the problem…

    I think you are the first person who has tried to run snort on a bridge. I don't know if this is possible at all or if it needs some special configuration behind the scenes (which we don't do, as we never thought about running it on a bridge). Can you set it up as routing/NAT temporarily, just to see if it is a general issue at your box or if it really is related to the bridging? This would help to see where we have to start digging.



  • Snort + bridge should be just fine...

