1. Home
  2. pfSense Packages
  3. Snort Problems Again !!!

Snort Problems Again !!!

  • N

    Here we go with problems with snort .
    1.Blocking not working after reboot .
    2.Edit rules not working after reboot
    3.have to enable and disable and renable blocking then restart snort after that you are lucking snort is working
    this in the 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 .
    4. Had the same problem in the 64 bit release version .

    0
  • E

    Yes, yes but any troubleshooting info like logs etc….!?

    0
  • M

    @NightHawk007 How many of the rules do you have enabled and how much RAM is in the system; also which PreProcessors do you have enabled?  I know from my experiences the more I enable the more problems I have, mainly I believe limited RAM on my systems.  Go minimal to make sure it's stable; maybe just preprocessors and then add some basic rules that contain several hundred, not thousand; you can find the total at the bottom of each rule set.
    That's my 2 cents.  Hope that helps.

    0
  • N

    The system has a dualcore 6000+ 3ghz amd cpu and 2gigs of ddr2800mhz ram and ram is at 15% usage.
    And 21 categories enabled
    Sep 21 22:03:29 snort[7451]: | Num States : 1449930
    Sep 21 22:03:29 snort[7451]: | Num States : 1449930
    Sep 21 22:03:29 snort[7451]: | Num Match States : 176760
    Sep 21 22:03:29 snort[7451]: | Num Match States : 176760
    Sep 21 22:03:29 snort[7451]: | Memory : 32.69Mbytes
    Sep 21 22:03:29 snort[7451]: | Memory : 32.69Mbytes
    Sep 21 22:03:29 snort[7451]: | Patterns : 5.74M
    Sep 21 22:03:29 snort[7451]: | Patterns : 5.74M
    Sep 21 22:03:29 snort[7451]: | Match Lists : 8.76M
    Sep 21 22:03:29 snort[7451]: | Match Lists : 8.76M
    Sep 21 22:03:29 snort[7451]: | Transitions : 17.85M
    Sep 21 22:03:29 snort[7451]: | Transitions : 17.85M
    Sep 21 22:03:29 snort[7451]: +–-----------------------------------------------
    Sep 21 22:03:29 snort[7451]: +–-----------------------------------------------
    Sep 21 22:03:29 snort[7451]: [ Number of null byte prefixed patterns trimmed: 8730 ]
    Sep 21 22:03:29 snort[7451]: [ Number of null byte prefixed patterns trimmed: 8730 ]
    Sep 21 22:03:29 snort[7451]: pcap DAQ configured to passive.
    Sep 21 22:03:29 snort[7451]: pcap DAQ configured to passive.
    Sep 21 22:03:29 snort[7451]: Acquiring network traffic from "fxp0".
    Sep 21 22:03:29 snort[7451]: Acquiring network traffic from "fxp0".
    Sep 21 22:03:29 snort[7451]: Initializing daemon mode
    Sep 21 22:03:29 snort[7451]: Initializing daemon mode
    Sep 21 22:03:29 snort[25842]: Daemon initialized, signaled parent pid: 7451
    Sep 21 22:03:29 snort[25842]: Daemon initialized, signaled parent pid: 7451
    Sep 21 22:03:29 snort[25842]: Reload thread starting…
    Sep 21 22:03:29 snort[25842]: Reload thread starting…
    Sep 21 22:03:29 snort[25842]: Reload thread started, thread 0x3bcba240 (25842)
    Sep 21 22:03:29 snort[25842]: Reload thread started, thread 0x3bcba240 (25842)
    Sep 21 22:03:29 SnortStartup[25917]: Interface Rule START for 0_36952_fxp0…
    Sep 21 22:03:29 snort[25842]: Decoding Ethernet
    Sep 21 22:03:29 snort[25842]: Decoding Ethernet
    Sep 21 22:03:29 kernel: fxp0: promiscuous mode enabled
    Sep 21 22:03:29 snort[25842]: Checking PID path…
    Sep 21 22:03:29 snort[25842]: Checking PID path…
    Sep 21 22:03:29 snort[25842]: PID path stat checked out ok, PID path set to /var/log/snort/run
    Sep 21 22:03:29 snort[25842]: PID path stat checked out ok, PID path set to /var/log/snort/run
    Sep 21 22:03:29 snort[25842]: Writing PID "25842" to file "/var/log/snort/run/snort_fxp036952.pid"
    Sep 21 22:03:29 snort[25842]: Writing PID "25842" to file "/var/log/snort/run/snort_fxp036952.pid"
    Sep 21 22:03:29 snort[25842]: Set gid to 920
    Sep 21 22:03:29 snort[25842]: Set gid to 920
    Sep 21 22:03:29 snort[25842]: Set uid to 920
    Sep 21 22:03:29 snort[25842]: Set uid to 920
    Sep 21 22:03:29 snort[25842]:
    Sep 21 22:03:29 snort[25842]:
    Sep 21 22:03:29 snort[25842]: –== Initialization Complete ==--
    Sep 21 22:03:29 snort[25842]: –== Initialization Complete ==--
    Sep 21 22:03:29 snort[25842]: Commencing packet processing (pid=25842)
    Sep 21 22:03:29 snort[25842]: Commencing packet processing (pid=25842)
    Sep 21 23:21:17 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.102
    Sep 21 23:21:17 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.102

    0
  • T

    Snort is working great here.
    2.0 Release 64bit
    All pre-processors on
    Lots of rules enabled.

    Works after reboot.
    2gb on a vnware vm.

    I did have to follow other posts by uninstalling/reinstalling to get it running the first time when we were in the RC stage.  Also if I had known so rules were only 64 bit, I would have installed 32 bit pfsense.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy