Snort Problems Again !!!



  • Here we go with problems with Snort.
    1. Blocking not working after reboot.
    2. Edit rules not working after reboot.
    3. Have to enable and disable and re-enable blocking, then restart Snort; after that you are lucky Snort is working.
    This is in the 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011.
    4. Had the same problem in the 64-bit release version.



  • Yes, yes but any troubleshooting info like logs etc….!?



  • @NightHawk007 How many of the rules do you have enabled and how much RAM is in the system; also which PreProcessors do you have enabled?  I know from my experiences the more I enable the more problems I have, mainly I believe limited RAM on my systems.  Go minimal to make sure it's stable; maybe just preprocessors and then add some basic rules that contain several hundred, not thousand; you can find the total at the bottom of each rule set.
    That's my 2 cents.  Hope that helps.



  • The system has a dual-core 6000+ 3 GHz AMD CPU and 2 gigs of DDR2 800 MHz RAM, and RAM is at 15% usage.
    And 21 categories enabled.
    Sep 21 22:03:29 snort[7451]: | Num States : 1449930
    Sep 21 22:03:29 snort[7451]: | Num States : 1449930
    Sep 21 22:03:29 snort[7451]: | Num Match States : 176760
    Sep 21 22:03:29 snort[7451]: | Num Match States : 176760
    Sep 21 22:03:29 snort[7451]: | Memory : 32.69Mbytes
    Sep 21 22:03:29 snort[7451]: | Memory : 32.69Mbytes
    Sep 21 22:03:29 snort[7451]: | Patterns : 5.74M
    Sep 21 22:03:29 snort[7451]: | Patterns : 5.74M
    Sep 21 22:03:29 snort[7451]: | Match Lists : 8.76M
    Sep 21 22:03:29 snort[7451]: | Match Lists : 8.76M
    Sep 21 22:03:29 snort[7451]: | Transitions : 17.85M
    Sep 21 22:03:29 snort[7451]: | Transitions : 17.85M
    Sep 21 22:03:29 snort[7451]: +-------------------------------------------------
    Sep 21 22:03:29 snort[7451]: +-------------------------------------------------
    Sep 21 22:03:29 snort[7451]: [ Number of null byte prefixed patterns trimmed: 8730 ]
    Sep 21 22:03:29 snort[7451]: [ Number of null byte prefixed patterns trimmed: 8730 ]
    Sep 21 22:03:29 snort[7451]: pcap DAQ configured to passive.
    Sep 21 22:03:29 snort[7451]: pcap DAQ configured to passive.
    Sep 21 22:03:29 snort[7451]: Acquiring network traffic from "fxp0".
    Sep 21 22:03:29 snort[7451]: Acquiring network traffic from "fxp0".
    Sep 21 22:03:29 snort[7451]: Initializing daemon mode
    Sep 21 22:03:29 snort[7451]: Initializing daemon mode
    Sep 21 22:03:29 snort[25842]: Daemon initialized, signaled parent pid: 7451
    Sep 21 22:03:29 snort[25842]: Daemon initialized, signaled parent pid: 7451
    Sep 21 22:03:29 snort[25842]: Reload thread starting…
    Sep 21 22:03:29 snort[25842]: Reload thread starting…
    Sep 21 22:03:29 snort[25842]: Reload thread started, thread 0x3bcba240 (25842)
    Sep 21 22:03:29 snort[25842]: Reload thread started, thread 0x3bcba240 (25842)
    Sep 21 22:03:29 SnortStartup[25917]: Interface Rule START for 0_36952_fxp0…
    Sep 21 22:03:29 snort[25842]: Decoding Ethernet
    Sep 21 22:03:29 snort[25842]: Decoding Ethernet
    Sep 21 22:03:29 kernel: fxp0: promiscuous mode enabled
    Sep 21 22:03:29 snort[25842]: Checking PID path…
    Sep 21 22:03:29 snort[25842]: Checking PID path…
    Sep 21 22:03:29 snort[25842]: PID path stat checked out ok, PID path set to /var/log/snort/run
    Sep 21 22:03:29 snort[25842]: PID path stat checked out ok, PID path set to /var/log/snort/run
    Sep 21 22:03:29 snort[25842]: Writing PID "25842" to file "/var/log/snort/run/snort_fxp036952.pid"
    Sep 21 22:03:29 snort[25842]: Writing PID "25842" to file "/var/log/snort/run/snort_fxp036952.pid"
    Sep 21 22:03:29 snort[25842]: Set gid to 920
    Sep 21 22:03:29 snort[25842]: Set gid to 920
    Sep 21 22:03:29 snort[25842]: Set uid to 920
    Sep 21 22:03:29 snort[25842]: Set uid to 920
    Sep 21 22:03:29 snort[25842]:
    Sep 21 22:03:29 snort[25842]:
    Sep 21 22:03:29 snort[25842]: --== Initialization Complete ==--
    Sep 21 22:03:29 snort[25842]: --== Initialization Complete ==--
    Sep 21 22:03:29 snort[25842]: Commencing packet processing (pid=25842)
    Sep 21 22:03:29 snort[25842]: Commencing packet processing (pid=25842)
    Sep 21 23:21:17 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.102
    Sep 21 23:21:17 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.102



  • Snort is working great here.
    2.0 Release 64bit
    All pre-processors on
    Lots of rules enabled.

    Works after reboot.
    2 GB on a VMware VM.

    I did have to follow other posts by uninstalling/reinstalling to get it running the first time when we were in the RC stage.  Also if I had known so rules were only 64 bit, I would have installed 32 bit pfSense.

