OpenVPN causing Snort to exit



  • Hello.

    I'm experiencing a problem where Snort is exiting when I start a Site-to-Site OpenVPN connection. I'm using a peer to peer SSL/TLS setting. I've disabled the site to site and Snort seems to stay up.

    I would also like to note, I'm running Remote Access (SSL/TLS User Auth) without snort exiting.  Perhaps, I haven't used the Remote Access as much to notice whether or not Snort is exiting.

    I read in another thread where someone stated that it was common knowledge that OpenVPN causes Snort to exit. I can't seem to find any more information on this. I would like to see if others are experiencing Snort quitting and how people resolve this.

    Thanks.



  • I disabled the Remote Access since Snort shut down again. After running without any OpenVPN service, Snort is still up and running.

    I hope someone has some idea as to why OpenVPN and Snort don't like each other. It would be nice to have Snort running to protect this open port.



  • Well, I went through and modified my category selection. I don't have any "shared object" categories since I read these categories work "well" with Pulled Pork and apparently, pfSense doesn't have Pulled Pork. I also don't have the NetBIOS category selected because I was getting errors. I was very careful in selecting my categories. I didn't select categories if I didn't have an open port. I did end up with more categories selected than before.

    So far, Snort has not gone down and I have OpenVPN tunnels up and running.  We shall see.



  • Can you please post which categories you selected? Because I have a similar setup, and I wasn't able to use Snort at all, but I didn't even think that it may have conflicts with OpenVPN…



  • @robi:

    Can you please post which categories you selected? Because I have a similar setup, and I wasn't able to use Snort at all, but I didn't even think that it may have conflicts with OpenVPN…

    I think I'm overdoing the categories since I only have the OpenVPN port open. Here are the categories I'm currently using:
    emerging-attack_response.rules
    emerging-botcc.rules
    emerging-compromised.rules
    emerging-dos.rules
    emerging-drop.rules
    emerging-dshield.rules
    emerging-exploit.rules
    emerging-malware.rules
    emerging-netbios.rules
    emerging-rbn-malvertisers.rules
    emerging-rbn.rules
    emerging-scan.rules
    emerging-shellcode.rules
    emerging-tor.rules
    emerging-trojan.rules
    emerging-user_agents.rules
    emerging-virus.rules
    emerging-web_client.rules
    emerging-web_server.rules
    emerging-web_specific_apps.rules
    emerging-worm.rules
    snort_attack-responses.rules
    snort_backdoor.rules
    snort_bad-traffic.rules
    snort_blacklist.rules
    snort_botnet-cnc.rules
    snort_ddos.rules
    snort_dos.rules
    snort_exploit.so.rules  (Strange that it works. This is a Shared Object category. I was unable to get snort_exploit.rules)
    snort_scan.rules
    snort_shellcode.rules
    snort_spyware-put.rules
    snort_web-activex.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-misc.rules
    snort_web-php.rules

    I hope this helps.



  • Thanks.

    What hardware are you running these on?



  • @robi:

    Thanks.

    What hardware are you running these on?

    Old AMD 2200 with 768MB of RAM. It uses a lot of memory but seems fine. I have memory settings as AC-STD with custom whitelist and suppression list. The whitelist is important because there is a setting that adds VPN addresses dynamically to the list.



  • @richie:

    @robi:

    Thanks.

    What hardware are you running these on?

    Old AMD 2200 with 768MB of RAM. It uses a lot of memory but seems fine. I have memory settings as AC-STD with custom whitelist and suppression list. The whitelist is important because there is a setting that adds VPN addresses dynamically to the list.

    I just switched to AC-BNFA. It's the default setting I should have used to begin with because memory consumption was up with AC-STD. Now it went way down and it starts up much faster. I read somewhere that until initiation is complete Snort is not protecting you and that the end results of the different memory settings yield the same protection. I'm also considering removing the Shellcode rules because I'm getting some false positives from certain websites. In the meantime, I'm placing the IPs in the whitelist that I created earlier.

