    OpenVPN causing Snort to exit

      richierichim

      Hello.

      I'm experiencing a problem where Snort is exiting when I start a Site-to-Site OpenVPN connection.  I'm using a peer to peer SSL/TLS setting.  I've disabled the site to site and Snort seems to stay up.

      I would also like to note, I'm running Remote Access (SSL/TLS User Auth) without snort exiting.  Perhaps, I haven't used the Remote Access as much to notice whether or not Snort is exiting.

      I read in another thread where someone stated that it was common knowledge that OpenVPN causes Snort to exit.  I can't seem to find any more information on this.  I would like to see if others are experiencing Snort quitting and how people resolve this.

      Thanks.

        richierichim

        I disabled the Remote Access since Snort shut down again.  After running without any OpenVPN service, Snort is still up and running.

        I hope someone has some idea as to why OpenVPN and Snort don't like each other.  It would be nice to have Snort running to protect this open port.

          richierichim

          Well, I went through and modified my category selection.  I don't have any "shared object" categories since I read these categories work "well" with Pulled Pork and apparently, pfSense doesn't have Pulled Pork.  I also don't have the NetBIOS category selected because I was getting errors.  I was very careful in selecting my categories.  I didn't select categories if I didn't have an open port.  I did end up with more categories selected than before.

          So far, Snort has not gone down and I have OpenVPN tunnels up and running.  We shall see.

            robi

            Can you please post which categories you selected? Because I have a similar setup, and I wasn't able to use Snort at all, but I didn't even think that it may have conflicts with OpenVPN…

              richierichim

              @robi:

              Can you please post which categories you selected? Because I have a similar setup, and I wasn't able to use Snort at all, but I didn't even think that it may have conflicts with OpenVPN…

              I think I'm overdoing the categories since I only have the OpenVPN port open.  Here are the categories I'm currently using:
              emerging-attack_response.rules
              emerging-botcc.rules
              emerging-compromised.rules
              emerging-dos.rules
              emerging-drop.rules
              emerging-dshield.rules
              emerging-exploit.rules
              emerging-malware.rules
              emerging-netbios.rules
              emerging-rbn-malvertisers.rules
              emerging-rbn.rules
              emerging-scan.rules
              emerging-shellcode.rules
              emerging-tor.rules
              emerging-trojan.rules
              emerging-user_agents.rules
              emerging-virus.rules
              emerging-web_client.rules
              emerging-web_server.rules
              emerging-web_specific_apps.rules
              emerging-worm.rules
              snort_attack-responses.rules
              snort_backdoor.rules
              snort_bad-traffic.rules
              snort_blacklist.rules
              snort_botnet-cnc.rules
              snort_ddos.rules
              snort_dos.rules
              snort_exploit.so.rules  (Strange that it works.  This is a Shared Object category.  I was unable to get snort_exploit.rules)
              snort_scan.rules
              snort_shellcode.rules
              snort_spyware-put.rules
              snort_web-activex.rules
              snort_web-attacks.rules
              snort_web-cgi.rules
              snort_web-client.rules
              snort_web-misc.rules
              snort_web-php.rules

              I hope this helps.

                robi

                Thanks.

                What hardware are you running these on?

                  richierichim

                  @robi:

                  Thanks.

                  What hardware are you running these on?

                  Old AMD 2200 with 768MB of RAM.  It uses a lot of memory but seems fine.  I have memory settings as AC-STD with custom whitelist and suppression list.  The whitelist is important because there is a setting that adds VPN addresses dynamically to the list.

                    richierichim

                    @richie:

                    @robi:

                    Thanks.

                    What hardware are you running these on?

                    Old AMD 2200 with 768MB of RAM.  It uses a lot of memory but seems fine.  I have memory settings as AC-STD with custom whitelist and suppression list.  The whitelist is important because there is a setting that adds VPN addresses dynamically to the list.

                    I just switched to AC-BNFA.  It's the default setting I should have used to begin with because memory consumption was up with AC-STD.  Now it went way down and it starts up much faster.  I read somewhere that until initiation is complete Snort is not protecting you and that the end results of the different memory settings yield the same protection.  I'm also considering removing the Shellcode rules because I'm getting some false positives from certain websites.  In the meantime, I'm placing the IPs in the whitelist that I created earlier.
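
The two settings discussed in this thread, written as Snort 2.x configuration directives. This is an added example, not taken from any post; it assumes a hand-edited snort.conf, whereas on pfSense the Snort package normally writes these settings from its GUI. The SID and the address are constructed placeholders.

```conf
# Pattern-matcher ("memory") setting. Every search method matches the same
# rules; they differ in memory use and start-up time.

# Standard Aho-Corasick: high memory use, slow to build on a small box.
# config detection: search-method ac-std

# Aho-Corasick binary NFA: low memory use, a better fit for a machine
# with 768MB of RAM like the one described in this thread.
config detection: search-method ac-bnfa

# False positives from one known site: suppress a single signature for that
# source only, instead of removing the whole shellcode category.
#   gen_id 1      = standard text rules
#   sig_id 1000001 = placeholder SID (constructed, not a real rule)
#   203.0.113.10  = documentation address standing in for the website
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.10
```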

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.