Snort package problems



  • OK, I installed the latest snort package with the new binaries upgraded today and now Snort works, but I've found two problems so far:
    1- All the logs are duplicated. From the snort startup logs up to every alert, all duplicated both in the Alert tab and the System Logs too. This only happens with snort logs; all other logs are fine.
    2- The "stop" button won't stop the snort process. I was starting to freak out when my suppression lists weren't working; I checked out everything like 20 times and finally went to the console, and there were like 10 snort processes running at the same time. So the "start" button works, but not the "stop" button in the Snort Interfaces tab.

    Finally, thank you for the hard work on making this work, I really appreciate it.



  • Well, I found another problem. After a few minutes the Snort process dies. These are the log entries:

    Jun 19 20:06:19	snort[56265]: [1:2402000:2641] ET DROP Dshield Block Listed Source [Classification: Misc Attack] [Priority: 2] {TCP} 222.189.239.90:6000 -> 200.68.124.165:1433
    Jun 19 20:06:19	kernel: pid 56265 (snort), uid 0: exited on signal 11

    I have 4 GB of RAM on that firewall, I'm using the AC-BNFA memory setting and binding it to only one interface.



  • UPDATE: Problem #2 is also affecting the rules updates. After a ruleset update snort will restart, but the old process won't die and snort processes will keep accumulating.



  • Snort 2.9.2.3 pkg v. 2.2.1

    In snort's Blocked IP list page, I am not getting any alert description.

    
    Remove  #  IP             Alert Description
            1  74.125.236.87  N\A
            2  74.125.236.88  N\A
            3  74.125.236.95  N\A
            4  202.86.6.175   N\A
    
    

    In the alerts entry tab, nothing is listed and I can't change 'Instance to Inspect'. The list auto-selects 'wan'.

    Any help?



  • Yes I noticed that too (the missing description on the blocked page). Didn't report it because it's more like a missing feature than a bug. But it would be very nice to have it working anyway.

    @chowtamah:

    Snort 2.9.2.3 pkg v. 2.2.1

    In snort's Blocked IP list page, I am not getting any alert description.

    
    Remove  #  IP             Alert Description
            1  74.125.236.87  N\A
            2  74.125.236.88  N\A
            3  74.125.236.95  N\A
            4  202.86.6.175   N\A
    
    

    In the alerts entry tab, nothing is listed and I can't change 'Instance to Inspect'. The list auto-selects 'wan'.

    Any help?



  • Newly noticed problem:  Blocked sites are not being removed as per setting "Remove blocked hosts every".

    I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

    Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.



  • @sronsen:

    Newly noticed problem:  Blocked sites are not being removed as per setting "Remove blocked hosts every".

    I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

    Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.

    Go to your Global page. Change the time to an hour; save. Then change it back to 3 hours; save. This should create the cron job that is needed. If you have the cron package installed, you should see a job with '/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' in it. 3600 will probably be different, maybe something like 108000.



  • @Cino:

    @sronsen:

    Newly noticed problem:  Blocked sites are not being removed as per setting "Remove blocked hosts every".

    I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

    Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.

    Go to your Global page. Change the time to an hour; save. Then change it back to 3 hours; save. This should create the cron job that is needed. If you have the cron package installed, you should see a job with '/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' in it. 3600 will probably be different, maybe something like 108000.

    Thanks.  Made and saved the change and the cron job is there as you describe.



  • Anyone else getting massive SWAP file usage after the recent Snort package update?

    EDIT:
    Just restarted Snort after a rule update and it seems to have toned down.  I guess I'll keep an eye on that.



  • Now that some time has passed, I checked it again.

    Before the recent update of Snort, it used most of my 2GB of RAM in the unit, but no SWAP.  Now it's using most of the 2GB of RAM and 45% of the SWAP.

    What changed?



  • @SectorNine50:

    Now that some time has passed, I checked it again.

    Before the recent update of Snort, it used most of my 2GB of RAM in the unit, but no SWAP.  Now it's using most of the 2GB of RAM and 45% of the SWAP.

    What changed?

    I am having the same issue with overall memory and CPU usage.  I am using 2.0.1-RELEASE (amd64) with Snort 2.9.2.3 pkg v. 2.2.1.

    My memory usage usually hovers around 10%; I just had to reboot as it was using 54% of my memory after 5 days.  I noticed a slowdown, even with 8 GB of RAM.

    Is there a memory leak somewhere?

    -th3r3isnospoon



  • That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.



  • @Feadin:

    That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

    That makes some sense, thank you!

    Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
    -SSH to your firewall
    -Open up the shell
    -Type 'top'
    -Find the PID of the Snort processes you want to kill
    -Press 'k' and type the PID
    -Repeat the previous step for each PID.

    For me it took quite some time for snort to fully unload.  However, I was able to watch the memory usage steadily decline until it finally closed out.



  • @SectorNine50:

    @Feadin:

    That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

    That makes some sense, thank you!

    Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
    -SSH to your firewall
    -Open up the shell
    -Type 'top'
    -Find the PID of the Snort processes you want to kill
    -Press 'k' and type the PID
    -Repeat the previous step for each PID.

    For me it took quite some time for snort to fully unload.  However, I was able to watch the memory usage steadily decline until it finally closed out.

    This works for me: 'ps -aux | grep snort'. This will show all your processes with snort in them, including barnyard2. Then it's kill PID #.

    A really quick way, 'killall snort'  :-)



  • I'm using

    pgrep snort
    

    to check how many snort processes are open, and

    pkill snort
    

    to kill them in case there's more than one. All from the "Diagnostics: Execute command" page and it works too.

    @Cino:

    @SectorNine50:

    @Feadin:

    That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

    That makes some sense, thank you!

    Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
    -SSH to your firewall
    -Open up the shell
    -Type 'top'
    -Find the PID of the Snort processes you want to kill
    -Press 'k' and type the PID
    -Repeat the previous step for each PID.

    For me it took quite some time for snort to fully unload.  However, I was able to watch the memory usage steadily decline until it finally closed out.

    This works for me: 'ps -aux | grep snort'. This will show all your processes with snort in them, including barnyard2. Then it's kill PID #.

    A really quick way, 'killall snort'  :-)
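The cleanup discussed in the two posts above ('top'/'kill' per PID, then 'pkill snort') removes every snort process, including the one that should keep running. The script below is an added example (not code from the thread or from the pfSense Snort package): it reads 'pid etimes command' lines, keeps the newest snort process on each sniffing interface, prints only the older, orphaned PIDs, and ignores barnyard2 by matching on the executable rather than grepping the whole line. The sample process list is constructed, and the 'etimes' column of 'ps -axo pid,etimes,command' is assumed to be available on the firewall's ps.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Input: one process per line as "pid etimes command args", as produced by
# `ps -axo pid,etimes,command` (etimes = seconds since start; assumed
# supported by the firewall's ps). Per "-i <iface>" the newest snort is
# kept and every older one is printed, so orphans left behind by repeated
# rule-update restarts can be reaped without touching the live instance.
stale_snort_pids() {
  awk '
    # match on the executable name only, so barnyard2 lines are ignored
    $3 ~ /snort$/ {
      iface = "?"
      for (i = 4; i < NF; i++) if ($i == "-i") iface = $(i + 1)
      if (!(iface in newest) || $2 < age[iface]) {
        # a newer instance for this interface: the previous one is stale
        if (iface in newest) print newest[iface]
        newest[iface] = $1; age[iface] = $2
      } else {
        print $1
      }
    }'
}

# Constructed sample: three snort processes piled up on em0 after two
# restarts, one healthy snort on em1, and a barnyard2 that must be left alone.
SNORT_PS_SAMPLE='  101  54000 /usr/local/bin/snort -R 101 -D -q -l /var/log/snort -i em0 -c /usr/local/etc/snort/snort_101_em0/snort.conf
  202   3600 /usr/local/bin/snort -R 202 -D -q -l /var/log/snort -i em0 -c /usr/local/etc/snort/snort_101_em0/snort.conf
  303    120 /usr/local/bin/snort -R 303 -D -q -l /var/log/snort -i em0 -c /usr/local/etc/snort/snort_101_em0/snort.conf
  404   5000 /usr/local/bin/barnyard2 -r 404 -f snort_101_em0.u2 -c /usr/local/etc/snort/snort_101_em0/barnyard2.conf
  505    800 /usr/local/bin/snort -R 505 -D -q -l /var/log/snort -i em1 -c /usr/local/etc/snort/snort_505_em1/snort.conf'

# Runs the check against the constructed sample; prints 101 and 202.
sample_stale_pids() {
  printf '%s\n' "$SNORT_PS_SAMPLE" | stale_snort_pids
}

# Live use on the firewall: kill only the stale instances, one by one.
reap_stale_snort() {
  ps -axo pid,etimes,command | stale_snort_pids | while read -r pid; do
    kill "$pid"
  done
}
```

Run 'ps -axo pid,etimes,command | stale_snort_pids' first to review what would be reaped before calling 'reap_stale_snort'.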



  • Oh, cool!  I wasn't aware pkill would work with the process name instead, that's much easier! :)



  • Thanks for the explanation.  I too have encountered this issue.  The GREP and PKILL commands seem to work in the short term.  Is there a more automated method to accomplish this task?

    Makes me wish I had never updated snort in the first place.  Snort has become a mess over the past 30 days.  Is there any resolution to this multiple snort instance issue in sight?

