Netgate Discussion Forum
Snort package problems

pfSense Packages
feadin

OK, I installed the latest snort package with the new binaries upgraded today and now Snort works, but I've found two problems so far:

1. All the logs are duplicated. From the snort startup logs up to every alert, all duplicated both in the Alert tab and the System Logs. This only happens with snort logs; all other logs are fine.
2. The "stop" button won't stop the snort process. I was starting to freak out when my suppression lists weren't working; I checked everything like 20 times and finally went to the console, and there were like 10 snort processes running at the same time. So the "start" button works, but not the "stop" button in the Snort Interfaces tab.

Finally, thank you for the hard work on making this work, I really appreciate it.

feadin

Well, I found another problem. After a few minutes the Snort process dies. These are the log entries:

    Jun 19 20:06:19	snort[56265]: [1:2402000:2641] ET DROP Dshield Block Listed Source [Classification: Misc Attack] [Priority: 2] {TCP} 222.189.239.90:6000 -> 200.68.124.165:1433
    Jun 19 20:06:19	kernel: pid 56265 (snort), uid 0: exited on signal 11

I have 4 GB of RAM on that firewall, I'm using the AC-BNFA memory setting and binding it to only one interface.

feadin

UPDATE: Problem #2 is also affecting the rule updates. After a ruleset update snort will restart, but the old process won't die and snort processes will keep accumulating.

chowtamah

Snort 2.9.2.3 pkg v. 2.2.1

In snort's Blocked IP list page, I am not getting any alert description.

    Remove  #  IP             Alert Description
            1  74.125.236.87  N\A
            2  74.125.236.88  N\A
            3  74.125.236.95  N\A
            4  202.86.6.175   N\A

In the alerts entry tab, nothing is listed and I can't change 'Instance to Inspect'. The list auto-selects 'wan'.

Any help?

2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

Always trying to learn!!

feadin

Yes, I noticed that too (the missing description on the blocked page). I didn't report it because it's more like a missing feature than a bug. But it would be very nice to have it working anyway.

@chowtamah:

    Snort 2.9.2.3 pkg v. 2.2.1

    In snort's Blocked IP list page, I am not getting any alert description.

        Remove  #  IP             Alert Description
                1  74.125.236.87  N\A
                2  74.125.236.88  N\A
                3  74.125.236.95  N\A
                4  202.86.6.175   N\A

    In the alerts entry tab, nothing is listed and I can't change 'Instance to Inspect'. The list auto-selects 'wan'.

    Any help?

sronsen

Newly noticed problem: blocked sites are not being removed as per the setting "Remove blocked hosts every".

I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.

Cino

@sronsen:

    Newly noticed problem: blocked sites are not being removed as per the setting "Remove blocked hosts every".

    I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

    Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.

Go to your Global page. Change the time to an hour; save. Then change it back to 3 hours; save. This should create the cron job that is needed. If you have the cron package installed, you should see a job with '/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' in it. 3600 will probably be different, maybe something like 108000.

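Cino's fix works because the cron job passes the configured interval, in seconds, as the -t argument of expiretable. The script below is an added example (not code from this thread or from the pfSense snort package) that reads a crontab and checks whether the snort2c expiretable job exists and whether its -t value matches the "Remove blocked hosts every" setting in hours. The sample crontab is constructed: the expiretable command line is the one Cino quotes, while the schedule fields and the "root" user column are assumptions about how pfSense writes /etc/crontab.

```shell
#!/bin/sh
# Check that the cron job ageing out the pf table "snort2c" matches the
# "Remove blocked hosts every" setting (given in hours).
# Added example, not part of the pfSense snort package.

# Constructed sample crontab. Only the expiretable command line is taken from
# the thread; the schedule fields and the "root" column are assumptions.
SAMPLE_CRONTAB='# minute hour mday month wday who command
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c
0 * * * * root /usr/local/bin/some_other_job -t 3600 other2c'

# expected_seconds HOURS: the value the -t argument should carry.
expected_seconds() {
    echo $(( $1 * 3600 ))
}

# cron_expiretable_seconds: reads a crontab on stdin and prints the -t value of
# the expiretable job for snort2c (prints nothing if there is no such job).
cron_expiretable_seconds() {
    awk '/expiretable/ && /snort2c/ {
             for (i = 1; i <= NF; i++) if ($i == "-t") { print $(i + 1); exit }
         }'
}

# check_expiretable_cron HOURS: reads a crontab on stdin, prints one status
# line and returns 0 only when the job exists and its interval matches HOURS.
check_expiretable_cron() {
    want=$(expected_seconds "$1")
    have=$(cron_expiretable_seconds)
    case "$have" in
        '')
            echo "MISSING: no expiretable job for snort2c (re-save Global settings to recreate it)"
            return 1 ;;
        *[!0-9]*)
            echo "MALFORMED: expiretable -t argument is '$have'"
            return 1 ;;
    esac
    if [ "$have" -ne "$want" ]; then
        echo "MISMATCH: cron expires snort2c after ${have}s, a ${1}-hour setting implies ${want}s"
        return 1
    fi
    echo "OK: snort2c entries expire after ${have}s"
}

# Stand-alone demonstration on the constructed sample with a 3-hour setting.
printf '%s\n' "$SAMPLE_CRONTAB" | check_expiretable_cron 3

# On the firewall, feed it the live crontab instead:
#   check_expiretable_cron 3 < /etc/crontab
```

A MISSING result is exactly the situation sronsen hit: the pf table keeps the blocked hosts forever because nothing ever runs expiretable against it, and re-saving the Global settings is what recreates the entry.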
sronsen

@Cino:

    @sronsen:

        Newly noticed problem: blocked sites are not being removed as per the setting "Remove blocked hosts every".

        I have this set for 3 hours, but I have sites which have been blocked for more than 72 hours without being removed.

        Only one instance of Snort is running and all other functions of Snort seem to be running properly, except the manual shutdown bug which has been reported frequently by others.

    Go to your Global page. Change the time to an hour; save. Then change it back to 3 hours; save. This should create the cron job that is needed. If you have the cron package installed, you should see a job with '/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' in it. 3600 will probably be different, maybe something like 108000.

Thanks. Made and saved the change and the cron job is there as you describe.

SectorNine50

Anyone else getting massive SWAP file usage after the recent Snort package update?

EDIT:
Just restarted Snort after a rule update and it seems to have toned down. I guess I'll keep an eye on that.

SectorNine50

Now that some time has passed, I checked it again.

Before the recent update of Snort, it used most of my 2GB of RAM in the unit, but no SWAP. Now it's using most of the 2GB of RAM and 45% of the SWAP.

What changed?

th3r3isnospoon

@SectorNine50:

    Now that some time has passed, I checked it again.

    Before the recent update of Snort, it used most of my 2GB of RAM in the unit, but no SWAP. Now it's using most of the 2GB of RAM and 45% of the SWAP.

    What changed?

I am having the same issue with overall memory and CPU usage. I am using 2.0.1-RELEASE (amd64) with Snort 2.9.2.3 pkg v. 2.2.1.

My memory usage usually hovers around 10%; I just had to reboot as it was using 54% of my memory after 5 days. I noticed a slowdown, even with 8 GB of RAM.

Is there a memory leak somewhere?

-th3r3isnospoon

feadin

That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

SectorNine50

@Feadin:

    That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

That makes some sense, thank you!

Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
- SSH to your firewall
- Open up the shell
- Type 'top'
- Find the PID of the Snort processes you want to kill
- Press 'k' and type the PID
- Repeat the previous step for each PID.

For me it took quite some time for snort to fully unload. However, I was able to watch the memory usage steadily decline until it finally closed out.

Cino

@SectorNine50:

    @Feadin:

        That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

    That makes some sense, thank you!

    Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
    - SSH to your firewall
    - Open up the shell
    - Type 'top'
    - Find the PID of the Snort processes you want to kill
    - Press 'k' and type the PID
    - Repeat the previous step for each PID.

    For me it took quite some time for snort to fully unload. However, I was able to watch the memory usage steadily decline until it finally closed out.

This works for me: 'ps -aux | grep snort' will show all your processes with snort in them, including barnyard2. Then it's kill PID #.

A really quick way: 'killall snort'  :-)

feadin

I'm using

    pgrep snort

to check how many snort processes are open, and

    pkill snort

to kill them in case there's more than one. All from the "Diagnostics: Execute command" page, and it works too.

@Cino:

    @SectorNine50:

        @Feadin:

            That's probably because snort processes keep accumulating, as the command to stop the snort service is broken on the latest stable package. You may want to disable automatic updates and set a large log file size until this is fixed, to avoid automatic restarts.

        That makes some sense, thank you!

        Just for those that don't want to reboot their pfSense box in order to reclaim the memory space:
        - SSH to your firewall
        - Open up the shell
        - Type 'top'
        - Find the PID of the Snort processes you want to kill
        - Press 'k' and type the PID
        - Repeat the previous step for each PID.

        For me it took quite some time for snort to fully unload. However, I was able to watch the memory usage steadily decline until it finally closed out.

    This works for me: 'ps -aux | grep snort' will show all your processes with snort in them, including barnyard2. Then it's kill PID #.

    A really quick way: 'killall snort'  :-)

SectorNine50

Oh, cool! I wasn't aware pkill would work with the process name instead, that's much easier! :)

miles267

Thanks for the explanation. I too have encountered this issue. The grep and pkill commands seem to work in the short term. Is there a more automated method to accomplish this task?

Makes me wish I had never updated snort in the first place. Snort has become a mess over the past 30 days. Is there any resolution to this multiple snort instance issue in sight?

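SectorNine50's top-based procedure, Cino's 'ps -aux | grep snort' and 'killall snort', and feadin's pgrep/pkill all remove every snort process and rely on the GUI (or the next rule update) to start a fresh one. The script below is an added example, not code from this thread or from the pfSense snort package, written as one answer to miles267's question about automating the check: it parses ps output, groups snort processes by the interface given with -i, and reports (or terminates) the extras while keeping one instance per interface. The sample ps listing is constructed and simplified, and the rule that the highest PID is the most recently started instance is an assumption.

```shell
#!/bin/sh
# Find interfaces with more than one snort process and (optionally) terminate
# the extras, keeping the most recently started one.
# Added example, not part of the pfSense snort package.

# Constructed sample of `ps -axo pid,command` output. The snort command lines
# are simplified; only the binary name and the "-i <interface>" argument matter.
SAMPLE_PS='12001 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
12010 /usr/local/bin/barnyard2 -D -c /usr/local/etc/snort/barnyard2.conf -i em0
12200 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
13010 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
13300 grep snort'

# find_duplicate_snort: reads "PID COMMAND ..." lines on stdin and prints one
# line per interface that has more than one snort process:
#   <interface> <count> <pids to terminate>
# Assumption: the highest PID is the newest instance (the one the package
# started last), so it is kept. barnyard2 and the grep line are ignored
# because only a command whose binary is named "snort" matches.
find_duplicate_snort() {
    awk '$2 ~ /(^|\/)snort$/ {
            iface = "unknown"
            for (i = 3; i <= NF; i++) if ($i == "-i" && i < NF) iface = $(i + 1)
            n[iface]++
            if ($1 + 0 > newest[iface] + 0) {
                if (newest[iface] != "") extra[iface] = extra[iface] " " newest[iface]
                newest[iface] = $1
            } else {
                extra[iface] = extra[iface] " " $1
            }
        }
        END { for (k in n) if (n[k] > 1) printf "%s %d%s\n", k, n[k], extra[k] }' | sort
}

# count_snort: number of snort processes in the ps listing on stdin
# (the same number "pgrep snort | wc -l" would give on the firewall).
count_snort() {
    awk '$2 ~ /(^|\/)snort$/ { c++ } END { print c + 0 }'
}

# terminate_duplicates: live check on the firewall. Sends SIGTERM rather than
# SIGKILL so snort can flush its logs and unload cleanly, which can take a while.
terminate_duplicates() {
    ps -axo pid,command | find_duplicate_snort | while read -r iface count pids; do
        echo "$iface: $count snort processes, terminating $pids"
        # word splitting of $pids into several PIDs is intended
        kill -TERM $pids
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_duplicate_snort        # em0 2 12001
printf '%s\n' "$SAMPLE_PS" | count_snort                 # 3

# On the firewall: report only, or terminate the extras.
#   ps -axo pid,command | find_duplicate_snort
#   terminate_duplicates
```

Run as a periodic check it only prints when an interface has accumulated instances, so an empty output is the healthy case; if the accumulation is caused by the broken stop command, the one instance it keeps is the one the Snort Interfaces tab believes is running.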
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.