Quick Snort Setup Instructions for New Users
-
@Hollander:
Also, why does my Block column say DISABLED when though Snort is enabled?
Did you tell Snort to block offenders? (Interface -> block offenders).
Now it says blocked, thank you.
You're most welcome ;D
-
I just wanted to thank you for this guide. I just set up a PFSense install on an old Dell PowerEdge2850 server. This helped me more than I can say. The old network admins left no documentation behind, so when I had to rebuild PFS from scratch, I was a little out of my depth. This certainly made setting up snort more than a little easier. Especially since I really didn't even know where to start. Thanks a million.
-
If anyone winds up without any blocked items over time in their Blocked tab despite loads of alerts, check your "Status: System logs: General" tab and look for any services reporting FILTER reloads or reconfigurations. Since filter reloads cause the block table to clear, misconfigured or broken services can cause the Blocked tab to appear consistently empty.
Rob…
-
Good day !
I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
Thank you in advance. -
Good day !
I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
Thank you in advance.Not currently, but another user requested something similar. I have that sort of feature on my TODO list. I was thinking along the lines of being able to create "templates" with rules, preprocessors, variables, and some other parameters all configurable. You could save and name the templates, then apply one to any interface on demand. Would that work for you?
Bill
-
I have the community rules box checked, but when I go to the tab to update, the button is greyed out. Am I doing something wrong? If I select the emerging threat box, I am able to click the update button, but with just community rules checked, I am not.
-
Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?
-
Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?
The auto-generated list will have the name of the interface followed by a random number (UUID).
Bill
-
I don't want to discount Bill's efforts on this thread. It is absolutely the best place to start.
That said, I've recently introduced pfSense and the Snort package to a few friends who are long time, big time, professional security hawks looking for a solution at home a bit more elegant than running generations old (but affordable) dedicated firewall hardware. I believe the best "find" I have come across and directed my friends to is the "fine tuning" post started by user "jflsakfja" as this thread:
https://forum.pfsense.org/index.php/topic,64674.0.html
This user requested the ability some time ago at the start of that thread to be able to edit his post in this sticky rather than having to continuously add to an existing thread. I, for one, would like this be reconsidered by the mods as the above thread is slowly being buried as time passes. I can only surmise the lack of updates as anticipated by "jflsakfja" could be because of a lack of response (evidenced by lack of edits here as of this date) to that request. Or perhaps because I've pushed him/her for more information…? If not at least maybe this post can serve as a jump point for folks looking for or could benefit from that information.
I'd like to see his/her updates continue as the schema introduced by this user may not be the absolute best way of setting up Snort and pfBlocker but its the best I've come across and certainly has made my system more efficient and less troublesome. Judging by recent posts in the Packages area, it seems many others could benefit from this schema as well.... if they knew about it.
Respectfully submitted,
Rick -
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.
-
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.
The new 2.9.6.0 version of Snort offers increased packet/file capture abilities according to the post on the Snort.org web site. I am working now on readying that version for the next Snort package update. I will investigate what is offered in the new binary and see what I can reasonably incorporate into the GUI.
I had a similar request from some folks in the new Suricata BETA package thread where the wish was a clickable link from the alert on the ALERTS tab to a view of the packets that triggered the alert. I am mulling over in my head the best way to accomplish that without bogging down the firewall CPU searching through hundreds of megabytes of packet capture files. In general its better to offload such tasks to an external system.
Bill
-
@jflsakfja:
The Missing Part to Quick Snort Setup Instructions for New Users
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)Hello,
does this mean I have to enable ALL when it's written all? Jesus, that would take ages as you can only enable one at a time … Especially GPLv2 has like 85% disabled by default ... Holy, I have 3x WAN, I'd never find the time for that.
I don't really understand enabled/disabled here. For your example with "2000419" (which occurs right after I started snort with default settings) the rule is faded/greyed out - means it is disabled by default, right? So why does it generate an alert?
Edit: Whoa I couldn't use that whole package for 3x WAN, it uses 42% of 2027 MB for 1 WAN already o.O
-
@jflsakfja:
The Missing Part to Quick Snort Setup Instructions for New Users
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)Hello,
does this mean I have to enable ALL when it's written all? Jesus, that would take ages as you can only enable one at a time … Especially GPLv2 has like 85% disabled by default ... Holy, I have 3x WAN, I'd never find the time for that.
I don't really understand enabled/disabled here. For your example with "2000419" (which occurs right after I started snort with default settings) the rule is faded/greyed out - means it is disabled by default, right? So why does it generate an alert?
Edit: Whoa I couldn't use that whole package for 3x WAN, it uses 42% of 2027 MB for 1 WAN already o.O
There is an "Enable All Rules in the Current Category" button on the RULES tab for a Snort interface. So select the GPLv2 Community Rules in the drop-down, then click the "Enable All Rules in the Current Category" button (it is a plus "+" icon).
The answer to your second question about a "disabled rule" apparently causing an alert is as follows. Many Snort rules either fire, or look for previously fired, internal triggers called flowbits. Google the terms "snort flowbits" to find some web sites with more detailed explanations. In order for some rules to fire an alert, they need to see flowbits set by some other rules. The Auto-Flowbits feature of Snort will walk through all of your enabled rules looking any flowbit dependencies. If it finds a needed flowbit is only set by a currently disabled rule, then it will auto-enable that rule (unless you have explicitly manually disabled it). So the short answer is the alert is coming from a rule that the auto-flowbits process toggled from "default disabled" to "default enabled" behind the scenes. If you really do not want an alert for that rule, simply add it's GID:SID to the Suppression List.
Bill
-
Hi Bill,
You said in a couple of your posts that to work around NAT and knowing the origin of an internal threat you'd also enable snort on the LAN interface.
You suggested leaving snort also looking at the WAN interface but with a lot less rules than the LAN and handling everything else on the LAN (I'm assuming you also mean setting both WAN and LAN snort configurations to look at both source and destination).
I can understand the logic of moving it to the LAN since otherwise in a NAT environment you can't see which client is generating threat alerts, but what is the reason behind leaving some of the rules on the WAN and not moving everything to the LAN?
Also another question: my pfSense setup consists of 3 LANs, if I were to setup snort with the vast majority/all the rules on the LAN, would I need to have one setup for each interface? Which in turn would mean 3x as much RAM usage, and manually setting each of the interfaces manually? Is there one way to apply the same config to all LANs through without the increase in memory?
EDIT
Forgot to say my pfSense is a VM running on ESXi 5.5 Update 1, so is this something I can change by configuring promiscuous mode on the VM network?
Thank you.
-
Hi Bill,
You said in a couple of your posts that to work around NAT and knowing the origin of an internal threat you'd also enable snort on the LAN interface.
You suggested leaving snort also looking at the WAN interface but with a lot less rules than the LAN and handling everything else on the LAN (I'm assuming you also mean setting both WAN and LAN snort configurations to look at both source and destination).
I can understand the logic of moving it to the LAN since otherwise in a NAT environment you can't see which client is generating threat alerts, but what is the reason behind leaving some of the rules on the WAN and not moving everything to the LAN?
Also another question: my pfSense setup consists of 3 LANs, if I were to setup snort with the vast majority/all the rules on the LAN, would I need to have one setup for each interface? Which in turn would mean 3x as much RAM usage, and manually setting each of the interfaces manually? Is there one way to apply the same config to all LANs through without the increase in memory?
EDIT
Forgot to say my pfSense is a VM running on ESXi 5.5 Update 1, so is this something I can change by configuring promiscuous mode on the VM network?
Thank you.
It is true there is no necessary technical advantage running Snort with split rules (some on WAN and most on LAN, for example). It is more of a preference thing. Depends primarily on the network design you have and what you want to protect in what ways.
As for a VMware environment with multiple LANs, I don't know of a way short of running Snort on each LAN interface. I have not, though, played with promiscuous mode in VMware. I don't know if that would be a solution or not.
Bill
-
Well I'm torn between the two setups in my case.
If I set it up on the WAN, I only need to set it up once and it will work for all interfaces. However I lose the ability to see which client generated the alert or, in my case, which LAN it came from which makes it even harder. Also I lose the ability to have different per LAN settings
If I set it up on the LAN I can solve all of the problems listed above, but I will have to configure it separately on each of the LANs and it will be a RAM hungry beast.
I was looking at the different performance methods and based on the description decided to try AC-SPLIT. For a VMware environment, would this be preferable to AC-BNFA when trying to optimise for performance while attempting to keep the memory down?
-
Well I'm torn between the two setups in my case.
If I set it up on the WAN, I only need to set it up once and it will work for all interfaces. However I lose the ability to see which client generated the alert or, in my case, which LAN it came from which makes it even harder. Also I lose the ability to have different per LAN settings
If I set it up on the LAN I can solve all of the problems listed above, but I will have to configure it separately on each of the LANs and it will be a RAM hungry beast.
I was looking at the different performance methods and based on the description decided to try AC-SPLIT. For a VMware environment, would this be preferable to AC-BNFA when trying to optimise for performance while attempting to keep the memory down?
Everything I've ever seen posted from the Snort VRT guys seems to point to AC-BNFA being the best choice 99% of the time. It you are trying to keep decent performance but optimize RAM usage, I would stick with AC-BNFA.
Depending on how many rules you choose, Snort can run in 2GB of RAM. Most folks find it works better with 4GB, though, with the more typical choice of enabled rules.
Bill
-
I read somewhere that AC-BNFA-NQ should provide better performance than AC-BNFA and it also appears to be the default in Snort now, as mentioned here: http://manual.snort.org/node16.html
Currently I have Snort running on a single interface as AC-BNFA-NQ with:
- Snort VRT free Registered User
- Snort Community Ruleset
- ETOpen
with 90% of all rules enabled, on a box with 2GB of RAM and the RAM usage never goes above 35% (it is also running pfBlocker, OpenVPN client + server, Squid + LightSquid, HAVP)…
Are you saying AC-BNFA would be better even?
-
I read somewhere that AC-BNFA-NQ should provide better performance than AC-BNFA and it also appears to be the default in Snort now, as mentioned here: http://manual.snort.org/node16.html
Currently I have Snort running on a single interface as AC-BNFA-NQ with:
- Snort VRT free Registered User
- Snort Community Ruleset
- ETOpen
with 90% of all rules enabled, on a box with 2GB of RAM and the RAM usage never goes above 35% (it is also running pfBlocker, OpenVPN client + server, Squid + LightSquid, HAVP)…
Are you saying AC-BNFA would be better even?
No, it is no better in terms of memory consumption. The NQ means "not queued" if I am recalling correctly, and has some relation to overall performance. The NQ settings are popular now.
Bill
-
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.
The new 2.9.6.0 version of Snort offers increased packet/file capture abilities according to the post on the Snort.org web site. I am working now on readying that version for the next Snort package update. I will investigate what is offered in the new binary and see what I can reasonably incorporate into the GUI.
I had a similar request from some folks in the new Suricata BETA package thread where the wish was a clickable link from the alert on the ALERTS tab to a view of the packets that triggered the alert. I am mulling over in my head the best way to accomplish that without bogging down the firewall CPU searching through hundreds of megabytes of packet capture files. In general its better to offload such tasks to an external system.
Bill
I really hope you'll be able to incorporate full packet capture offloaded to an external system. That would be ideal. I see your reservations and challenges about doing it all on the fw box. Although I believe any of us wanting to do full packet capture are already using barnyard2 sending to an external system. Thanks for all your hard work - I really appreciate it, as I'm sure others do as well :)
-
I am having an issue trying to install snort on my new box. The PBI seems to be missing. Here is what I am seeing…
Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ... could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!I peeked in https://files.pfsense.org/packages/amd64/8/All/ and didn't see the package, just older installs. Was there a reason 2.9.6.0 was pulled?
-
I am having an issue trying to install snort on my new box.
And you are having issues with the search box on the forum as well?
-
I am having an issue trying to install snort on my new box.
And you are having issues with the search box on the forum as well?
Search was used many times and all I came across was that it is available on the servers via IPv6 and not IPv4. If you knew a quick fix, you could have posted it thus having a thread to show in search when others like myself run in to this. It's my understanding that is how the search feature works…
-
Sigh, how about you stop flooding this thread with completely off-topic junk.
-
Someone found a workaround for it in this thread at the end. https://forum.pfsense.org/index.php?topic=74486.15
-
Noob issue with creating Alias/Whitelist….
I am having an issue creating a Passlist (whitelist). I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e) with a set of check boxes, and an Alias box at the bottom.
To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box: But I get an error message when adding a file name, whether it as created in the "Ip List" or not: The following input errors were detected: A valid alias must be provided
I follow the Alias button, and there is no (+) Add button. I tried different syntax in the file name, adding a "IP List" but have not been able to create or add. I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.
What simple idiot step am I missing? Thanks.
-
Noob issue with creating Alias/Whitelist….
I am having an issue creating a Passlist (whitelist). I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e) with a set of check boxes, and an Alias box at the bottom.
To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box: But I get an error message when adding a file name, whether it as created in the "Ip List" or not: The following input errors were detected: A valid alias must be provided
I follow the Alias button, and there is no (+) Add button. I tried different syntax in the file name, adding a "IP List" but have not been able to create or add. I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.
What simple idiot step am I missing? Thanks.
Firewall/aliasses. Create one first.
It is good to see more noobs on this board; for over a year I've been feeling so lonely ;D
-
RE Selecting Rule Sets:
Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked.
Do I just ignore the "Rulesets Snort will load at Startup" below this? So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?
Thanks for the noob clarification.
-
@Hollander:
Firewall/aliasses. Create one first.
It is good to see more noobs on this board; for over a year I've been feeling so lonely ;D
I will probably make your week.
-
RE Selecting Rule Sets:
Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked.
Do I just ignore the "Rulesets Snort will load at Startup" below this? So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?
Thanks for the noob clarification.
When you select an IPS Policy, that will load a preset collection of Snort VRT rules. The VRT rule authors decide which particular rules are associated with a given IPS Policy. But this only applies to Snort VRT rules. Emerging Threats is a completely separate and unrelated set of rules. So when you use an IPS Policy, individual selections for Snort VRT rule categories are disabled, but you are free to select ET rules categories (if you have Emerging Threats rules enabled for download under GLOBAL SETTINGS) that will be added to your automatic Snort VRT collection coming from the chosen policy. So when using a policy, the checkboxes further down below are optional and will add more rules to those that are part of the policy.
Bill
-
Noob issue with creating Alias/Whitelist….
I am having an issue creating a Passlist (whitelist). I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e) with a set of check boxes, and an Alias box at the bottom.
To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box: But I get an error message when adding a file name, whether it as created in the "Ip List" or not: The following input errors were detected: A valid alias must be provided
I follow the Alias button, and there is no (+) Add button. I tried different syntax in the file name, adding a "IP List" but have not been able to create or add. I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.
What simple idiot step am I missing? Thanks.
Aliases are used throughout pfSense and are really cool. They allow you to use a "name" for one or more IP addresses (hosts, networks, etc.). Anywhere you use the "name", then at runtime pfSense will go grab the underlying associated IP addresses and use them in the firewall rules. This way, if later on you need to edit an IP address or add or delete one, you just edit the Alias. Then the change is instantly applied to all the firewall rules (or in the case of PASS LISTS in Snort), the Snort pass list. That keeps you from having to manually search out all the places where that IP was used and then hand editing it in every instance.
You create Aliases under Firewall…Aliases as another user posted. Once created, you can then access the list of Aliases from several places in Snort where Aliases are allowed by clicking the VIEW button beside the fields. Anytime you see a textbox entry field with a red background, that means it will only accept an already-created Alias name as a valid parameter.
-
I have three questions about Snort.
- Auto-Flowbit Rules. There is a warning on the Auto-Flowbit Rules page “WARNING: You should not disable flowbit rules! Add Suppress List entries for them instead by clicking here.”
Do I understand correctly that this warning exists because disabling any of these rules may make other, enabled, rules not function?
A small comment: since a rule can be disabled right from the Alerts page, a user may never see the warning and disable an Auto-Flowbit Rule.
Is there some kind of rule of thumb, which rules are safe to disable and which must remain enabled and may only be suppressed?- Pass Lists. The Pass Lists page contains the following information, “The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks. Be careful, it is very easy to get locked out of your system by altering the default settings.”
By default there is no Pass List, so the default pass list must be hidden or something. Now, when I create a custom pass list, I realize that I need to add WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks, to it by leaving the corresponding checkboxes on in the “Add auto-generated IP Addresses” section checked.
Now, what happens when something in this auto-generated section changes? For example, if I changed a DNS server address, will the pass-list automatically reference the new DNS address, or do I need to go to the pass list and re-save it?
- Memory usage. If I have plenty of memory on the system, will Snort be automatically allocated as much as it needs, or is there a setting somewhere to give Snort more memory for better performance? I already selected the “AC” search method, I am just wondering if I also need to dedicate the memory to Snort somehow, or it will grab the free memory automatically.
Thank you!
-
@G.D.:
I have three questions about Snort.
- Auto-Flowbit Rules. There is a warning on the Auto-Flowbit Rules page “WARNING: You should not disable flowbit rules! Add Suppress List entries for them instead by clicking here.”
Do I understand correctly that this warning exists because disabling any of these rules may make other, enabled, rules not function?
A small comment: since a rule can be disabled right from the Alerts page, a user may never see the warning and disable an Auto-Flowbit Rule.
Is there some kind of rule of thumb, which rules are safe to disable and which must remain enabled and may only be suppressed?First, auto-flowbit rules are those that set flowbits required by other rules that check those flowbits. So if you have enabled a rule that only triggers when some particular flowbit is set, but you neglected to enable the rule that sets that flowbit, then your enabled rule would never fire. The auto-flowbit logic takes care of this for you behind the scenes by looking at all your rules and finding each one that examines a flowbit. It then looks to make sure that at least one enabled rule exists that sets that flowbit. If not, it will enable all rules that set that flowbit for you.
So this is why you should suppress, rather than disable, flowbit rules that generate false positives. The Snort VRT folks are really good about including the "noalert" option with nearly all of their flowbit "set" rules so they don't generate alerts but do set the flowbit.
Finally, yeah it is possible to inadvertently disable a flowbit rule on the ALERTS tab if you don't pay attention.
@G.D.:
- Pass Lists. The Pass Lists page contains the following information, “The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks. Be careful, it is very easy to get locked out of your system by altering the default settings.”
By default there is no Pass List, so the default pass list must be hidden or something. Now, when I create a custom pass list, I realize that I need to add WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks, to it by leaving the corresponding checkboxes on in the “Add auto-generated IP Addresses” section checked.
Now, what happens when something in this auto-generated section changes? For example, if I changed a DNS server address, will the pass-list automatically reference the new DNS address, or do I need to go to the pass list and re-save it?
The default Pass List does indeed contain those items that are default "checked" on the PASS LISTS tab. If any of those change, Snort will pick it up with the following important caveat – Snort reads these values only on a restart. So if something changes and Snort is not restarted, it will not see the changed item. pfSense is pretty good about restarting packages when important things happen (like DHCP giving a new WAN IP address, for example).
@G.D.:
- Memory usage. If I have plenty of memory on the system, will Snort be automatically allocated as much as it needs, or is there a setting somewhere to give Snort more memory for better performance? I already selected the “AC” search method, I am just wondering if I also need to dedicate the memory to Snort somehow, or it will grab the free memory automatically.
Thank you!
The answer here is "yes", Snort will take what it needs up to the max defined for parameters that have max memcap settings (these are on the PREPROCESSORS tab mostly). This is also why Snort can bring a box without a lot of RAM to its knees quickly in a high traffic situation.
Bill
-
Quick question, I have snort setup and running, but I find if I restart or shutdown or restart snort, the interface does not start automatically.
But if I click on it, it will start and operate.
Is this normal or did I miss some setting .
Thanks in advance
David
-
Depending on RAM and the amount of Rules enabled, Snort can take some time to Stop and Start.
When you Re-Start Snort from the Services Menu, it will restart all of the Enabled Interfaces Automatically. You dont need to click the start Interface again.
If you make configuration changes to a Snort Interface, Click the Green Enabled Interface and it can take some time to shutdown. You can refresh the page or click the snort interfaces tab until it stops. Then click it once again to re-enable.
From an SSH shell, you can run the following command to see if you have any duplicate PIDS for Snort. There should only be one PID per Enabled Interface. or from the Diagnostics:Command Prompt.
pgrep snort
If there are duplicate PIDS, you could run pkill snort and then Restart the Snort Services.
-
A couple more general questions about the Snort package:
-
I verified that a rule is not on the Auto-Flowbit list. I then clicked on the red “x” to disable it, and restarted the PFSense. The rule is now showing up with a yellow “x” (Rule forced to a disabled state). But Snort still triggers and blocks on this rule. What am I doing wrong?
-
Upon pfSense reboot the list of blocked hosts is erased. Is this correct behavior or is something broken in my install? If this is correct, is there an option somewhere to make the blocked hosts list survive reboot?
Thank you.
-
-
@G.D.:
- I verified that a rule is not on the Auto-Flowbit list. I then clicked on the red “x” to disable it, and restarted the PFSense. The rule is now showing up with a yellow “x” (Rule forced to a disabled state). But Snort still triggers and blocks on this rule. What am I doing wrong?
Is the alert in the "Alerts" Tab or the "Blocked" Tab? If its only in the Blocked Tab, it could be from a different rule?
Which Rule, can you provide any more details?
- Upon pfSense reboot the list of blocked hosts is erased. Is this correct behavior or is something broken in my install? If this is correct, is there an option somewhere to make the blocked hosts list survive reboot?
In the "Global Settings" tab there are options to configure the Block table. I don't recall this being an issue from my boxes that I use. I only have "Keep Snort Settings After Deinstall" setting enabled in that section. I also set the remove Blocks to "Never"
Are you running pfSense on an embedded machine or Full Blown Hardware?
-
The rule is “1:2017015 ET POLICY DropBox User Content Access over SSL.” It shows up both on the Blocked tab, and on the Alerts tab with a yellow “x” next to it.
I am running the symmetric multiprocessing kernel on full-blown hardware.
Thank you.
Update: I noticed I could not trigger the rule anymore after a while. Now I re-enabled the rule, and restarted Snort, but even though the interfaces went green, I still cannot trigger the rule.
Is just that something rebuilds on the background and the enabled/disabled rules start functioning or not functioning after a while, even after interfaces show running?
-
@G.D.:
The rule is “1:2017015 ET POLICY DropBox User Content Access over SSL.” It shows up both on the Blocked tab, and on the Alerts tab with a yellow “x” next to it.
I am running the symmetric multiprocessing kernel on full-blown hardware.
Thank you.
Update: I noticed I could not trigger the rule anymore after a while. Now I re-enabled the rule, and restarted Snort, but even though the interfaces went green, I still cannot trigger the rule.
Is just that something rebuilds on the background and the enabled/disabled rules start functioning or not functioning after a while, even after interfaces show running?
Enabling or disabling rules should only take a few seconds (well, maybe as long as minute or so if you have a lot of rules, a lower horsepower CPU and not much RAM). When you click the icon on the ALERTS tab to disable a rule, the Snort process is sent a "reload configuration" command. This is a kind of warm restart where Snort reads all the rules again and updates its in-memory copy.
Bill
-
If you see this behaviour again, run a shell cmd
[ pgrep snort ]
and ensure that you only have pids for the number of enabled snort interfaces.