Snort keeps stopping



  • Hey all,

    If this is a known topic sorry for missing it, I did a search but not really sure what I am looking for…

    I have a Soekris 5501 running the latest 2.0.3 PFsense and Snort installed.

    When I go into the WAN setup and in the Snort Interface, WAN instance I setup then try to enable rules (usually all or even specific) it shuts down my snort engine with a terminate signal.

    Not sure what that means, I am not seeing excessive memory usage or CPU being maxed.

    Is this configuration just not able to handle any rules?

    Sorry again for what is probably going to turn out to be a newbie question but I am still trying to figure out SNORT in PFsense.


  • Banned

    Logs?



  • Not seeing anything specific:
    Apr 26 01:33:38 php: /snort/snort_rulesets.php: Building new sig-msg.map file for WAN…
    Apr 26 01:32:48 php: /snort/snort_rulesets.php: Resolving and auto-enabling any flowbit-required rules for WAN...
    Apr 26 01:23:08 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:19:50 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:18:36 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:14:57 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:13:51 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:13:34 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:11:32 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 01:08:39 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 00:58:31 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 00:51:16 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 00:48:32 php: /snort/snort_rulesets.php: Updating rules configuration for: WAN …
    Apr 26 00:48:30 check_reload_status: Syncing firewall
    Apr 26 00:48:18 check_reload_status: Syncing firewall
    Apr 26 00:47:09 php: /snort/snort_rulesets.php: Building new sig-msg.map file for WAN...
    Apr 26 00:46:20 php: /snort/snort_rulesets.php: Resolving and auto-enabling any flowbit-required rules for WAN...



  • @Honeybadger:

    Not seeing anything specific:
    Apr 26 01:33:38 php: /snort/snort_rulesets.php: Building new sig-msg.map file for WAN…
    Apr 26 01:32:48 php: /snort/snort_rulesets.php: Resolving and auto-enabling any flowbit-required rules for WAN...

    Apr 26 00:58:31 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 00:51:16 dnsmasq[44062]: read /etc/hosts - 16 addresses
    Apr 26 00:48:32 php: /snort/snort_rulesets.php: Updating rules configuration for: WAN …
    Apr 26 00:48:30 check_reload_status: Syncing firewall
    Apr 26 00:48:18 check_reload_status: Syncing firewall
    Apr 26 00:47:09 php: /snort/snort_rulesets.php: Building new sig-msg.map file for WAN...

    Apr 26 00:46:20 php: /snort/snort_rulesets.php: Resolving and auto-enabling any flowbit-required rules for WAN...

    The entire log sequence does not appear to be shown.  There should be a line saying something like "…SnortStartup START...".  It will have some other stuff printed out as well.

    Post back which specific rule types you are using (Snort VRT, Emerging Threats, Snort GPLv2 or combination thereof).

    Try things really simple for a test.  Enable no rules.  You should get a warning icon on the Snort Interfaces screen, but ignore it and start Snort anyway.  Make sure it starts properly (the little icon under the Snort column will change to a red X).  If that works, then start slowly adding a few rules to see how things progress.  Hopefully that will give us some clues.

    Snort wants a bare minimum of 1 GB of available RAM to run well with a decent rule set.  I run mine with 4G of RAM.

    Bill



  • Thanks,

    After your reply it was very apparent my poor Soekris is woefully underpowered.

    I am pruning the rules for a home network.

    What rules do you guys recommend for just a home network?

    I am thinking DNS (for Phishing), emerging threats and exploits.

    Any thoughts?

    Thanks!


  • Banned

    I had to up my RAM to 4GB to not have it stopping after rules update because it was out of swap space.

    I run a lot of rules…
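    Bill's advice above (look for the Snort start line in the system log, start with no rules, and have at least 1 GB of RAM) and the note just above about Snort stopping after a rules update because the box ran out of swap point at the same two checks. The script below is an added example, not code from this thread or from the pfSense Snort package: it pulls the Snort lifecycle lines out of a log excerpt, counts kernel "out of swap" kills of the snort process, and compares detected RAM against the 1024 MB floor Bill gives. The log excerpt inside it is constructed for the demo, and the wording of the `SnortStartup ... START` line is an assumption based on Bill's description.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense/Snort project).
# Triage a pfSense system log excerpt for Snort start/terminate events and
# check whether the box meets the 1 GB RAM floor suggested in the thread.

# CONSTRUCTED sample log. The snort_rulesets.php lines mirror the thread; the
# SnortStartup line is an ASSUMED format; the last two lines are the FreeBSD
# kernel's out-of-swap messages, which is what kills Snort on a starved box.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 26 00:46:20 php: /snort/snort_rulesets.php: Resolving and auto-enabling any flowbit-required rules for WAN...
Apr 26 00:47:09 php: /snort/snort_rulesets.php: Building new sig-msg.map file for WAN...
Apr 26 00:48:32 php: /snort/snort_rulesets.php: Updating rules configuration for: WAN ...
Apr 26 00:48:40 SnortStartup[1234]: Snort START for WAN(12345_em0)
Apr 26 00:49:02 kernel: swap_pager_getswapspace(4): failed
Apr 26 00:49:03 kernel: pid 1234 (snort), uid 0, was killed: out of swap space
EOF

# Lines that mark a Snort lifecycle event: rule rebuilds, the startup script,
# and the kernel killing the snort process.
EVENT_RE='SnortStartup|\(snort\)|snort_rulesets'

# Print the Snort lifecycle lines of a log file, in log order.
snort_events() {
    grep -E "$EVENT_RE" "$1"
}

# Number of Snort lifecycle lines in a log file.
event_count() {
    grep -cE "$EVENT_RE" "$1"
}

# How many times the kernel killed snort for lack of swap space.
swap_kills() {
    grep -c '(snort).*out of swap space' "$1"
}

# Physical RAM in MB: FreeBSD (pfSense) via sysctl, Linux via /proc/meminfo.
physmem_mb() {
    if command -v sysctl >/dev/null 2>&1 && sysctl -n hw.physmem >/dev/null 2>&1; then
        echo $(( $(sysctl -n hw.physmem) / 1048576 ))
    elif [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
    else
        echo 0
    fi
}

# Returns 0 when the given RAM size (MB) meets the 1 GB floor from the thread.
ram_sufficient() {
    [ "$1" -ge 1024 ]
}

echo "== Snort lifecycle events =="
snort_events "$SAMPLE_LOG"
echo "== kernel out-of-swap kills of snort: $(swap_kills "$SAMPLE_LOG")"
if ram_sufficient "$(physmem_mb)"; then
    echo "RAM: $(physmem_mb) MB, at or above the 1 GB floor"
else
    echo "RAM: $(physmem_mb) MB, below 1 GB: expect rule sets to push Snort into swap; prune rules"
fi
```

    To run it against a real box, replace the constructed excerpt with a dump of the system log (on pfSense 2.0.x the log is a circular clog file, so dump it with `clog /var/log/system.log` first). A non-zero swap-kill count next to a "START" line that is never followed by a clean shutdown is the signature of the failure described in this thread, and the fix is the one Bill gave: fewer rules or more RAM.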



  • Ya, I understand that.

    Can't add RAM so I am pruning rules.



  • @Honeybadger:

    Ya, I understand that.

    Can't add RAM so I am pruning rules.

    If you are using the Snort VRT rules with an Oinkcode, then try enabling just the IPS Policy - Connect in the drop down on the Rules tab.  That is a good basic set of rules.  Do not add any others (that is, leave all the Emerging Threats and the Snort GPLv2 rules unchecked).  See if Snort will start then.

    Bill

