    Snort doesn't generate alerts on 2 interfaces

    pfSense Packages

    NelsonLopes:

      2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:50 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      Snort 2.9.4.6 pkg v. 2.6.0

      I have Snort running on 4 WAN interfaces on pfSense, 2 static (WAN1 & WAN2) and 2 PPPoE (WAN3 & WAN4). All of them have the same rules, although only the 2 PPPoE interfaces generate alerts. Not sure if it matters, but WAN1 and WAN2 are on the same NIC. We didn't use this config on 2.0.3, so I can't say it was working before.

      Also, we have load balancing working, so we do have traffic on all interfaces…

      What am I missing here?

      Supermule:

        Is traffic flowing through all interfaces?

        NelsonLopes:

          @Supermule:

          Is traffic flowing through all interfaces?

          Yes, it is. I'm checking all traffic graphs on all interfaces (on Dashboard).

          Supermule:

            Can you post traffic graphs and RRD graphs?

            NelsonLopes:

              I'll try; it says Restrictions: 15 per post, maximum total size 300KB, maximum individual size 250KB, though…

              As you can see, there's more traffic on WAN1 & WAN2, where there are no alerts, than on WAN3 & WAN4.

              [Attachments: WAN1, WAN2, WAN3 and WAN4 traffic graphs, 1 month / 1 hour average]

              Supermule:

                Post a picture of the Snort interfaces…

                NelsonLopes:

                  Here you go:

                  [Attachment: Snort Interfaces screenshot]

                  Supermule:

                    Post a picture of the alerts section for all interfaces…

                    NelsonLopes:

                      WAN1 & WAN2 are totally empty.

                      WAN3 & WAN4 have a lot of

                      (ssp_ssl) Invalid Client HELLO after Server HELLO Detected

                      and some

                      (spp_frag3) Fragmentation overlap
                      Supermule:

                        Hmmmmm

                      Supermule:

                          Delete the WAN2 and WAN4 Snort interfaces and see if it picks up on WAN1.

                          If not, delete all, remove the package and reinstall. Then begin with only one interface that Snort listens to. Then add one more at a time while you get alerts on all interfaces.

                          How is your memory coming along, and are you swapping on the hard drive?

                          NelsonLopes:

                            @Supermule:

                            Delete the WAN2 and WAN4 Snort interfaces and see if it picks up on WAN1.

                            If not, delete all, remove the package and reinstall. Then begin with only one interface that Snort listens to. Then add one more at a time while you get alerts on all interfaces.

                            I'll be doing that shortly, thank you for your help.

                            @Supermule:

                            How is your memory coming along, and are you swapping on the hard drive?

                            On heavy load my memory goes up to 85%, and yes, I'm using swap (it's 39% mem. and 14% swap at the moment).

                            Supermule:

                              Is pfSense running physical or virtual?

                              NelsonLopes:

                                @Supermule:

                                Is pfSense running physical or virtual?

                                Physically.

                                bmeeks:

                                  Are these extra WAN interfaces part of a CARP or multi-WAN setup? Is there perhaps some asymmetrical routing going on?

                                  If so, this could trip up Snort as some alerts depend on flowbits set by previous traffic.  If that previous traffic was seen on a "different interface" (as in one of the other WAN pathways), then the alert with that set flowbit dependency would not fire.  Not saying this is your issue, but it is something to be considered.

                                  Another possibility, if any asymmetrical routing is happening, is that the stream5 preprocessor can fail to correctly reassemble streams if it does not see all of the traffic. Remember that Snort really runs as totally separate and autonomous processes, one per interface. So it's basically like having physically separate computers running Snort. Any weirdness with routing between those multiple WANs could trip up those independent Snort processes.

                                  Bill

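The flowbit dependency bmeeks describes, as an added simulation that is not from the thread or from Snort itself: each interface gets its own independent "Snort process" with its own flowbit table, and a rule that requires a flowbit set by earlier traffic never fires when the two directions of one session are routed through different WANs. Rule names, the packet fields and the session are constructed for illustration.

```python
from collections import defaultdict

# Constructed toy rules: the first sets a flowbit when a client hello is seen,
# the second alerts only if that flowbit is already set on the same flow.
RULES = [
    {"name": "client_hello_seen", "match": "client_hello", "set": "tls.client_hello"},
    {"name": "bad_server_hello", "match": "server_hello", "isset": "tls.client_hello"},
]

def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a session share one key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted([a, b])) + (pkt["proto"],)

class SnortInstance:
    """One autonomous Snort process bound to a single interface (simulated)."""
    def __init__(self, iface):
        self.iface = iface
        self.flowbits = defaultdict(set)  # flow key -> flowbit names set on this instance
        self.alerts = []

    def inspect(self, pkt):
        key = flow_key(pkt)
        for rule in RULES:
            if rule["match"] != pkt["payload"]:
                continue
            if "isset" in rule and rule["isset"] not in self.flowbits[key]:
                continue  # dependency unmet: this instance never saw the earlier packet
            if "set" in rule:
                self.flowbits[key].add(rule["set"])  # set-only rule, no alert
            else:
                self.alerts.append((self.iface, rule["name"]))

def run(packets, route):
    """route maps a direction ('c2s' or 's2c') to the WAN interface carrying it."""
    instances = {iface: SnortInstance(iface) for iface in set(route.values())}
    for pkt in packets:
        instances[route[pkt["dir"]]].inspect(pkt)
    return [alert for inst in instances.values() for alert in inst.alerts]

# Constructed TLS-like exchange: client hello outbound, server hello back.
SESSION = [
    {"dir": "c2s", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "payload": "client_hello"},
    {"dir": "s2c", "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "proto": "tcp", "payload": "server_hello"},
]

def symmetric():   # both directions on WAN1: the dependent rule fires
    return run(SESSION, {"c2s": "WAN1", "s2c": "WAN1"})

def asymmetric():  # reply comes back via WAN2: WAN2's flowbit table is empty, no alert
    return run(SESSION, {"c2s": "WAN1", "s2c": "WAN2"})
```

The same split-visibility problem applies to stream reassembly: a per-interface process that only sees one direction of a TCP session cannot rebuild the stream, so preprocessor-driven alerts on that interface stay silent even though traffic is clearly flowing.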
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.