New Snort Broken… But that is the Good News!

  • Ok! The new version installed just fine! Except for the errors and lack of function. Now this is on a production box, so I uninstall it till I have time to test and resolve this issue. Now running parallel to this issue, but "NOT" thought to be related, was one with CITRIX. Several clients installed new services that required the use of a Citrix Client to remote servers.

    The performance was very poor; the bandwidth was not the issue. So I look to see if pfSense is causing the issue or that the Microsoft Server 2003 was the issue. Holes were punched with all firewalls and all looked good… but still crap performance. Slap in some Public IPs and bypass all firewalls and bang, all is good.

    Perplexed by this situation, I let it sit for a day and do a little reading to see if I was missing anything. During this time I do the Snort update, it takes a crap, I pull it out and run pfSense without it, and now Citrix works like a charm!

    So please tell me how Snort was causing this performance issue...  :-\

  • Everyone is reading this question but no one has a thought?  :-\

  • Sorry, don't know much about Snort, only been using pfSense for the last 2 weeks; hopefully with more use will find how Snort works.

  • I had a similar problem.  I had enabled some of the Snort filtering rules and actually limited my access into my firewall from the inside and outside.  At that point I could not figure out what I had done, so I rebuilt.

    A little wiser, I reinstalled Snort and have added one or two rules back at a time, making note of exactly what I added and what effects it has on the system.

    I use Terminal Services with no issues as you describe.  You need to be very careful with the rules that you are using.

    The other thing is you might need to look at the hardware that you are using to see if you are creating too much load on the firewall, thus creating the performance issue you are experiencing.  I have done that as well.

    I have been running pfSense for a good while now, and was running M0n0Wall and Symantec Enterprise before that.  You can make one change and end up creating an overload situation on the firewall by adding an additional service.  I added one of the monitoring applications (NTOP) and it was impressive but ended up eating a lot of resources and keeping 2 processor cores at 50% utilization.  That caused web and mail failures and poor performance via the firewall.

    I also ran into IPSEC VPN issues, as well as VOIP problems.

    I ended up simplifying my Snort rules, locking down the IPSEC rules, and removing NTOP.  This corrected my errors and I have had no issues since.

    RC ;D

