Snort stops by itself
@Ip:
I had a similar issue, but it was solved by using the AC-BNFA or AC-BNFA-NQ memory setting. It was a result of snort rules updates causing the process to attempt to allocate more memory than was available.
Now I use AC-BNFA-NQ on all interfaces and Snort has not stopped yet.
I was having this problem as well, so thank you for the fix. :D
Plenty of memory and CPU power in the pf box (8 gigs and 8 cores), nonetheless SNORT does seem happier with this setting change, but it is strange that random stops are occurring with other settings.
Thanks for the AC-BNFA-NQ, this seems to help us here as well.
I want to contribute something I observed and can reproduce:
Situation
- HW (old PC) based pfSense in a branch office
- Win 2012 R2 U1 based pfSense in our DC
Snort
- HW based is running stable with AC-NQ even though it has only 2 cores and 8 GB memory in total
- Hyper-V based is running on 12 cores and 16 GB memory, but Snort failed with AC-NQ; AC-BNFA-NQ does the trick. Now it can not only be activated faster (about 2 minutes), it can also be activated on all interfaces instead of only one, and it has now been running stable for 3 days; usually it turned itself off every 2h to 6h.
A strange side effect on IPSec stability? :o
We reported https://redmine.pfsense.org/issues/4790 (Title: Established IPSec Tunnel refused transporting further traffic out of sudden.. it than refuses any rule based traffic to anywhere!).
Even though it should be impossible from my point of view, we observed that, since the only configuration change on both tunnel ends is the Snort thing, it seems to be an obvious side effect.
This seems to be fixed now as well - and I find this is 'a bit' disturbing..