Snort not running on interfaces at startup
-
When I start up my pf box snort is not automatically running on my WAN interface but is on my LAN. It also takes 10+ minutes to start it up on WAN. How do I go about diagnosing this issue and resolving it?
-
You might have more Enabled Categories and/or Enabled Rules on the WAN interface causing it to take more time to load up?
-
It won't load after startup without me manually starting it on the WAN interface no matter how long I wait.
-
What Memory setting are you using? Try this setting for both interfaces.
AC-BNFA-NQ
Also go to services and disable snort to kill all open snort pids. Then try to re-enable with the new memory setting.
You can run this from the shell to see how many process PIDS are running
pgrep snort
There should only be one pid per enabled snort interface.
-
AC-NQ for WAN, AC-BNFA-NQ for LAN. I'll have to check and see if the memory setting makes any difference.
-
okay, AC-BNFA-NQ on both interfaces seemed to solve the issue of snort not starting on both interfaces automatically upon startup. Why could it not working on AC-NQ?
-
This memory manager setting is more efficient and seems to perform better overall. It also depends on your hardware especially how much RAM you have available for Snort.
-
24 gig RAM, possibly a memory setting in the BIOS is affecting it? though if AC-BNFA-NQ performs the best, maybe I should leave it.
-
24 gig RAM, possibly a memory setting in the BIOS is affecting it? though if AC-BNFA-NQ performs the best, maybe I should leave it.
It's been stated here on the forum several times by several folks that the best setting is AC-BNFA-NQ. Some of the other settings can quickly chew up RAM unless lots of optimizations are done, but the Snort package does not support in the GUI all the fine-tuning required.
Bill