Snort keeps shutting down



  • We have a pfSense 1U C2758 Hardware Appliance as our main firewall/router for our small office network.
    Our internet connection is a PPPoE connection and we use several VLANs with port trunking.

    I have a pretty basic snort setup that listens only on the WAN interface. I have followed this https://forum.pfsense.org/index.php?topic=61018.0 tutorial/guide on setting up Snort on pfSense.

    It seems Snort works fine for a few days. Then when I go and check on it in the services page it is showing it has shut down. Sometimes it might restart after a few hours. Other times it's down for good.

    I have set Snort to use AC-SPARSEBANDS so it doesn't use too much RAM, it hovers around 50% memory usage. I'm happy to attach the firewall log but it honestly seems like there is nothing useful in it.

    Any suggestions/common problems?



  • @GusBricker:

    Snort is a pfSense package, so it's better to post questions related to it in the Packages sub-forum.  You will get quicker action posting there.  I just happened to notice your post in this sub-forum when I came here for something else.

    What version of pfSense are you running and what version of the Snort package?

    What pfSense platform are you using:  (1) a regular install to an HDD or SSD, or (2) a NanoBSD install on flash?

    It is highly recommended that you use AC-BNFA or AC-BNFA-NQ for the pattern matcher.  Any other setting can lead to issues.

    Bill



  • @bmeeks:

    Doh, I was trying to find the right forum for it and completely skipped over Packages sub. Any chance a moderator can move this there?

    pfSense Version Info:
    2.1.5-RELEASE (amd64)
    built on Wed Aug 27 15:14:26 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    Snort Version Info:
    Installed: 2.9.6.2
    pkg v3.1.5

    Hardware is an 80GB SSD, so regular install I think. I'm pretty sure I was already running AC-BNFA and it still didn't work well.



  • There is a newer version of the Snort package available now.  It contains some bug fixes for multiple starts of the Snort process.  Try the upgrade and see how that works for you.

    Check on the GLOBAL SETTINGS tab down near the bottom that the "save settings on uninstall" checkbox is checked before you upgrade.  That way all of your settings will be preserved and migrated to the new version.  The default now is for that box to be checked, but just in case, make sure it is.  If not, check it and then save the change before upgrading the package.

    You can find the new package on System > Packages > Installed Packages.  The upgrade should show up there.

    Bill



  • Reporting back after 11 days running on AC-BNFA-NQ. Seems to be stable and hasn't stopped working yet.