Snort stops working after 2.2 upgrade
-
Hi,
I've upgraded from 2.1.5 to 2.2 and experiencing difficulties with snort. It worked fine prior to the 2.2 upgrade for over a year.
The issue is, snort interface is shown as enabled, and the service status shows snort running. But snort doesn't generate any alerts over a period of time.Normally the memory utilization when snort is working is around 50-60%. After the 2.2 upgrade, over time this drops to around 10-12%. Which is same memory utilization if snort was not running. This is the only way to tell that it's stopped as the service and the interface says snort's working fine.
If I restart snort, it seems to work fine for a couple of hours before again the memory utilization drops and nothing happens after.
I've attached the RRD graphs for memory to show this happening (First 2hrs of the 8hr graph is before the upgrade, Upto thursday 12pm on the 1day graph is before the upgrade. The blip on the 1day graph at thursday 12am is snort rule update when it was working fine).
Could someone kindly assist me to fix this.
Regards,
Niv.Edit: pfsense is running on a VM in Esxi. 2x3.5ghz cores and 8GB of memory allocated to pfsense.
![status_rrd_graph_img.php 2.png](/public/imported_attachments/1/status_rrd_graph_img.php 2.png)
![status_rrd_graph_img.php 2.png_thumb](/public/imported_attachments/1/status_rrd_graph_img.php 2.png_thumb) -
After running the system for a period of time and the memory utilization has dropped, run this command to see if any Snort processes exist:
ps -ax |grep snort
You should see one process for each enabled Snort interface. If you also use Barnyard2, then you will see a barnyard2 process as well for each Snort interface.
Have you looked in the system log to see if any Snort related messages have been logged? Post those if you find any.
Snort should have no issues running on pfSense 2.2. I and many others are running the current Snort package without problems on pfSense 2.2.
Bill
-
Thanks for the reply Bill,
Since I made this post, snort has actually thrown a few alerts. (but over a day it is usually a lot more).. And things like running a bit torrent client doesn't trigger anything still. I had to turn off snort to run a bittorrent client before the upgrade. All the pre processors are enabled, and as far as I can see, there is no change to the config from before the pfsense upgrade. Snort is using IPS policy "Security".
I've attached the screenshot of ps and top showing snort running.
Does it behave the same way in your system with 2.2? as in all of snort's memory become inactive but not free.
Thanks again for helping me!
![ps and top.png](/public/imported_attachments/1/ps and top.png)
![ps and top.png_thumb](/public/imported_attachments/1/ps and top.png_thumb) -
I have not really noticed a change in the amount of memory used by Snort since I did the 2.2 upgrade. I do not enable any extra rules besides those already default enabled in the VRT package. I run the "balanced policy" on my LAN and a handful of ET-Open rules on my WAN (just for the heck of it, they don't really accomplish anything because my firewall is default deny inbound for pretty much everything).
Bill
-
I am having the exact same issue as you since the upgrade to 2.2. I can stop/start the snort process, and once it is done loading I sit at ~43% memory usage on my 4GB system. It almost immediately starts "losing" memory until the system is at 8% or so memory usage. Just FYI, with snort not loaded it uses 5% memory.
This is reflected in my RRD logs since snort reloads itself every 24 hours due to list updates - you see it constantly gaining free memory over time in a definite pattern. I've checked the logs but I'm not sure what I should be looking for - nothing really seems to be standing out.
I'm running the packages:
BandwidthD
OpenVPN Client Export Utility
RRD Summary
SnortThis is running on this Atom board:
http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPE-HF-D525.cfm
With 4gb of memory.I'm wondering if I should do a fresh install and import my config, but I am wondering if that would put me right back in the same situation that I am in currently.
-
Make sure that the Interfaces "Search Method" are set to "AC-BNFA-NQ" which is the better memory matcher algorithm.
-
Are you saying Snort is not working, or are you just fretting about the change in displayed free memory? If Snort is working, I would say don't worry about the free memory. There could be several reasons for that not related to Snort. While Snort is live reloading rules (for example, after a nightly rule update) it will possibly use up to twice as much memory as normal since it temporarily holds two complete copies of the configuration in memory (including rules). It then switches the running Snort process over to use the newly built second in-memory configuration and then destroys the old configuration. That will account for some of the memory decrease.
Bill