Snort issue



  • Hi all, I have an issue that I am not sure exactly how to put into context. Essentially, I have pfsense running at home with snort and upon initial install and setup, everything runs awesome, but after a few days the speed at which pages open begins to slow down to the point that the internet is unusable unless I restart my pfsense box. After restarting, though, the web will slow down to non-existent within minutes. If I uninstall snort altogether, then everything works as it should and pages load really fast. This issue, in my opinion, started with the pfsense 2.2.3 release and continued into 2.2.4. The best I have seen my box run with snort was on 2.2.2 and I had zero issues, but since upgrading I am forced to not run snort, which I find rather scary. Not sure why or how the pfsense version could possibly impact snort, but I do know that when setting up snort exactly as I did in 2.2.2 on 2.2.3 and 2.2.4, I am having this issue. I will be happy to pull some logs if necessary, although my notion of the whole problem is that the buffer is filling until it cannot hold any more, which is blocking the web altogether; I may be wrong with this assumption.

    My usual setup: I prefer to run both available free snort VRT rules and the free emerging threat rules, as well as the openAPP_ID processor coupled with flowbits running. All other settings are basically set as default except the setting that replaces sensitive information with X's, which I enable. These settings worked great when installed on 2.2.2, but in the latest releases they are choking the life out of the internet.

    Anyone else experienced this?



  • What kind of hardware is in the box?  Also, is this a full install or does it use a NanoBSD image with CF?

    Try running top to see if Snort is actually chewing up CPU time.  I have not seen a similar issue reported here with Snort chewing up the web speed.

    Bill



  • I have pfsense running on a rack mounted chassis consisting of an ASRock Z87 Extreme 4 motherboard with a socket 1155 Pentium i5 processor at 3.5 GHz, 4 gigs DDR 2 ram, a 500 gb hard drive and 3 intel PCIE 1gb NICs. I have it set up as a full install. All the parts mentioned above, with the exception of the NICs, I acquired from doing PC upgrades for coworkers.



  • That hardware should be more than sufficient unless you have like a 10 Gig connection or something… ;).

    When you say the internet "slows down to non-existent within minutes", do you mean web sites just stop loading completely or do you mean they load super slow like maybe at 14.4K modem speed?  Have you checked to see if you are getting alerts and corresponding blocks on sites?  If a site is blocked, then obviously it won't load.

    How about trying some of the popular speed test sites and posting the results back here.

    Bill



  • Mr. Bill,

    Sorry for the long delay in getting back to this posting. There was something I wanted to try and watch the performance of for a week or so prior to getting back with you. Essentially, I wanted to start with a clean slate. In the past, when upgrading to a new version of PFSENSE, I restored a backup vs. setting everything up from scratch. One would think that this should work out, but what I have done, in a nutshell, proves the opposite.

    I started with a fresh install of 2.2.4 by formatting the disk and installing to remove any previous install fragments. This hasn't completely solved my issue, but things are better and I noticed that the DNS server is FINALLY running correctly; I never could get it going properly. After installing the OS, I configured the general settings, followed by the advanced settings. I then added a third interface for use with my wireless router as an access point. I enabled UPnP for Microsoft devices and enabled both DHCP servers for my LAN and WiFi interfaces. After that I added rules to the WiFi interface to allow traffic for the applicable ports, and both tunnel traffic as they should. I let that run for half a day to monitor and observed no issues. After that I installed snort and let it go half a day without setting it up, to make sure that adding the package somehow didn't modify needed settings. The following day, I set up snort using the Connectivity setting with both the snort VRT rules, Emerging Threats rules and the APP ID processor rules. Since then, roughly 5 days ago, it has been running with this setup, with the exception of this past Sunday when I bumped it to the Balanced setting. I had the issue initially but it went away while the internet was slightly degraded, so I set it back to Connectivity. I haven't set the sensitive data option yet, but I am looking to do that very soon. I have a feeling that my issue lies somewhere with the Balanced setting or the sensitive data processor, but I am not sure.

    In PFSENSE 2.2.2, I ran snort set on Security while using the sensitive data processor and auto-block host without any issue, while using backups to restore the system that were made on PFSENSE 2.2.0 and an older snort. Not sure what to do now.



  • I don't know if it is applicable to your specific NICs, but I've seen other posts in the Upgrades and General sub-forums about folks needing to manipulate mbuf settings for some network cards with the newer pfSense versions.  Have you checked out those threads?

    The difference between the "Connectivity", "Balanced" and "Security" settings in Snort is the number of enabled rules.  "Connectivity" enables the least number of rules while "Security" enables the most number of rules (from the VRT selection).  What really matters in terms of throughput is how many total rules Snort has to evaluate each packet against.

    There really is no big difference in Snort from version 2.1.x of pfSense all the way up to today.  There have been some updates/changes with NIC drivers, though, coming from the FreeBSD updates.  Maybe some NICs and the newer libpcap library don't play well ???  If you can definitely tie your issues to Snort running, and then have no issue with Snort not running, then I would start by disabling rule categories and adding them back incrementally.  You might just be hitting an overload point with the number of evaluated rules.

    Bill
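
    The two checks Bill suggests, Snort's CPU share from `top` and the mbuf situation from `netstat -m`, can be scripted so they are easy to repeat each time the slowdown returns. The script below is an added example and is not code from this thread, from pfSense or from Snort. It parses the text formats FreeBSD's `top` and `netstat -m` print; the two snapshots embedded in it are constructed samples in those formats so it runs offline, and the thresholds (80% CPU, any mbuf denial, 90% of the cluster limit) are assumptions chosen for illustration rather than pfSense defaults.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Snort): parse a FreeBSD `top`
# process listing and `netstat -m` output to answer Bill's two questions:
#   1) is a snort process actually chewing CPU?
#   2) is the network stack being denied mbufs / running near its cluster limit?
# On a live pfSense box you would pipe real output in, e.g.
#   top -b | proc_cpu_pct snort        netstat -m | mbuf_denied
# The samples below are CONSTRUCTED in those formats so the script runs offline.

TOP_SAMPLE=$(cat <<'EOF'
last pid: 71234;  load averages:  1.90,  1.75,  1.60    up 3+02:11:09  10:15:01
41 processes:  2 running, 39 sleeping
CPU:  0.4% user,  0.0% nice, 43.8% system,  0.0% interrupt, 55.8% idle
Mem: 1204M Active, 512M Inact, 803M Wired, 112M Buf, 1299M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
70112 root        1  52    0  1180M   978M CPU1    1  14:37  87.5% snort
70118 root        1  20    0   690M   511M bpf     0   6:02  12.3% snort
  314 root        1  20    0   102M    34M select  0   0:11   0.0% php-fpm
  228 unbound     1  20    0    48M    22M kqread  1   0:03   0.0% unbound
EOF
)

NETSTAT_SAMPLE=$(cat <<'EOF'
25000/4000/29000 mbufs in use (current/cache/total)
24700/1300/26000/26000 mbuf clusters in use (current/cache/total/max)
24453/1628 mbuf+clusters out of packet secondary zone in use (current/cache)
0/28/28/262144 4k (page size) jumbo clusters in use (current/cache/total/max)
55050K/4413K/59463K bytes allocated to network (current/cache/total)
0/412/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 sendfile syscalls
EOF
)

# Highest CPU percentage reported for any process whose COMMAND is $1
# (default: snort); pfSense runs one snort per interface, so take the max.
# The percentage is the second-to-last column (WCPU on pfSense 2.2, CPU on
# newer FreeBSD), so the header name does not matter. Reads top output on stdin.
proc_cpu_pct() {
    awk -v name="${1:-snort}" '
        BEGIN { max = 0 }
        $NF == name { pct = $(NF-1); sub(/%$/, "", pct); if (pct + 0 > max) max = pct + 0 }
        END { printf "%.1f\n", max }'
}

# Sum of the three counters on the "requests for mbufs denied" line of
# `netstat -m` (stdin). Any non-zero value means the stack ran out of
# mbufs/clusters, which points at NIC driver / mbuf tuning rather than at
# Snort's rule load.
mbuf_denied() {
    awk '/requests for mbufs denied/ { n = split($1, f, "/"); t = 0
                                       for (i = 1; i <= n; i++) t += f[i]
                                       print t; found = 1 }
         END { if (!found) print 0 }'
}

# Percentage of the mbuf cluster limit in use, from the
# "mbuf clusters in use (current/cache/total/max)" line (stdin).
mbuf_cluster_pct() {
    awk '/mbuf clusters in use/ { split($1, f, "/"); printf "%.1f\n", 100 * f[1] / f[4]; found = 1 }
         END { if (!found) print 0 }'
}

# One-line verdict. $1 = top text, $2 = netstat -m text.
# Thresholds are ASSUMED for illustration, not pfSense or Snort defaults.
diagnose() {
    cpu=$(printf '%s\n' "$1" | proc_cpu_pct snort)
    denied=$(printf '%s\n' "$2" | mbuf_denied)
    clusters=$(printf '%s\n' "$2" | mbuf_cluster_pct)
    flags=""
    [ "${cpu%.*}" -ge 80 ] && flags="${flags} snort-cpu-bound"
    [ "$denied" -gt 0 ] && flags="${flags} mbuf-denials"
    [ "${clusters%.*}" -ge 90 ] && flags="${flags} mbuf-clusters-near-max"
    [ -n "$flags" ] || flags=" none"
    printf 'snort cpu=%s%% mbuf denied=%s clusters=%s%% flags:%s\n' \
        "$cpu" "$denied" "$clusters" "$flags"
}

diagnose "$TOP_SAMPLE" "$NETSTAT_SAMPLE"
```

    If the CPU flag is the only one raised, Bill's advice applies: trim rule categories and add them back one at a time. If mbuf denials show up while Snort's CPU share is modest, the mbuf threads he mentions are the better lead, since the packets are being dropped before Snort ever evaluates them.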



  • Mine are Intel EXPI9400PTBLK NIC cards

    http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-pt-server-adapter-brief.html

    Bought three of them for $9.99 each off ebay. All working awesome.