Netgate Discussion Forum

    Share Oinkmaster code?

    IDS/IPS
      pfcode

      Hi,

      Can Snort and Suricata share the same Oinkmaster code? It seems that setting up Snort and Suricata on the same pfSense box results in weird behavior; I'm not sure if it's due to using the same code or not.

      Release: pfSense 2.4.3(amd64)
      M/B: Supermicro A1SRi-2558F
      HDD: Intel X25-M 160G
      RAM: 2x8Gb Kingston ECC ValueRAM
      AP: Netgear R7000 (XWRT), Unifi AC Pro

        doktornotor Banned

        About 300% sure your "weird behaviour" has nothing to do with Oinkmaster codes and everything to do with overloading your poor computer with two huge and potentially conflicting resource hogs.

          pfcode

          Well, when I set up Suricata, it's not even enabled yet, but the Snort WAN interface was auto disabled for NO REASON. I don't think my Supermicro C2558 + 160 GB SSD + 16 GB ECC RAM is a poor computer either.

            pfcode

            Since the Snort LAN interface is working fine, I'm starting to think that it could be one of the ET rules that disabled the WAN interface when Snort was restarted after an auto ruleset update.

            Earlier this morning at 2:00am, an auto ruleset update didn't disable the Snort WAN interface because Snort wasn't restarted. This afternoon at 2:00pm, an auto ruleset update was triggered again; this time there was a new set of Snort GPLv2 Community Rules posted, so Snort got restarted, and the WAN interface got disabled afterward.

            BUT, why does enabling it MANUALLY make the interface work?

              doktornotor Banned

              You posted zero information about the configuration in place, no logs, nothing. "Weird behaviour" is not a useful description of a problem. Frankly, it's useless. This won't go anywhere as it is. Before any further troubleshooting, you should perhaps post why you need to run both these things in the first place. Hopefully you are also aware that you cannot have both of these running in blocking mode at the same time.

                pfcode

                @doktornotor:

                You posted zero information about the configuration in place, no logs, nothing. "Weird behaviour" is not a useful description of a problem. Frankly, it's useless. This won't go anywhere as it is. Before any further troubleshooting, you should perhaps post why you need to run both these things in the first place. Hopefully you are also aware that you cannot have both of these running in blocking mode at the same time.

                No logs because I turned off the log. I want to try Suricata, and I knew that both can't be running at the same time, so I was setting Suricata up without enabling all its interfaces. Meanwhile Snort can still be running until Suricata is set and enabled. But for some reason, when I set up the rulesets for the Suricata WAN interface, the Snort WAN interface was disabled.

                  doktornotor Banned

                  OK, so you are troubleshooting by turning off logging. Excellent. Good luck.

                    pfcode

                    @doktornotor:

                    OK, so you are troubleshooting by turning off logging. Excellent. Good luck.

                    The log was off when I set up Suricata and got the problem. I'm not saying that I'm troubleshooting by turning off logging; I turned the log on but Snort was disabled already.

                      bmeeks

                      @doktornotor is correct.  You should not generally run both Snort and Suricata on the same machine.  They share lots of things and there are places where they can conflict and step on each other.  I recommend users choose one or the other, but not both.  You can run both, but only one can be in blocking mode!  Just realize that running both will be a huge RAM drain.  Running both can also suck up a lot of CPU time.

                      Bill

                        pfcode

                        @bmeeks:

                        @doktornotor is correct.  You should not generally run both Snort and Suricata on the same machine.  They share lots of things and there are places where they can conflict and step on each other.  I recommend users choose one or the other, but not both.  You can run both, but only one can be in blocking mode!  Just realize that running both will be a huge RAM drain.  Running both can also suck up a lot of CPU time.

                        Bill

                        Are you guys telling me that I need to uninstall Snort first, or stop the Snort service before installing Suricata? I don't think that I was saying I ran them both. What I said was that I was setting up Suricata without activating it; the Suricata service was not running. The Snort WAN interface was auto disabled when I was setting up the Suricata WAN interface; again, at that time the Suricata service was not running.

                          doktornotor Banned

                          Yeah, we are telling you to pick one and use it… Other than that, you still provided ZERO information to debug any issues.
