Cannot enable snort on interface (it shows red cross)

Snailkhan

hi,
few days ago i made a pfsense box from an atom thinclient for my home to get my hands dirty with it.
box specs are 1gb ram/4gb usb nanobsd latest stable / atom n270.
my network consists of 3-4 users and my wan connection speed is 4mbps. cpu load when snort was running was hardly .1 for 15 minutes ..

initially all was ok with snort it was running fine and working . but then the pc got some problem with a wifi card and no display on screen . i replaced the wifi mini pcie card and then for the sake of practice . reset my settings to default.
i configured pppoe /nat/dhcp/multiplessids/firewall etc . and installed snort . now i am unable to make it run.

i have followed a lot of videos on youtube and some articles like below but at interface level it still shows red mark instead of green play icon.(it takes a lot of time for the gui page to load  when i slect the start at interface level i.e. the little circle keeps rotating in chrome and says waiting for 192.168.4.10 ,,, while the status page shows cross next to interface in snort)

tried a lot of reboots. removal of interface from snrot and adding it again. redownloading updates. and disabling some . no luck.

at services level snort is shown as running. i have selected it to log to system log and i do not see anyting suspicies except below logs.
articles i followed.

when i tried to enable it on lan interface i wasnt able to access its gui ..

https://forum.pfsense.org/index.php?topic=61018.0

Please advise what can cause it .. ?

Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/os-windows.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-webapp.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/exploit-kit.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/file-image.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/file-multimedia.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/file-other.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/malware-cnc.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/malware-other.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/netbios.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/os-linux.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/os-other.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/policy-social.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-nntp.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-other.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-tftp.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-apache.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-iis.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-mail.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-mysql.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-oracle.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-other.so...
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/browser-ie.so...
Nov 16 02:42:34	snort[29937]: Loading all dynamic detection libs from /usr/pbi/snort-i386/lib/snort_dynamicrules...
Nov 16 02:42:34	snort[29937]: Finished Loading all dynamic engine libs from /usr/pbi/snort-i386/lib/snort_dynamicengine
Nov 16 02:42:34	snort[29937]: done
Nov 16 02:42:34	snort[29937]: Loading dynamic engine /usr/pbi/snort-i386/lib/snort_dynamicengine/libsf_engine.so...
Nov 16 02:42:34	snort[29937]: Loading all dynamic engine libs from /usr/pbi/snort-i386/lib/snort_dynamicengine...
Nov 16 02:42:34	snort[29937]: Tagged Packet Limit: 256
Nov 16 02:42:34	snort[29937]: Found pid path directive (/var/run)
Nov 16 02:42:34	snort[29937]: Search-Method-Optimizations = enabled
Nov 16 02:42:34	snort[29937]: Maximum pattern length = 20
Nov 16 02:42:34	snort[29937]: Search-Method = AC-BNFA-Q
Nov 16 02:42:34	snort[29937]: Detection:
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 2123 2152 3386 ]
Nov 16 02:42:34	snort[29937]: PortVar 'GTP_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 502 ]
Nov 16 02:42:34	snort[29937]: PortVar 'MODBUS_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 20000 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DNP3_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 6503:6504 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 2103 2105 2107 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCACN_TCP' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 135 593 1024:65535 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 135 1024:65535 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 135 139 445 593 1024:65535 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 138 1024:65535 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 139 445 ]
Nov 16 02:42:34	snort[29937]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 111 32770:32779 ]
Nov 16 02:42:34	snort[29937]: PortVar 'SUN_RPC_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 0:79 81:65535 ]
Nov 16 02:42:34	snort[29937]: PortVar 'SHELLCODE_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 36 80:90 110 143 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ]
Nov 16 02:42:34	snort[29937]: PortVar 'FILE_DATA_PORTS' defined :
Nov 16 02:42:34	snort[29937]:
Nov 16 02:42:34	snort[29937]: [ 443 465 563 636 989 992:995 7801:7802 7900:7920 ]
Nov 16 02:42:34	snort[29937]: PortVar 'SSL_PORTS' defined :
Nov 16 02:42:34	snort[29937]:

bmeeks

You are painfully low on RAM if you are enabling very many rules.  Snort really wants 2GB or RAM and works even better with 4GB (this depends on the number of enabled rules and whether or not you follow the recommended Pattern Matcher setting of AC-BNFA-NQ).

Running Snort on a Nano-based system can be problematic, especially with only 1GB of RAM.  Your disk partitions are not going to be very large.  I would say you don't have enough RAM on the box to run everything you are trying to run.

Bill

Snailkhan

@bmeeks:

You are painfully low on RAM if you are enabling very many rules.  Snort really wants 2GB or RAM and works even better with 4GB (this depends on the number of enabled rules and whether or not you follow the recommended Pattern Matcher setting of AC-BNFA-NQ).

Running Snort on a Nano-based system can be problematic, especially with only 1GB of RAM.  Your disk partitions are not going to be very large.  I would say you don't have enough RAM on the box to run everything you are trying to run.

Bill

it was running smoothly in the past (at least for one week ) until i reset it to factory defaults.
this is home network (4mbps wan and hardly few active users… )..

now at idle cpu is 1-2 % and ram is 20 %

however for ram i will upgrade to 2gb as this system has one slot for ddr2 2gb.

bmeeks

One other question I forgot to ask – when you say you "reset my settings to default", how exactly did you do that for Snort?  Snort remembers physical interface names in its configuration, and will attempt to reuse the old configuration if detected during package re-installation.  Since you state you changed the physical network card, then the physical interface names have likely changed.  This can confuse Snort.

Try this (but you will lose all the old Snort settings):

1.  Go to the GLOBAL SETTINGS tab in Snort and uncheck the "save settings" box so the old configuration will be completely deleted when the package is removed.

2.  Go to System > Packages and click the INSTALLED PACKAGES tab.  Click the X icon to remove the Snort package.

Now reinstall Snort and configure it from scratch.

Bill

Snailkhan

@bmeeks:

One other question I forgot to ask – when you say you "reset my settings to default", how exactly did you do that for Snort?  Snort remembers physical interface names in its configuration, and will attempt to reuse the old configuration if detected during package re-installation.  Since you state you changed the physical network card, then the physical interface names have likely changed.  This can confuse Snort.

Try this (but you will lose all the old Snort settings):

1.  Go to the GLOBAL SETTINGS tab in Snort and uncheck the "save settings" box so the old configuration will be completely deleted when the package is removed.

2.  Go to System > Packages and click the INSTALLED PACKAGES tab.  Click the X icon to remove the Snort package.

Now reinstall Snort and configure it from scratch.

Bill

i see ..
i reset the whole pfsense from its menu … not just the snort.
i had checked the option to save configs even after removal .. and then reset pfsense from its menu shown at boot.
then swaped the wan/lan interfaces ... and configuring it wont start it on interface...

i did the same as you mentioned .. uncheck the option remove snort reboot and then install it .. and its working again and my cpu loads is

0.34, 0.26, 0.24

State table size	
0% (319/98000) 
Show states
MBUF Usage	
12% (2536/20608)
Temperature	
13.0°C
Load average	
0.23, 0.23, 0.23
CPU usage	
17%
Memory usage	
18% of 983 MB
Disk usage	
/ (ufs): 38% of 1.8G	
/cf (ufs): 4% of 49M	
/tmp (ufs in RAM): 5% of 38M	
/var (ufs in RAM): 46% of 58M	

now my question is will it survive reboot / halt as i am on nanobsd ?

will it also survive improper shutdown . which is rampant in this part of the world..

bmeeks

@Snailkhan:

now my question is will it survive reboot / halt as i am on nanobsd ?

will it also survive improper shutdown . which is rampant in this part of the world..

It should (at least the Snort configuration should).  Snort stores all of its settings in the config.xml file where all other pfSense settings are stored.  It only writes to that file when you make and save a Snort change.

When the "save settings" checkbox is checked, then Snort will not remove its configuration entries from the config.xml file when the package is removed.  So when it is installed again, it checks for any existing config.xml settings and uses them if found.  In your case, those existing settings had your old NIC physical interface names in them.  Since that NIC no longer existed, Snort would not start.  In the future I plan to try and make the Snort config.xml settings somewhat independent of the physical NIC names to try and avoid problems like you had.

Bill

Snailkhan

@bmeeks:

@Snailkhan:

now my question is will it survive reboot / halt as i am on nanobsd ?

will it also survive improper shutdown . which is rampant in this part of the world..

It should (at least the Snort configuration should).  Snort stores all of its settings in the config.xml file where all other pfSense settings are stored.  It only writes to that file when you make and save a Snort change.

When the "save settings" checkbox is checked, then Snort will not remove its configuration entries from the config.xml file when the package is removed.  So when it is installed again, it checks for any existing config.xml settings and uses them if found.  In your case, those existing settings had your old NIC physical interface names in them.  Since that NIC no longer existed, Snort would not start.  In the future I plan to try and make the Snort config.xml settings somewhat independent of the physical NIC names to try and avoid problems like you had.

Bill

well seems like there is another jinn at play as well besides that interfaces issue..

snort was working fine for 3 days .. with appid an open virt (almost all except those for servers ) were selected..

then i wanted to enable emerging threats .. and now  whne i updated the rules … and went back to interface to check snort status it was shown as red.. looked after 20 minutes still red.. tried to turn it on and after 20-30 minutes it was still red and the progress bar in chrome for a tab was circling around like loading page but nothing would happen.

then i disabled emerging threats and tried to start it on interface and did update definitions.. same result as above..

restarted snort service from services same as above ....

i selected reboot from gui nothing happens no reboot confirmation dialog..

tried to open new tab to pfsense gui it wont open .. ( max sessions are at default of 2 )

then i ssh and rebooted it and after 10 minute still snort not started on interface ..

then i removed wan interface .. readded to snort configured only open virt and app id and tried to start no luck ..

then i removed teh wan interface rebooted added again configured again with settings that worked for me still no luck ..

doktornotor

@Snailkhan:

snort was working fine for 3 days .. with appid an open virt (almost all except those for servers ) were selected..
then i wanted to enable emerging threats ..

Dunno which part of "you do NOT have enough RAM to run insanely huge rulesets" (let alone on multiple interfaces) is exactly unclear here.

Snailkhan

@doktornotor:

@Snailkhan:

snort was working fine for 3 days .. with appid an open virt (almost all except those for servers ) were selected..
then i wanted to enable emerging threats ..

Dunno which part of "you do NOT have enough RAM to run insanely huge rulesets" (let alone on multiple interfaces) is exactly unclear here.

hmm if i admit that its insufficient ram that made snort stop working after enabling emerging threats threats. after it was running fine for 3 days .. but what i fail to comprehend is why i am unable to start it again when i go to former working settings ?

if it was working and a chnage stoped it from working shouldnt undoing that change as done above revert its consequences ?

i have uninstalled snort and have selected the option to remove settings after uninstall ..

its being installed .. i will again configure with same settings that working fine for past three days.

edit:
its now installed and running in its former settings..
so it seems that its a sort of bug  :-[ ..

bmeeks

You really do not have enough RAM in that firewall to reliably run Snort.  You are getting this random behavior most likely because you are running out of memory and RAM Drive disk space.  On a Nano-based system, some of your 1 GB of RAM is used to provide the /tmp and /var disk partitions.  That further limits the free RAM available to Snort.  Also, with only 1 GB of RAM to start with, those two RAM Disk partitions are going to be a bit tight when it comes to holding the rules tarball files during updates and even when downloading and extracting the PBI package files on installs.  When you exhaust the /tmp or /var partitions during package installation, weird and random stuff can happen.  I suspect its working when you wipe the settings out because then it is not exhausting RAM during reinstallation when trying to restore the saved settings and download all the previously selected rules at once.

The same Snort package has run uninterrupted for months on my firewall with three active interfaces and quite a few rules.  I have never had an issue with a Snort upgrade.  My firewall has a 40 GB conventional hard disk and 16 GB of RAM.  Prior to this one, I had a box with 4 GB of RAM and never had any issues there either.  You need lots of RAM and plenty of disk space for logging to reliably run Snort and Suricata.  NanoBSD is just not a good platform for running these two packages.  I'm not saying it can't work if you throw enough RAM at it, but most NanoBSD installs don't have a lot of RAM.

Bill

Snailkhan

@bmeeks:

You really do not have enough RAM in that firewall to reliably run Snort.  You are getting this random behavior most likely because you are running out of memory and RAM Drive disk space.  On a Nano-based system, some of your 1 GB of RAM is used to provide the /tmp and /var disk partitions.  That further limits the free RAM available to Snort.  Also, with only 1 GB of RAM to start with, those two RAM Disk partitions are going to be a bit tight when it comes to holding the rules tarball files during updates and even when downloading and extracting the PBI package files on installs.  When you exhaust the /tmp or /var partitions during package installation, weird and random stuff can happen.  I suspect its working when you wipe the settings out because then it is not exhausting RAM during reinstallation when trying to restore the saved settings and download all the previously selected rules at once.

The same Snort package has run uninterrupted for months on my firewall with three active interfaces and quite a few rules.  I have never had an issue with a Snort upgrade.  My firewall has a 40 GB conventional hard disk and 16 GB of RAM.  Prior to this one, I had a box with 4 GB of RAM and never had any issues there either.  You need lots of RAM and plenty of disk space for logging to reliably run Snort and Suricata.  NanoBSD is just not a good platform for running these two packages.  I'm not saying it can't work if you through enough RAM at it, but most NanoBSD installs don't have a lot of RAM.

Bill

snort was running fine for another 35+ hours .. besides i also added freeradius (it would hardly authenticate 3-5  users in the entire day ). and was working fine..

however i got 2gb ddr2 ram for my box (thats its max support. as its single port) and still all is ok .. though i havent enabled the emerging threats .. though i increased space of /var /tmp to 150 MB ..

as i fear it will again break things and i would have to remove snort redo all configs.

32gb ssd is being shipped from china via slow boat. waiting for it to do a full blown installation