Cannot enable Snort on interface (it shows a red cross)
-
You are painfully low on RAM if you are enabling very many rules. Snort really wants 2GB of RAM and works even better with 4GB (this depends on the number of enabled rules and whether or not you follow the recommended Pattern Matcher setting of AC-BNFA-NQ).
Running Snort on a Nano-based system can be problematic, especially with only 1GB of RAM. Your disk partitions are not going to be very large. I would say you don't have enough RAM on the box to run everything you are trying to run.
Bill
It was running smoothly in the past (at least for one week) until I reset it to factory defaults.
This is a home network (4 Mbps WAN and hardly a few active users...). Now at idle the CPU is at 1-2% and RAM at 20%.
However, for RAM I will upgrade to 2GB, as this system has one slot for DDR2 2GB.
-
One other question I forgot to ask – when you say you "reset my settings to default", how exactly did you do that for Snort? Snort remembers physical interface names in its configuration, and will attempt to reuse the old configuration if detected during package re-installation. Since you state you changed the physical network card, then the physical interface names have likely changed. This can confuse Snort.
Try this (but you will lose all the old Snort settings):
1. Go to the GLOBAL SETTINGS tab in Snort and uncheck the "save settings" box so the old configuration will be completely deleted when the package is removed.
2. Go to System > Packages and click the INSTALLED PACKAGES tab. Click the X icon to remove the Snort package.
Now reinstall Snort and configure it from scratch.
Bill
I see...
I reset the whole pfSense from its menu, not just Snort.
I had checked the option to save configs even after removal, and then reset pfSense from its menu shown at boot.
Then I swapped the WAN/LAN interfaces... and configuring it won't start it on the interface. I did the same as you mentioned: unchecked the option, removed Snort, rebooted and then installed it, and it's working again, and my CPU loads are
0.34, 0.26, 0.24
State table size 0% (319/98000)
MBUF Usage 12% (2536/20608)
Temperature 13.0°C
Load average 0.23, 0.23, 0.23
CPU usage 17%
Memory usage 18% of 983 MB
Disk usage / (ufs): 38% of 1.8G; /cf (ufs): 4% of 49M; /tmp (ufs in RAM): 5% of 38M; /var (ufs in RAM): 46% of 58M
Now my question is: will it survive a reboot/halt, as I am on NanoBSD?
Will it also survive an improper shutdown, which is rampant in this part of the world?
-
Now my question is: will it survive a reboot/halt, as I am on NanoBSD?
Will it also survive an improper shutdown, which is rampant in this part of the world?
It should (at least the Snort configuration should). Snort stores all of its settings in the config.xml file where all other pfSense settings are stored. It only writes to that file when you make and save a Snort change.
When the "save settings" checkbox is checked, then Snort will not remove its configuration entries from the config.xml file when the package is removed. So when it is installed again, it checks for any existing config.xml settings and uses them if found. In your case, those existing settings had your old NIC physical interface names in them. Since that NIC no longer existed, Snort would not start. In the future I plan to try and make the Snort config.xml settings somewhat independent of the physical NIC names to try and avoid problems like you had.
Bill
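The stale-NIC failure Bill describes above can be caught before Snort is started, and checked against a config backup without touching the box. The script below is an added example for this thread, not code from the pfSense Snort package: it parses a config.xml (pfSense keeps the live copy at /cf/conf/config.xml; a backup from Diagnostics > Backup/Restore works too), resolves each Snort interface entry to a physical device, and reports the entries that point at a NIC the kernel no longer has. The element layout it reads (interfaces/<name>/if and installedpackages/snortglobal/rule/interface), the SAMPLE_CONFIG document and the NIC names in it are assumptions constructed for this example; the live NIC list comes from `ifconfig -l`, which on FreeBSD prints the kernel's interface names.

```python
"""Report Snort interface entries in a pfSense config.xml that refer to
NICs the kernel does not currently have (the "red cross" cause above).

Added example for this thread, not part of the pfSense Snort package.
The config.xml element layout and the sample names are assumptions.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout): two Snort entries bound to the
# logical interfaces wan and lan, which map to physical devices re0/re1.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>re0</if></wan>
    <lan><if>re1</if></lan>
  </interfaces>
  <installedpackages>
    <snortglobal>
      <rule><interface>wan</interface><enable>on</enable><descr>WAN</descr></rule>
      <rule><interface>lan</interface><enable>on</enable><descr>LAN</descr></rule>
    </snortglobal>
  </installedpackages>
</pfsense>
"""

PFSENSE_CONFIG = "/cf/conf/config.xml"   # live config on a NanoBSD install


def kernel_interfaces():
    """Devices the running kernel knows about (FreeBSD: `ifconfig -l`)."""
    out = subprocess.run(["ifconfig", "-l"], capture_output=True,
                         text=True, check=True).stdout
    return set(out.split())


def snort_interface_map(config_xml):
    """Map each Snort entry (by its <descr>) to a physical device name.

    The thread says the package remembers physical NIC names; to cope with
    either convention, a value that names a pfSense logical interface
    (wan, lan, optN) is resolved through <interfaces>, and anything else
    is treated as a physical device name already.
    """
    root = ET.fromstring(config_xml)
    logical_to_dev = {}
    for node in root.findall("./interfaces/*"):
        dev = node.findtext("if")
        if dev:
            logical_to_dev[node.tag] = dev.strip()

    mapping = {}
    for rule in root.findall("./installedpackages/snortglobal/rule"):
        name = (rule.findtext("interface") or "").strip()
        descr = (rule.findtext("descr") or name).strip()
        mapping[descr] = logical_to_dev.get(name, name)
    return mapping


def stale_snort_interfaces(config_xml, present):
    """Descriptions of Snort entries whose device is not in `present`."""
    present = set(present)
    return sorted(descr for descr, dev in snort_interface_map(config_xml).items()
                  if dev not in present)


if __name__ == "__main__":
    # With a path argument: check that config.xml against the running
    # kernel.  Without one: run against the constructed sample and a NIC
    # list that deliberately lacks re1, so one stale entry is reported.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            xml_text = fh.read()
        nics = kernel_interfaces()
    else:
        xml_text, nics = SAMPLE_CONFIG, {"re0", "lo0"}
    for descr, dev in snort_interface_map(xml_text).items():
        state = "ok" if dev in nics else "MISSING: Snort will not start here"
        print(f"{descr:8s} -> {dev:6s} {state}")
    sys.exit(1 if stale_snort_interfaces(xml_text, nics) else 0)
```

Run it on the firewall with the path to config.xml as the only argument (or with no argument anywhere, to see the sample case). A non-zero exit means at least one Snort entry is bound to a device the kernel does not have, and the printed mapping names exactly which entries to delete and re-add on the Snort Interfaces tab instead of reinstalling the whole package.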
Well, it seems there is another jinn at play as well, besides that interfaces issue...
Snort was working fine for 3 days, with AppID and open virt (almost all except those for servers) selected.
Then I wanted to enable Emerging Threats, and when I updated the rules and went back to the interface to check the Snort status, it was shown as red. Looked after 20 minutes, still red. Tried to turn it on, and after 20-30 minutes it was still red, and the progress bar in Chrome for the tab was circling around like a loading page, but nothing would happen.
Then I disabled Emerging Threats and tried to start it on the interface and did update definitions. Same result as above.
Restarted the Snort service from Services. Same as above...
I selected reboot from the GUI; nothing happens, no reboot confirmation dialog.
Tried to open a new tab to the pfSense GUI; it won't open (max sessions are at the default of 2).
Then I SSHed in and rebooted it, and after 10 minutes Snort still had not started on the interface.
Then I removed the WAN interface, re-added it to Snort, configured only open virt and AppID and tried to start it. No luck.
Then I removed the WAN interface, rebooted, added it again, configured it again with the settings that worked for me. Still no luck.
-
Snort was working fine for 3 days, with AppID and open virt (almost all except those for servers) selected.
Then I wanted to enable Emerging Threats...
Dunno which part of "you do NOT have enough RAM to run insanely huge rulesets" (let alone on multiple interfaces) is exactly unclear here.
Hmm, if I admit that it's insufficient RAM that made Snort stop working after enabling Emerging Threats, after it was running fine for 3 days... what I fail to comprehend is why I am unable to start it again when I go back to the former working settings?
If it was working and a change stopped it from working, shouldn't undoing that change as done above revert its consequences?
I have uninstalled Snort and have selected the option to remove settings after uninstall.
It's being installed. I will again configure it with the same settings that were working fine for the past three days.
edit:
It's now installed and running with its former settings.
So it seems that it's a sort of bug :-[
-
You really do not have enough RAM in that firewall to reliably run Snort. You are getting this random behavior most likely because you are running out of memory and RAM Drive disk space. On a Nano-based system, some of your 1 GB of RAM is used to provide the /tmp and /var disk partitions. That further limits the free RAM available to Snort. Also, with only 1 GB of RAM to start with, those two RAM Disk partitions are going to be a bit tight when it comes to holding the rules tarball files during updates and even when downloading and extracting the PBI package files on installs. When you exhaust the /tmp or /var partitions during package installation, weird and random stuff can happen. I suspect it's working when you wipe the settings out because then it is not exhausting RAM during reinstallation when trying to restore the saved settings and download all the previously selected rules at once.
The same Snort package has run uninterrupted for months on my firewall with three active interfaces and quite a few rules. I have never had an issue with a Snort upgrade. My firewall has a 40 GB conventional hard disk and 16 GB of RAM. Prior to this one, I had a box with 4 GB of RAM and never had any issues there either. You need lots of RAM and plenty of disk space for logging to reliably run Snort and Suricata. NanoBSD is just not a good platform for running these two packages. I'm not saying it can't work if you throw enough RAM at it, but most NanoBSD installs don't have a lot of RAM.
Bill
Snort was running fine for another 35+ hours. Besides, I also added FreeRADIUS (it would hardly authenticate 3-5 users in the entire day), and it was working fine.
However, I got 2GB DDR2 RAM for my box (that's its max, as it has a single slot) and still all is OK, though I haven't enabled Emerging Threats, and I increased the space of /var and /tmp to 150 MB,
as I fear it will again break things and I would have to remove Snort and redo all configs.
A 32GB SSD is being shipped from China via slow boat. Waiting for it to do a full-blown installation.