After 2.3 Upgrade, Snort Auto Stops after an hour or so [SOLVED]



  • I have been experiencing an issue with Snort on pfsense 2.3 where the package Stops after an hour and won't restart. I using the exact same setup of options used in pfsense 2.2.6 with the most current version of snort and it all worked fine. With 2.3, it is not working for me. Plus, saving and changing menus is painfully slow. I have even wiped the discs and did a fresh install and setup up pfsense manually followed by setting up snort and I achieve the same result.



  • Do you have a standard hard disk install, or is this a NanoBSD install on a CF card of some type?  Nano installs of Snort and Suricata can be very problematic due to the limited memory and RAM disk space.  Same thing can happen on other systems if you enable the RAM disks option and do not make the /tmp and /var partitions large enough.

    Bill



  • Sir, I should probably update you since this I have been working within my skill set to resolve this issue. I am still getting the auto stops but I can restart them. originally, when I wrote the post, I had done the upgrade and let everything run as it the setup was before it upgraded and I had stops that were not restartable. So I did a fresh install and used a baseline backup to restore which included only basic settings and an installation of snort. Doing this, I still experienced the same stops after an hour that I could not restart. So, the third thing I did was do another fresh install and manually set things as I did in my baseline backup and a lot of things are far smoother with 2.3; with the exception of snort which seems to still stop about every hour or so but I can restart it now. It's a real head scratcher.

    I am using the standard install on an mSATA. I was using the same hardware on pfsense 2.2.6 with issue. Is there some diagnostic I can run to help you troubleshoot the issue?



  • @jbhowlesr:

    Sir, I should probably update you since this I have been working within my skill set to resolve this issue. I am still getting the auto stops but I can restart them. originally, when I wrote the post, I had done the upgrade and let everything run as it the setup was before it upgraded and I had stops that were not restartable. So I did a fresh install and used a baseline backup to restore which included only basic settings and an installation of snort. Doing this, I still experienced the same stops after an hour that I could not restart. So, the third thing I did was do another fresh install and manually set things as I did in my baseline backup and a lot of things are far smoother with 2.3; with the exception of snort which seems to still stop about every hour or so but I can restart it now. It's a real head scratcher.

    I am using the standard install on an mSATA. I was using the same hardware on pfsense 2.2.3 with issue. Is there some diagnostic I can run to help you troubleshoot the issue?

    Perhaps you have traffic triggering a particular rule that is causing a problem.  Take a look in at the ALERTS tab and see if any alert series seems to repeat about the same time as the stops (assuming you can determine the time Snort stopped).  I have Snort running on a 2.3 pfSense virtual machine and it has been running for 36 hours or so non-stop as of now.  Granted the VM does not see a ton of traffic, though.

    Bill



  • Seems this issue resolved itself when I updated to the 3.2.9.1_11 package so I'm marking it at solved.


Log in to reply