Netgate SG-1000 microFirewall

Author Topic: Snort process runs crazy when WAN IP (PPPoE) reconnects  (Read 523 times)

0 Members and 1 Guest are viewing this topic.

Offline epionier

  • Jr. Member
  • **
  • Posts: 68
  • Karma: +1/-0
    • View Profile
Snort process runs crazy when WAN IP (PPPoE) reconnects
« on: June 06, 2016, 06:21:46 pm »

unfortunately I am having a problem with SNORT and I cannot find a solution.

I posted my problem in "General Questions" first but I can nail it down to misbehavior of the snort process that is why I am asking in this section again if anyone has the same problem - or better the solution - because it drives me crazy. Here is more information of my problem:

I am running pfSense 2.3.1_1 on ESXI 6.0 as a VM (v11). 1 vCPU (Xeon L5640) and 2 NICs (VMXNET3).

The vSwitch of ESXI is for WAN port set to allow promiscuous mode.

SNORT is activated for WAN port.

Every night when PPPoE reconnects on 0:10 my snort process runs crazy so that CPU usage is 100%. pfSense is still working (like IPSec and Squid) but I am unable to log in via Web Interface or Console/SSH and the CPU remains on 100% for hours. On the console I only see the line:
"*** Welcome to pfSense 2.3.1-RELEASE-p1 (amd64 full-install) on firewall ***" and nothing more (like the selection) so mostly I am unable to access the Shell to kill the snort process.

I tried to enable/disable TSO+LRO+device polling under "Advanced Networking" in all kind of combinations (with reboot) but the problem remains.

I also changed the NIC for WAN to an Intel i350 NIC but the problem remains.

I have to reboot pfSense to get it working properly again until the next WAN reconnect or - when I was already in the SHELL via Console - I can solve the problem temporarely by killing the snort process (kill -9 Snort_PID) and CPU is immediately going down to 0% again.

Pattern match is AC-BNFA and Barnyard2 is disabled. RAM is more than sufficient.
I can post more information about configuration/etc. when needed.

I also tried to uninstall SNORT (including configuration) and reinstalled it freshly but the problem remains.
(Also not all configuration is deleted this way, e.g. the Oinkmaster code for Snort VRT rules is still listed in the text field after the fresh reinstall.)

Does anyone has a clue how to fix this?