Topic: Snort 3.2.9 and pfSense 2.4.x routing/slowdown issues


RichH
Snort 3.2.9 and pfSense 2.4.x routing/slowdown issues
« on: February 08, 2018, 03:06:42 pm »
Anyone else having trouble with Snort 3.2.9.x and pfSense 2.4.x?

I have been testing pfSense 2.4.2p1 using packages pfBlockerNG 2.1.2_2 and mailreport 3.1.  It seemed to work great, so I added Snort 3.2.9.6_1 and configured it.  It looked good and was working OK for a while.  Then some traffic like Google Docs, Gmail, etc. started to quit working, and it continued to get worse until almost no web traffic would work after a day or so.  Restarting every service available in the GUI did not help.  Only a server restart fixed the problem once it occurred.  So I started playing with it and found I could simulate the problem by going to dslreports.com speedtest and running the test repeatedly.  After numerous tries, the problem would reoccur.  I also found the upload speeds to be absolutely dismal with Snort turned on -- without Snort I get upload/download speeds of more than 500 Mbps.  With Snort on, the upload speeds vary but are usually much less than 20 Mbps.  I would start to notice problems at the dslreports speedtest when only a few of the green slices of the circle of available servers would show up.  Once it got bad, only a reboot would fix it.  The logs do not show any problems.  Shutting off Snort w/o a reboot once it is bad does not help.  I did not see any blocked traffic in Snort to indicate a problem (like blocking the sites I was trying to visit).  Waiting for hours did not fix it.

My hardware and what I have tried:

HP G6 server with dual Xeon(R) CPU X5650
Broadcom 1 Gig ethernet x 4
40 Gig Memory
160 Gig HDD
Dual WAN gateway with failover, fast speeds over 500 Mbps on the primary and 100 Mbps on the secondary.

Tried:
1.  Turning off all but a few rules in Snort.  Made the speeds go up slightly, but after a while the main problem of non-functional Internet routing would return.
2.  Tried setting kern.ipc.nmbclusters to 131072 (some sites I read suggested that might help).  No difference, even after a restart.
3.  Tried turning off/restarting services.  Didn't help.
4.  Turning Snort off but leaving it installed works after a restart but not if the problem has already occurred without a reboot.
5.  Reboot fixes the problem until it occurs again.

bartkowski
Re: Snort 3.2.9 and pfSense 2.4.x routing/slowdown issues
« Reply #1 on: February 09, 2018, 08:55:40 am »
I can say that while doing a speedtest via beta.speedtest.net yesterday, I noticed my speeds were about 35/8. I disabled Snort, and tests showed 80/10. Since Snort is inspecting packets, I guess I see why this would happen, but I wonder if my settings could be changed to improve performance a bit. Also, I think Snort, maybe in combination with other packages (pfBlockerNG, ntopng, et al.), causes my webConfigurator to not be available (this happens every few days). The only solution seems to be a console restart of webConfigurator and PHP-FPM, or a system reboot.
« Last Edit: February 09, 2018, 08:59:51 am by bartkowski »

dales
Re: Snort 3.2.9 and pfSense 2.4.x routing/slowdown issues
« Reply #2 on: February 10, 2018, 07:12:53 pm »
Quote
4.  Turning Snort off but leaving it installed works after a restart but not if the problem has already occurred without a reboot.
5.  Reboot fixes the problem until it occurs again.

If the problem is persisting after snort exits that suggests there could be a lower level bug getting tickled.  Snort doesn't do anything too funky with the NIC other than putting it into promiscuous mode.

As an experiment, you might try using ifconfig to put the interface into promiscuous mode without snort running, then do your speedtest runs and see if the problem occurs.

--
Dale

RichH
Re: Snort 3.2.9 and pfSense 2.4.x routing/slowdown issues
« Reply #3 on: February 21, 2018, 01:23:39 pm »
Dale thanks for the suggestions.  After some time of testing I found:

1.  The primary problem was Snort's Preproc http blocking most of the IPs for the speedtest, even after turning virtually all rules off.  If I cleared the blocks it would start to work again (instead of rebooting, which also clears the blocks) before blocking all the IPs again.  I could not find a way to fix this except to turn off the Preproc http (which numerous posts claim will break much of Snort), or to install suppress rules to suppress the rules that were too aggressive (I didn't test the suppress method, finding that to be a little cumbersome for basic functionality).

2.  The secondary problem with the upload speed being low was using the bce network driver (built in Broadcom NICs).  Apparently this driver or hardware has issues with BSD.  I switched to another NIC that used the bxe driver and the upload speed problem went away.  I'm going to try some better Intel NICs later to try and take advantage of the "Netmap" functionality.

I'm testing Suricata now, finding it less cumbersome so far.
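The triage step behind RichH's finding, as an added example that is not code from this thread or from the pfSense/Snort projects: read Snort alert_fast log lines, group alerts by generator and signature ID, and work out which preprocessor rules are firing against many distinct remote hosts, so that a suppress list (the alternative to disabling the HTTP preprocessor outright) can be written against just those rules. It assumes the Snort 2.9 alert_fast line format and the GIDs 119 and 120 used by the http_inspect preprocessor; the sample alert lines, the local network 192.0.2.0/24 and all IP addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Snort 2.9 alert_fast format (not real log data).
SAMPLE_ALERTS = """\
02/21-13:01:02.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
02/21-13:01:05.223456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51002 -> 198.51.100.5:80
02/21-13:01:09.323456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.10:51004
02/21-13:02:11.423456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.0.2.10:51010
02/21-13:02:15.523456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51012 -> 198.51.100.6:80
"""

# Generator IDs of the http_inspect preprocessor in Snort 2.9 (client side 119, server side 120).
HTTP_INSPECT_GIDS = {119, 120}

# [gid:sid:rev] (optional preprocessor tag) message [**] ... {PROTO} src:port -> dst:port  (IPv4 only)
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<preproc>[a-z_]+)\)\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({
                "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
                "preproc": m["preproc"], "src": m["src"], "dst": m["dst"],
            })
    return events


def summarize(events, local_net="192.0.2.0/24"):
    """Group alerts by (gid, sid) and record which remote hosts each rule hit.

    The remote host is whichever endpoint is outside local_net; its role
    ("src" or "dst") is kept so a per-host suppress can use the right track key.
    """
    net = ipaddress.ip_network(local_net)
    by_rule = defaultdict(lambda: {"count": 0, "remote": {}, "msg": ""})
    for ev in events:
        src_is_local = ipaddress.ip_address(ev["src"]) in net
        remote_ip, role = (ev["dst"], "dst") if src_is_local else (ev["src"], "src")
        entry = by_rule[(ev["gid"], ev["sid"])]
        entry["count"] += 1
        entry["remote"][remote_ip] = role
        entry["msg"] = ev["msg"]
    return dict(by_rule)


def suppress_lines(summary, gids=HTTP_INSPECT_GIDS, noisy_hosts=2):
    """Emit threshold.conf suppress entries for preprocessor rules only.

    A rule that fired against noisy_hosts or more distinct remote hosts is
    treated as noisy and suppressed globally; otherwise it is suppressed just
    for the hosts it fired against. Signature rules (other GIDs) are left alone.
    """
    out = []
    for (gid, sid), entry in sorted(summary.items()):
        if gid not in gids:
            continue
        out.append(f"# {entry['msg']}: {entry['count']} alerts, {len(entry['remote'])} remote host(s)")
        if len(entry["remote"]) >= noisy_hosts:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
        else:
            for ip, role in sorted(entry["remote"].items()):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_{role}, ip {ip}")
    return out


if __name__ == "__main__":
    for line in suppress_lines(summarize(parse_alerts(SAMPLE_ALERTS))):
        print(line)
```

Run it against a real `alert` file (on pfSense, under /var/log/snort/) and review the printed entries before pasting them into the interface's suppress list; the per-host form keeps the preprocessor's coverage for everything except the hosts it is demonstrably misfiring on, which is the cheaper fix compared with disabling the preprocessor.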