I am having issues with running a stable SNORT in NST 34. I don't wish to revert back to NST32, so hoping someone else is encountering this.
I got SNORT running but when I run the dump stats button it doesn't provide the stats and the instance starts reloading and gets stuck at reloading.
I am not finding any errors in the logs so not sure if it is a settings change or if I should just revert back as I am running out of time to fix this.
I also cannot get it to trigger alerts when testing. I was only able to trigger a custom rule to get it to display in Sguil. I ran some outside the network scans which normally trigger alerts and nothing triggered.
Any second eyes appreciated before I revert back to NST32.
You have identified a bug when dumping snort stats. Currently you can manually send a SIGUSR1 signal to the running snort instance at a bash shell.
Example for snort process: 213972
kill -s SIGUSR1 213972;
We will be working on a fix for this issue.
We have had no known issues triggering snort alerts. Please recheck your snort rules and "Home Net" and "External Net" settings.
Excellent Ron! Thanks for looking into that.
It is possible the light external scan I did wasn't enough to trigger something and my network is clean. The Qualys scans normally trigger alerts but I lost my subscription recently so I used another tool.
It is nice to know I didn't cause the stats dump issue.
Ok here is the solution for the snort stats action. We have published a public repository for NST 34.
For non-NST Pro users: On the command line type the following.
dnf clean all;
dnf upgrade nstwui nstwui-filesystem snort;
Thank you!
SNORT is sending alerts now in my NST34 box after running the commands.
Still not sure what the Stats button is doing as when I go to view the messages log I don't see the typical dump or any dump. However, that isn't important for what I need SNORT for.
Thanks for taking the time to look at this issue.