Snort: Incorrect Initial Configuration Leading to Failure

antonin.chadima · November 2, 2025, 9:20pm

When IPS (Snort) is enabled for the first time in the Web UI, if the number of CPU cores (including Hyper-Threading/HT) exceeds 16 (a common occurrence on modern CPUs), the resulting configuration is incorrect, which prevents Snort from functioning.

The core problem is an incorrectly configured number of queues.

For example, a machine with 16 physical cores and HT enabled presents 32 logical processors (threads) to the operating system.

The generated configuration file (/etc/config/snort) contains the following error:

config nfq 'nfq'
        option queue_count '32'
...
        option thread_count '32'
...

This configuration triggers the following error upon manual startup service snort restart and check snort-mgr check:

ERROR: In option queue_count=‘32’, must be 1 <= x <= 16 Errors during generation of snort config

But the IPS/Snort is silently broken and the Web UI indicates, that everything is fine,

antonin.chadima · November 3, 2025, 5:33am

Solution: Manually edit the number of queues (e.g., set queue_count to 16) and restart the Snort service.

Tbaile · November 3, 2025, 8:49am

This is the first time we got this reported. The changes you’ve made are being overridden every time the snort config is being saved!

A bug report should be filled, to keep track of it, since you’ve got the gist of it would you kindly do it?

filippo_carletti · November 3, 2025, 11:45am

Maybe relevant: config: set queue count limit to 16 (#34) · NethServer/nethserver-suricata@afdb6e5 · GitHub

Tbaile · November 3, 2025, 1:05pm

Filed a bug report:

github.com/NethServer/nethsecurity

IPS: Configuration fails with CPUs with more than 16 logical cores

opened 01:05PM - 03 Nov 25 UTC

Tbaile

controller

**Steps to reproduce** - Enable IPS (Snort) for the first time using the Web UI…. - Use a machine with more than 16 logical CPU cores (e.g., 16 physical cores with Hyper-Threading shows 32 logical cores). - Observe the generated configuration file at /etc/config/snort: ``` config nfq 'nfq' option queue_count '32' ... option thread_count '32' ... ``` - Try to manually restart Snort (`service snort restart` or `snort-mgr check`). **Expected behavior** - Snort should be correctly configured and function with any modern CPU, including those that report more than 16 logical cores. **Actual behavior** - Configuration generation sets `queue_count` and `thread_count` to values exceeding the maximum allowed (16), causing configuration errors: ``` ERROR: In option queue_count=‘32’, must be 1 <= x <= 16 Errors during generation of snort config ``` - The IPS/Snort service silently fails while the Web UI incorrectly indicates a healthy status. **Components** - ns-api 3.4.0-r1 **Proposed solution** - Apply a `min()` function to `queue_count` and `thread_count` values so that they do not exceed 16, regardless of logical core count. **See also** - https://community.nethserver.org/t/snort-incorrect-initial-configuration-leading-to-failure/26547