    NTOP and Snort seem to be broken

    • E
      eyepodder last edited by

      Hello all,

      I upgraded to 1.2 and everything was fine, but then I added snapshot pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-06-04-2007.tgz and I no longer had snort, but I noticed it wasn't on the package list, which is fine. But I tried to install ntop; it installed OK and said it started, but when you check STATUS > SERVICES it's stopped. When you go and start it up it says it has started, but it's still not started. So I uninstalled it.

      Today I noticed that snort was available, so I tried installing it. Same thing: it installs fine, but under STATUS > SERVICES it's not running, and when you try to start it up it says it started fine but it still has the red X (stopped). I also tried installing ntop again; same thing. When you go to ntop under Diagnostics it times out, so ntop is not started.

      I tried uninstalling and reinstalling, and reapplying the snapshot. It didn't help.

      Any ideas?

      Should I go back to 1.2?

      • A
        alonelion last edited by

        I have ntop running and I installed snort, but I have the same problem: snort is not running. Is there any incompatibility between ntop and snort?

        • S
          Slam last edited by

          I haven't upgraded in weeks, but I just installed SNAPSHOT-06-06-2007.

          Both NTOP and Snort are working fine for me. Give that above version a try.

          Regards

          Slam

          • C
            caseystone last edited by

            I'm new to pfSense, but I like it so far.

            I installed on my machine from the LiveCD 1.2-Beta-1 from 4/30/07, and then grabbed the 6-6-07 snapshot. I added the package SNORT, got my Oinkmaster code, updated definitions and such, but I don't think it's working. When I go to Services->Snort in the webgui and check for blocked IPs or alerts, there are none.

            From a shell, Top:

            
            last pid: 19201;  load averages:  0.07,  0.29,  0.20                                                          up 0+02:58:29  18:26:02
            31 processes:  1 running, 30 sleeping
            CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
            Mem: 43M Active, 46M Inact, 66M Wired, 111M Buf, 841M Free
            Swap: 
            
              PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
              482 root        1   4    0 23060K 21208K accept   0:03  0.00% php
             1575 root        1   8   20  1752K  1256K wait     0:01  0.00% sh
              472 root        1   4    0  3736K  3240K kqread   0:01  0.00% lighttpd
              481 root        1   4    0 22608K 20644K accept   0:01  0.00% php
             1397 root        1   8   20  1272K   720K nanslp   0:00  0.00% check_reload_status
            18550 root        1  96    0  2424K  1652K RUN      0:00  0.00% top
              232 root        1  96    0  1180K   796K select   0:00  0.00% mpd
              303 root        1 -58    0  3552K  1752K bpf      0:00  0.00% tcpdump
              852 _ntp        1  96    0  1340K  1052K select   0:00  0.00% ntpd
              190 root        1  96    0  1440K  1040K select   0:00  0.00% syslogd
            18448 root        1  96    0  5744K  2788K select   0:00  0.00% sshd
              441 proxy       1   4    0   656K   416K kqread   0:00  0.00% pftpx
              816 dhcpd       1  96    0  2264K  1896K select   0:00  0.00% dhcpd
              857 root        1   8    0  1384K  1016K nanslp   0:00  0.00% cron
              589 root        1 102    0  1336K  1096K select   0:00  0.00% mpd
              546 nobody      1  96    0  1460K  1088K select   0:00  0.00% dnsmasq
              477 root        1   8    0 14200K  4708K wait     0:00  0.00% php
              478 root        1   8    0 14200K  4708K wait     0:00  0.00% php
              855 root        1  96    0  1376K  1048K select   0:00  0.00% ntpd
             1411 root        1   8    0  1712K  1360K wait     0:00  0.00% login
              304 root        1  -8    0  1276K   724K piperd   0:00  0.00% logger
            18539 root        1  20    0  3772K  2776K pause    0:00  0.00% tcsh
             1399 root        1   8    0  1268K   732K nanslp   0:00  0.00% minicron
              114 root        1  96    0   504K   360K select   0:00  0.00% devd
              238 root        1  -8    0  1268K   628K piperd   0:00  0.00% sshlockout_pf
            18451 root        1   8    0  1728K  1212K wait     0:00  0.00% sh
             1484 root        1   5    0  1724K  1208K ttyin    0:00  0.00% sh
             1483 root        1   8    0  1720K  1204K wait     0:00  0.00% sh
              237 root        1  96    0  3060K  2404K select   0:00  0.00% sshd
            18428 root        1   4    0  1292K   908K kqread   0:00  0.00% snort2c
            19186 root        1   8   20  1256K   468K nanslp   0:00  0.00% sleep
            
            

            For a while I briefly saw 'snort' (not snort2c) at around 96% cpu usage, but now it's gone.

            messages:
            (truncated)

            
            Jun 27 18:18:49 	snort[18423]: | gen-id=1 sig-id=6487 type=Limit tracking=src count=1 seconds=300
            Jun 27 18:18:49 	snort[18423]: | gen-id=1 sig-id=6487 type=Limit tracking=src count=1 seconds=300
            Jun 27 18:18:49 	snort[18423]: +-----------------------[suppression]------------------------------------------
            Jun 27 18:18:49 	snort[18423]: +-----------------------[suppression]------------------------------------------
            Jun 27 18:18:49 	snort[18423]: | none
            Jun 27 18:18:49 	snort[18423]: | none
            Jun 27 18:18:49 	snort[18423]: -------------------------------------------------------------------------------
            Jun 27 18:18:49 	snort[18423]: -------------------------------------------------------------------------------
            Jun 27 18:18:49 	snort[18423]: Rule application order: ->activation->dynamic->pass->drop->alert->log
            Jun 27 18:18:49 	snort[18423]: Rule application order: ->activation->dynamic->pass->drop->alert->log
            Jun 27 18:18:49 	snort[18423]: Log directory = /var/log/snort
            Jun 27 18:18:49 	snort[18423]: Log directory = /var/log/snort
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'fkwp_conn_suc_cts' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'fkwp_conn_suc_cts' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'backdoor.charon.download.log.1' is checked but not ever set.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'backdoor.charon.download.log.1' is checked but not ever set.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'odf.file' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'odf.file' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'optixlite_fai_conn_cts' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: Warning: flowbits key 'optixlite_fai_conn_cts' is set but not ever checked.
            Jun 27 18:18:49 	snort[18423]: 327 out of 512 flowbits in use.
            Jun 27 18:18:49 	snort[18423]: 327 out of 512 flowbits in use.
            Jun 27 18:18:49 	snort[18423]: Initializing daemon mode
            Jun 27 18:18:49 	snort[18423]: Initializing daemon mode
            Jun 27 18:18:49 	snort[18425]: PID path stat checked out ok, PID path set to /var/run/
            Jun 27 18:18:49 	snort[18425]: PID path stat checked out ok, PID path set to /var/run/
            Jun 27 18:18:49 	snort[18425]: Writing PID "18425" to file "/var/run//snort_ng0.pid"
            Jun 27 18:18:49 	snort[18425]: Writing PID "18425" to file "/var/run//snort_ng0.pid"
            Jun 27 18:18:49 	snort[18423]: Daemon parent exiting
            Jun 27 18:18:49 	snort[18423]: Daemon parent exiting
            Jun 27 18:18:49 	snort[18425]: Daemon initialized, signaled parent pid: 18423
            Jun 27 18:18:49 	snort[18425]: Daemon initialized, signaled parent pid: 18423
            Jun 27 18:18:49 	snort2c[18428]: snort2c running in daemon mode pid: 18428
            Jun 27 18:18:49 	snort2c[18428]: snort2c running in daemon mode pid: 18428
            
            

            Should it be working?

            Thanks.

            -Casey
