Snort 2.9.4.6 Pkg v 2.5.9
-
Thanks Bill. There is certainly something wonky going on, on the latest 2.1 snapshots. I have reconfigured snort for just the WAN interface IPv4 (no IPv6). Further, I only have IPS Policy ( i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN. I see four (4) snort processes consuming up to 90% of the 6GB RAM and over 60% of the 16GB swap space.
Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?
-
Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?
You could read through this thread. I already made a note about this a few pages back ;)
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
I have some VMs I can test in. I have a July 4th 2.1 Snapshot that does not exhibit this behavior. I will "snapshot" that VM and then let it upgrade to the latest 2.1 RC snapshot and see what I can determine about the multiple Snort process starts.
I've been letting Snort cook for a while with no package updates for two reasons. First to see how things were performing for users, and to see if the FreeBSD port got updated to the 2.5.x Snort binary. I have a new version of the Snort package ready that implements multiple engine/server configurations for the FRAG3, STREAM5 and HTTP_INSPECT preprocessors.
Bill
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
pfSenseRocks:
I upgraded a test VM to the latest 2.1RC snapshot. I could not reproduce the multiple processes problem. I have Snort configured on two interfaces for the VM, and I only get two Snort processes. Now I am using my new 2.6.0 package code in the VM. I can try reverting a VM back to the current 2.5.9 package and try again.
Bill
-
That is great news, Bill. Thanks for the update. Let me update to the latest snapshot as well and see if I can reproduce your success.
-
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9 -
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9Looks like you have multiple VLANs on a single interface. I did not test that way. I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.
I have a theory about what could be happening. Unfortunately, if my theory is correct, this may be a hard bug to quash. Let me ponder on it and maybe also set up a VLAN configuration similar to yours. Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?
Bill
-
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
@jflsakfja:
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
I believe that would require to perform the lookups in advance for all IPs, which could overload some low bandwidth connections. I'm getting hundreds of alerts per hour for example. Personally I don't think that is a good idea. If there is a way to store the country IPs in RAM and perform the country lookup there, I'd be fine with that.
Edit: completely missed my mind: The functionality wanted is the exact same functionality offered by the "blue i" button next to IPs in the firewall logs
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
@jflsakfja:
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
While i understand on a high traffic network with alot of alerts this may not be wanted but to have the option would be fantastic. Maybe something that is enabled or disabled.. Good idea anyways. :-D
-
An option to display all IP's country that can be enabled and the "blue i" button next to the IP in the alerts/blocked tabs disappears when the option is enabled, when it is disabled, the "blue i" button is shown next to IPs (to prevent flooding the network with lookups)? Everybody is happy then ;D
-
I will take a look and see what's possible with regards to the DNS lookups on the Alerts and Blocked tabs. I like the idea of the blue icon and then a pop-up window containing the lookup results when clicked. That is the least I/O intensive procedure.
Bill
-
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9Looks like you have multiple VLANs on a single interface. I did not test that way. I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.
I have a theory about what could be happening. Unfortunately, if my theory is correct, this may be a hard bug to quash. Let me ponder on it and maybe also set up a VLAN configuration similar to yours. Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?
Bill
I have a similar issue. If there rc.start_packages is called, snort doesn't restart correctly. It will create new instances of snort… I've maxed out of resources on my box because of this..
[2.1-RC1][/root(1): ps -ax | grep snort 11617 ?? SNs 0:19.21 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 12256 ?? SNs 9:30.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 18390 ?? SNs 7:23.96 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 42825 ?? SNs 4:17.50 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 56893 ?? SNs 1:41.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 67712 ?? SNs 1:26.93 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 74458 ?? SNs 0:17.27 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/etc/snort 76099 ?? SNs 3:40.18 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 90876 ?? SNs 1:26.13 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 93617 ?? SNs 0:05.95 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 63880 0 S+ 0:00.02 grep snort [2.1-RC1][root@pfsense.cino.homeip.net]/root(2):
-
can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?
Sorry about the tardy response, Bill. I have been traveling with intermittent to no internet connectivity.
Here's my config on pfSense:
VLAN10 WAN
VLAN11 LAN
VLAN12 GAN // Guest LANsnort:
WAN IPS security profile
LAN All other categories that aren't included in security profileBoth interfaces are configured for AC.
Sorry about the incomplete info. I am reciting from memory.
-
Cino and pfSenseRocks:
Thank you for the feedback on the multiple instances problem. I will be tied up the next few days on some business and then personal stuff, so it will be after the U.S. Labor Day Holiday (September 2nd) before I can devote a lot of time to researching this issue. The hint about rc.start_packages is helpful. I will see if I can get to the bottom of the problem, though. Different manifestations of what are probably the same underlying bug have shown up over the last year with Snort and restarts. Sometimes it seems to be fixed, and then it pops up again. Obviously we have not yet found the true root cause.
Bill
-
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
GW Log
Aug 28 10:41:13 apinger: SIGHUP received, reloading configuration. Aug 28 10:41:13 apinger: SIGHUP received, reloading configuration. Aug 28 10:40:58 apinger: SIGHUP received, reloading configuration. Aug 28 10:40:09 apinger: alarm canceled (config reload): WAN_DHCP(X.X.208.1) *** WAN_DHCPdown *** Aug 28 10:40:09 apinger: SIGHUP received, reloading configuration. Aug 28 10:39:53 apinger: ALARM: WAN_DHCP(X.X.208.1) *** WAN_DHCPdown ***
System Log
Aug 28 10:47:25 sshd[6872]: Accepted keyboard-interactive/pam for root from 192.168.200.6 port 28523 ssh2 Aug 28 10:43:28 SnortStartup[11968]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)... Aug 28 10:43:22 SnortStartup[10757]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)... Aug 28 10:43:19 kernel: em2: promiscuous mode enabled Aug 28 10:43:11 SnortStartup[9674]: Snort START for LAN Alerting(5622_em2)... Aug 28 10:43:09 SnortStartup[8925]: Snort SOFT RESTART for WAN Alerting(59292_em3)... Aug 28 10:43:02 SnortStartup[7961]: Snort START for LAN Alerting(5622_em2)... Aug 28 10:42:58 SnortStartup[6717]: Snort START for WAN Alerting(59292_em3)... Aug 28 10:42:57 kernel: em3: promiscuous mode enabled Aug 28 10:42:45 SnortStartup[67423]: Snort START for WAN Blocking(60770_em3)... Aug 28 10:42:38 kernel: em2: promiscuous mode disabled Aug 28 10:42:37 snort[9920]: *** Caught Term-Signal Aug 28 10:42:36 SnortStartup[64481]: Snort STOP for LAN Alerting(5622_em2)... Aug 28 10:42:33 SnortStartup[60383]: Snort START for WAN Blocking(60770_em3)... Aug 28 10:42:31 SnortStartup[57262]: Snort START for WLAN Guest Alerting(63656_em0_vlan5)... Aug 28 10:42:28 kernel: em2: promiscuous mode enabled Aug 28 10:42:24 kernel: em3: promiscuous mode disabled Aug 28 10:42:24 snort[73635]: *** Caught Term-Signal Aug 28 10:42:23 SnortStartup[5755]: Snort STOP for WAN Alerting(59292_em3)... Aug 28 10:42:20 bandwidthd: Drawing initial graphs Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:20 bandwidthd: Drawing initial graphs Aug 28 10:42:20 bandwidthd: Opening em2 Aug 28 10:42:20 bandwidthd: Finished recovering 8648 records Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:20 bandwidthd: Opening em2 Aug 28 10:42:20 bandwidthd: Finished recovering 1761 records Aug 28 10:42:20 bandwidthd: Recovering from log.1.0.cdf Aug 28 10:42:20 bandwidthd: Finished recovering 4016 records Aug 28 10:42:20 bandwidthd: Recovering from log.1.1.cdf Aug 28 10:42:20 bandwidthd: Finished recovering 4015 records Aug 28 10:42:20 bandwidthd: Recovering from log.2.0.cdf Aug 28 10:42:20 bandwidthd: Finished recovering 1131 records Aug 28 10:42:20 bandwidthd: Drawing initial graphs Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:20 bandwidthd: Opening em2 Aug 28 10:42:20 bandwidthd: Drawing initial graphs Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:20 bandwidthd: Finished recovering 123 records Aug 28 10:42:20 bandwidthd: Opening em2 Aug 28 10:42:20 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:42:20 bandwidthd: Finished recovering 2696 records Aug 28 10:42:20 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:42:20 bandwidthd: Finished recovering 1208 records Aug 28 10:42:20 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:42:20 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:42:20 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:42:20 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:42:20 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:42:19 snort[63368]: *** Caught Term-Signal Aug 28 10:42:18 SnortStartup[1275]: Snort STOP for WAN Blocking(60770_em3)... Aug 28 10:42:18 bandwidthd: Finished recovering 2696 records Aug 28 10:42:18 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:42:18 bandwidthd: Finished recovering 1208 records Aug 28 10:42:18 bandwidthd: Drawing initial graphs Aug 28 10:42:18 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:18 bandwidthd: Opening em2 Aug 28 10:42:18 bandwidthd: Finished recovering 123 records Aug 28 10:42:18 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:42:18 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:42:18 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:42:18 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:42:18 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:42:18 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:42:16 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found' Aug 28 10:42:14 squid[78388]: Squid Parent: (squid-1) process 78602 started Aug 28 10:42:14 squid[78388]: Squid Parent: will start 1 kids Aug 28 10:42:14 squid[77880]: Squid Parent: (squid-1) process 78063 started Aug 28 10:42:13 squid[77880]: Squid Parent: will start 1 kids Aug 28 10:42:11 squid[57908]: Squid Parent: (squid-1) process 58242 exited with status 0 Aug 28 10:42:10 squid[60746]: Squid Parent: (squid-1) process 61166 exited with status 0 Aug 28 10:42:10 SnortStartup[74072]: Snort START for LAN Alerting(5622_em2)... Aug 28 10:42:07 bandwidthd: Drawing initial graphs Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:07 bandwidthd: Opening em2 Aug 28 10:42:07 bandwidthd: Finished recovering 8648 records Aug 28 10:42:07 bandwidthd: Drawing initial graphs Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:07 bandwidthd: Opening em2 Aug 28 10:42:07 bandwidthd: Finished recovering 1761 records Aug 28 10:42:07 bandwidthd: Recovering from log.1.0.cdf Aug 28 10:42:07 bandwidthd: Finished recovering 4016 records Aug 28 10:42:07 bandwidthd: Recovering from log.2.0.cdf Aug 28 10:42:07 bandwidthd: Finished recovering 1131 records Aug 28 10:42:07 bandwidthd: Drawing initial graphs Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:07 bandwidthd: Opening em2 Aug 28 10:42:07 bandwidthd: Finished recovering 123 records Aug 28 10:42:07 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:42:07 bandwidthd: Finished recovering 1208 records Aug 28 10:42:07 bandwidthd: Recovering from log.1.1.cdf Aug 28 10:42:07 bandwidthd: Finished recovering 4015 records Aug 28 10:42:07 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:42:07 bandwidthd: Drawing initial graphs Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:07 bandwidthd: Opening em2 Aug 28 10:42:07 bandwidthd: Finished recovering 2696 records Aug 28 10:42:07 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:42:07 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:42:07 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:42:07 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:42:07 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:42:06 SnortStartup[70343]: Snort START for WAN Alerting(59292_em3)... Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing. Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:42:05 bandwidthd: Drawing initial graphs Aug 28 10:42:05 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:05 bandwidthd: Opening em2 Aug 28 10:42:05 bandwidthd: Finished recovering 2696 records Aug 28 10:42:05 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:42:05 bandwidthd: Finished recovering 1208 records Aug 28 10:42:05 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:42:05 bandwidthd: Drawing initial graphs Aug 28 10:42:05 bandwidthd: Packet Encoding: Ethernet Aug 28 10:42:05 bandwidthd: Opening em2 Aug 28 10:42:05 bandwidthd: Finished recovering 123 records Aug 28 10:42:05 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:42:05 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:42:05 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:42:05 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:42:05 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:42:04 kernel: em3: promiscuous mode enabled Aug 28 10:42:03 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found' Aug 28 10:42:03 check_reload_status: Syncing firewall Aug 28 10:42:01 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:42:01 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:42:01 squid[60746]: Squid Parent: (squid-1) process 61166 started Aug 28 10:42:01 squid[60746]: Squid Parent: will start 1 kids Aug 28 10:42:01 squid[57908]: Squid Parent: (squid-1) process 58242 started Aug 28 10:42:01 squid[57908]: Squid Parent: will start 1 kids Aug 28 10:42:00 upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost established Aug 28 10:42:00 upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550] Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:58 squid[33548]: Squid Parent: (squid-1) process 33781 exited with status 0 Aug 28 10:41:58 squid[32797]: Squid Parent: (squid-1) process 33693 exited with status 0 Aug 28 10:41:57 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:41:57 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:41:55 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:41:55 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:41:55 upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost lost Aug 28 10:41:55 upsmon[42711]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:54 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing. Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:41:50 upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550] Aug 28 10:41:50 upsmon[42403]: Startup successful Aug 28 10:41:50 upsd[42078]: Startup successful Aug 28 10:41:50 upsd[41895]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550 Aug 28 10:41:50 upsd[41895]: listening on 127.0.0.1 port 3493 Aug 28 10:41:50 upsd[41895]: listening on ::1 port 3493 Aug 28 10:41:50 usbhid-ups[41650]: Startup successful Aug 28 10:41:49 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:41:49 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:41:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:41:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:41:44 usbhid-ups[81311]: Signal 15: exiting Aug 28 10:41:44 upsd[81483]: Signal 15: exiting Aug 28 10:41:44 upsd[81483]: mainloop: Interrupted system call Aug 28 10:41:43 upsd[81483]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550] Aug 28 10:41:43 upsmon[82138]: Signal 15: exiting Aug 28 10:41:43 kernel: em0_vlan5: promiscuous mode enabled Aug 28 10:41:43 kernel: em0: promiscuous mode enabled Aug 28 10:41:42 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:41:42 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:41:41 SnortStartup[91233]: Snort START for WAN Blocking(60770_em3)... Aug 28 10:41:41 kernel: em0_vlan5: promiscuous mode disabled Aug 28 10:41:41 kernel: em0: promiscuous mode disabled Aug 28 10:41:37 upsd[81483]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550] Aug 28 10:41:37 upsmon[81868]: Startup successful Aug 28 10:41:37 upsd[81483]: Startup successful Aug 28 10:41:37 upsd[81321]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550 Aug 28 10:41:37 upsd[81321]: listening on 127.0.0.1 port 3493 Aug 28 10:41:37 upsd[81321]: listening on ::1 port 3493 Aug 28 10:41:37 usbhid-ups[81311]: Startup successful Aug 28 10:41:36 check_reload_status: Syncing firewall Aug 28 10:41:36 snort[81642]: *** Caught Term-Signal Aug 28 10:41:35 SnortStartup[78667]: Snort STOP for WLAN Guest Alerting(63656_em0_vlan5)... Aug 28 10:41:32 usbhid-ups[60672]: Signal 15: exiting Aug 28 10:41:32 upsd[61343]: Signal 15: exiting Aug 28 10:41:32 upsd[61343]: mainloop: Interrupted system call Aug 28 10:41:32 upsd[61343]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550] Aug 28 10:41:32 upsmon[61642]: Signal 15: exiting Aug 28 10:41:31 kernel: em2: promiscuous mode disabled Aug 28 10:41:31 snort[57737]: *** Caught Term-Signal Aug 28 10:41:31 SnortStartup[67098]: Snort STOP for LAN Alerting(5622_em2)... Aug 28 10:41:28 php: rc.start_packages: Restarting/Starting all packages. Aug 28 10:41:28 kernel: em3: promiscuous mode disabled Aug 28 10:41:28 snort[56544]: *** Caught Term-Signal Aug 28 10:41:27 SnortStartup[59861]: Snort STOP for WAN Alerting(59292_em3)... Aug 28 10:41:24 snort[53396]: *** Caught Term-Signal Aug 28 10:41:23 SnortStartup[56750]: Snort STOP for WAN Blocking(60770_em3)... Aug 28 10:41:21 php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages. Aug 28 10:41:21 php: rc.newwanip: pfSense package system has detected an ip change 192.168.200.1 -> 192.168.200.1 ... Restarting packages. Aug 28 10:41:19 php: rc.newwanip: Creating rrd update script Aug 28 10:41:18 php: rc.newwanip: Creating rrd update script Aug 28 10:41:15 php: rc.start_packages: Restarting/Starting all packages. Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2). Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: Informational is starting ovpns2. Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: on (IP address: 192.168.200.1) (interface: opt1) (real interface: ovpns1). Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: Informational is starting ovpns1. Aug 28 10:41:13 ntpd_intres[52667]: ntpd exiting on signal 15 Aug 28 10:41:12 check_reload_status: Starting packages Aug 28 10:41:12 php: rc.newwanip: pfSense package system has detected an ip change x.x.210.112 -> x.x.210.112 ... Restarting packages. Aug 28 10:41:10 check_reload_status: rc.newwanip starting ovpns2 Aug 28 10:41:10 kernel: ovpns2: link state changed to UP Aug 28 10:41:10 bandwidthd: Drawing initial graphs Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:10 bandwidthd: Opening em2 Aug 28 10:41:10 php: rc.newwanip: Creating rrd update script Aug 28 10:41:10 bandwidthd: Finished recovering 1761 records Aug 28 10:41:10 bandwidthd: Drawing initial graphs Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:10 bandwidthd: Opening em2 Aug 28 10:41:10 bandwidthd: Finished recovering 8648 records Aug 28 10:41:10 bandwidthd: Recovering from log.1.0.cdf Aug 28 10:41:10 bandwidthd: Finished recovering 4016 records Aug 28 10:41:10 bandwidthd: Recovering from log.1.1.cdf Aug 28 10:41:10 bandwidthd: Finished recovering 4015 records Aug 28 10:41:10 bandwidthd: Drawing initial graphs Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:10 bandwidthd: Opening em2 Aug 28 10:41:10 bandwidthd: Finished recovering 2696 records Aug 28 10:41:10 bandwidthd: Recovering from log.2.0.cdf Aug 28 10:41:10 bandwidthd: Finished recovering 1131 records Aug 28 10:41:10 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:41:10 bandwidthd: Finished recovering 1208 records Aug 28 10:41:10 bandwidthd: Drawing initial graphs Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:10 bandwidthd: Opening em2 Aug 28 10:41:10 bandwidthd: Finished recovering 123 records Aug 28 10:41:10 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:41:10 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:41:10 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:41:10 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:41:10 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:41:10 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:41:10 check_reload_status: rc.newwanip starting ovpns1 Aug 28 10:41:10 kernel: ovpns2: link state changed to DOWN Aug 28 10:41:10 kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error Aug 28 10:41:10 kernel: ovpns1: link state changed to UP Aug 28 10:41:10 check_reload_status: Reloading filter Aug 28 10:41:10 php: rc.newwanip: Resyncing OpenVPN instances for interface WAN. Aug 28 10:41:08 bandwidthd: Drawing initial graphs Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:08 bandwidthd: Opening em2 Aug 28 10:41:08 bandwidthd: Finished recovering 8648 records Aug 28 10:41:08 bandwidthd: Drawing initial graphs Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:08 bandwidthd: Opening em2 Aug 28 10:41:08 bandwidthd: Drawing initial graphs Aug 28 10:41:08 bandwidthd: Finished recovering 1761 records Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:08 bandwidthd: Recovering from log.1.0.cdf Aug 28 10:41:08 bandwidthd: Opening em2 Aug 28 10:41:08 bandwidthd: Finished recovering 4016 records Aug 28 10:41:08 bandwidthd: Finished recovering 2696 records Aug 28 10:41:08 bandwidthd: Recovering from log.1.1.cdf Aug 28 10:41:08 bandwidthd: Recovering from log.3.0.cdf Aug 28 10:41:08 bandwidthd: Finished recovering 4015 records Aug 28 10:41:08 bandwidthd: Drawing initial graphs Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet Aug 28 10:41:08 bandwidthd: Opening em2 Aug 28 10:41:08 bandwidthd: Finished recovering 123 records Aug 28 10:41:08 bandwidthd: Recovering from log.4.0.cdf Aug 28 10:41:08 bandwidthd: Recovering from log.2.0.cdf Aug 28 10:41:08 bandwidthd: Finished recovering 1131 records Aug 28 10:41:08 bandwidthd: Recovering from log.2.1.cdf Aug 28 10:41:08 bandwidthd: Finished recovering 1208 records Aug 28 10:41:08 bandwidthd: Recovering from log.1.2.cdf Aug 28 10:41:08 bandwidthd: Recovering from log.2.2.cdf Aug 28 10:41:08 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0 Aug 28 10:41:08 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Aug 28 10:41:08 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found' Aug 28 10:41:06 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found' Aug 28 10:41:06 check_reload_status: Syncing firewall Aug 28 10:41:05 lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol Aug 28 10:41:04 squid[33548]: Squid Parent: (squid-1) process 33781 started Aug 28 10:41:04 squid[32797]: Squid Parent: (squid-1) process 33693 started Aug 28 10:41:04 squid[33548]: Squid Parent: will start 1 kids Aug 28 10:41:04 squid[32797]: Squid Parent: will start 1 kids Aug 28 10:41:01 php: rc.start_packages: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '' Aug 28 10:41:01 squid[80084]: Squid Parent: (squid-1) process 80621 exited with status 0 Aug 28 10:41:01 check_reload_status: updating dyndns wan Aug 28 10:41:01 squid[80808]: Squid Parent: (squid-1) process 81403 exited with status 0 Aug 28 10:40:59 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting default route to x.x.208.1 Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:58 php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:40:58 php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:58 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:58 php: rc.newwanip: rc.newwanip: on (IP address: x.x.210.112) (interface: wan) (real interface: em3). Aug 28 10:40:58 php: rc.newwanip: rc.newwanip: Informational is starting em3. Aug 28 10:40:57 lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing. Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 php: rc.linkup: ROUTING: setting default route to x.x.208.1 Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 kernel: if_rtdel: error 3 Aug 28 10:40:56 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error Aug 28 10:40:56 kernel: Aug 28 10:40:56 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:56 check_reload_status: rc.newwanip starting em3 Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:55 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no Aug 28 10:40:54 upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost established Aug 28 10:40:54 upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550] Aug 28 10:40:51 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:40:51 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml Aug 28 10:40:49 upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost lost Aug 28 10:40:49 upsmon[61642]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process. Aug 28 10:40:47 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:40:47 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml Aug 28 10:40:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:40:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:39 upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550] Aug 28 10:40:39 upsmon[61581]: Startup successful Aug 28 10:40:39 upsd[61343]: Startup successful Aug 28 10:40:39 upsd[61014]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550 Aug 28 10:40:39 upsd[61014]: listening on 127.0.0.1 port 3493 Aug 28 10:40:39 upsd[61014]: listening on ::1 port 3493 Aug 28 10:40:39 usbhid-ups[60672]: Startup successful Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 3.pool.ntp.org Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 2.pool.ntp.org Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 1.pool.ntp.org Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 0.pool.ntp.org Aug 28 10:40:36 php: rc.filter_configure_sync: Message sent to cino@com OK Aug 28 10:40:34 usbhid-ups[46776]: Signal 15: exiting Aug 28 10:40:34 upsd[46865]: Signal 15: exiting Aug 28 10:40:34 upsd[46865]: mainloop: Interrupted system call Aug 28 10:40:34 upsd[46865]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550] Aug 28 10:40:34 upsmon[46997]: Signal 15: exiting Aug 28 10:40:31 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. Aug 28 10:40:31 php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCADDALTQ: Device busy - The line in question reads [0]: Aug 28 10:40:30 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:40:30 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:40:30 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:40:28 kernel: rn_addmask: mask impossibly already in tree Aug 28 10:40:28 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:28 check_reload_status: updating dyndns wan Aug 28 10:40:28 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Aug 28 10:40:28 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was '' Aug 28 10:40:28 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:40:27 check_reload_status: Syncing firewall Aug 28 10:40:27 kernel: em3: link state changed to UP Aug 28 10:40:27 check_reload_status: Linkup starting em3 Aug 28 10:40:25 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. Aug 28 10:40:25 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:40:25 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:40:25 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:23 kernel: em3: link state changed to DOWN Aug 28 10:40:23 check_reload_status: Linkup starting em3 Aug 28 10:40:22 kernel: em3: link state changed to UP Aug 28 10:40:22 check_reload_status: Linkup starting em3 Aug 28 10:40:22 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:22 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Aug 28 10:40:22 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was '' Aug 28 10:40:22 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:40:19 kernel: em3: link state changed to DOWN Aug 28 10:40:19 check_reload_status: Linkup starting em3 Aug 28 10:40:19 sshd[37303]: fatal: Write failed: Operation not permitted Aug 28 10:40:19 sshd[37303]: fatal: Write failed: Operation not permitted Aug 28 10:40:19 php: rc.start_packages: Restarting/Starting all packages. Aug 28 10:40:17 sshlockout[6346]: sshlockout/webConfigurator v3.0 starting up Aug 28 10:40:17 sshd[53059]: fatal: Write failed: Operation not permitted Aug 28 10:40:17 sshd[53059]: fatal: Write failed: Operation not permitted Aug 28 10:40:16 check_reload_status: Starting packages Aug 28 10:40:16 php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages. Aug 28 10:40:14 php: rc.newwanip: Creating rrd update script Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:09 php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2). Aug 28 10:40:09 php: rc.newwanip: rc.newwanip: Informational is starting ovpns2. Aug 28 10:40:06 check_reload_status: rc.newwanip starting ovpns2 Aug 28 10:40:06 kernel: ovpns2: link state changed to UP Aug 28 10:40:06 kernel: ovpns2: link state changed to DOWN Aug 28 10:40:06 kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error Aug 28 10:40:06 php: rc.openvpn: OpenVPN: Resync server2 Site-to-Site VPN Aug 28 10:40:06 kernel: ovpns1: link state changed to DOWN Aug 28 10:40:06 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:40:05 php: rc.openvpn: OpenVPN: Resync server1 Road Warrior OpenVPN Aug 28 10:40:05 php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP. Aug 28 10:40:03 check_reload_status: Reloading filter Aug 28 10:40:03 check_reload_status: Restarting OpenVPN tunnels/interfaces Aug 28 10:40:03 check_reload_status: Restarting ipsec tunnels Aug 28 10:40:03 check_reload_status: updating dyndns WAN_DHCP Aug 28 10:39:55 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:50 check_reload_status: updating dyndns wan Aug 28 10:39:47 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. Aug 28 10:39:47 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:39:47 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:39:47 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:39:45 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:45 kernel: em3: link state changed to UP Aug 28 10:39:45 check_reload_status: Linkup starting em3 Aug 28 10:39:44 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:39:44 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Aug 28 10:39:44 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was '' Aug 28 10:39:44 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:39:42 kernel: em3: link state changed to DOWN Aug 28 10:39:42 check_reload_status: Linkup starting em3 Aug 28 10:39:35 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:31 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:39:31 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:39:31 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:39:29 php: rc.linkup: Clearing states to old gateway x.x.208.1. Aug 28 10:39:29 kernel: em3: link state changed to UP Aug 28 10:39:29 check_reload_status: Linkup starting em3 Aug 28 10:39:28 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:39:26 kernel: em3: link state changed to DOWN Aug 28 10:39:26 check_reload_status: Linkup starting em3 Aug 28 10:29:46 syslogd: kernel boot file is /boot/kernel/kernel
Snort Processes after WAN interface was bounced
root 4146 0.3 3.7 376720 114452 ?? SNs 10:42AM 0:01.01 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et root 8189 0.1 3.7 376720 114308 ?? SNs 10:43AM 0:01.03 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et root 7005 0.0 1.6 317552 48632 ?? SNs 10:43AM 0:00.36 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/et root 9784 0.0 2.9 360560 91932 ?? SNs 10:43AM 0:00.69 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s root 11440 0.0 2.9 360560 92036 ?? SNs 10:43AM 0:00.70 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s root 70314 0.0 2.9 359584 91004 ?? SNs 10:42AM 0:00.07 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i
snort_em360770 WAN Blocking
snort_em359292 WAN Alerting
snort_em25622 LAN Alerting
snort_em0_vlan563656 Guest WiFi AlertingStephen
-
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
Stephen
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
-
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be
Stephen
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
Your welcome and thank you for many updates to this fine package.. Only 1 of my sensors is a vlan.. I'm going to disable it and see if that changes anything… If that doesn't, i'll remove the config... Can't remove the vlan interface itself without redoing a lot of work so it will have to stay