Netgate Discussion Forum

    SNORT sending emails about cron

      electriAQ

      After updating to the latest version of pfsense I've started to receive emails from snort every day. They are titled as

      Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php

      and contain

      X-Cron-Env: <SHELL=/bin/sh>
      X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
      X-Cron-Env: <HOME=/var/log>
      X-Cron-Env: <LOGNAME=root>
      X-Cron-Env: <USER=root>

      4%        8%      50%      100%

      What are they, are they a cause for concern and how do I stop them?

        bmeeks

        @spudy12:

        After updating to the latest version of pfsense I've started to receive emails from snort every day. They are titled as

        Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php

        and contain

        X-Cron-Env: <SHELL=/bin/sh>
        X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
        X-Cron-Env: <HOME=/var/log>
        X-Cron-Env: <LOGNAME=root>
        X-Cron-Env: <USER=root>

        4%        8%      50%      100%

        What are they, are they a cause for concern and how do I stop them?

        Those are likely coming from the automatic rule set update scheduled on the GLOBAL SETTINGS tab.  I will need to think about a way to silence them or else include better information.

        Bill

          electriAQ

          Ah okay so it's nothing to worry about?
          I just assumed as it was sending an alert it was something that was not good (too much of that with my NAS lately)

          Also my Alert list is being spammed with

          (http_inspect) UNKNOWN METHOD

          Is there any way to limit the number of these logged or turn it off altogether?

          Cheers!

            bmeeks

            @spudy12:

            Ah okay so it's nothing to worry about?
            I just assumed as it was sending an alert it was something that was not good (too much of that with my NAS lately)

            Also my Alert list is being spammed with

            (http_inspect) UNKNOWN METHOD

            Is there any way to limit the number of these logged or turn it off altogether?

            Cheers!

            The cron e-mail is a never-mind.  Just spam.  I will see if I can get rid of it in an upcoming update.

            As for the http_inspect alert, those are very common.  So common, in fact, that I wonder why the rule authors even keep them in their packages.  But since they do, my advice is either disable the rule or suppress it.  A suppressed rule still "fires", but Snort eats the alert.  A disabled rule never wastes CPU time being used to inspect against traffic, since disabled rules are not loaded.  Which to use is your call as admin.  I have chosen to disable the rule.  You can do that either on the RULES tab by selecting Preprocessor Rules in the drop-down, or (easier method) find the alert on the ALERTS tab display and click the red X icon to add the rule to the forced disabled list.

            Bill
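
Added example (not part of the thread and not the Snort package's own code): a small script that tallies alerts by GID:SID and prints the Snort `suppress` line discussed above, plus an `event_filter` rate limit as an alternative, for any rule that dominates the log. The log lines are constructed, the "fast" alert format and the 119:31 GID:SID for the http_inspect alert are assumptions, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" format (not taken from the thread).
# Assumption: 119:31 is the GID:SID of "(http_inspect) UNKNOWN METHOD".
SAMPLE_LOG = """\
01/14-09:15:01.100001  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:50111 -> 203.0.113.5:80
01/14-09:15:02.200002  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.21:50222 -> 203.0.113.5:80
01/14-09:15:03.300003  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:50333 -> 203.0.113.9:80
01/14-09:16:00.400004  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.30:50444 -> 203.0.113.7:22
"""
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

def tally(log_text):
    """Count alerts per (gid, sid); remember the message and distinct sources."""
    counts, msgs, sources = Counter(), {}, {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or unparseable lines
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        msgs[key] = m["msg"]
        sources.setdefault(key, set()).add(m["src"])
    return counts, msgs, sources

def tuning_candidates(log_text, min_share=0.5):
    """Return tuning lines for rules producing at least min_share of all alerts."""
    counts, msgs, sources = tally(log_text)
    total = sum(counts.values())
    out = []
    for (gid, sid), n in counts.most_common():
        if total and n / total >= min_share:
            out.append({
                "rule": f"{gid}:{sid}", "msg": msgs[(gid, sid)], "count": n,
                "sources": sorted(sources[(gid, sid)]),
                # Option 1: the rule still fires, Snort drops the alert.
                "suppress": f"suppress gen_id {gid}, sig_id {sid}",
                # Option 2: keep at most one alert per source per minute.
                "event_filter": f"event_filter gen_id {gid}, sig_id {sid}, "
                                "type limit, track by_src, count 1, seconds 60",
            })
    return out

if __name__ == "__main__":
    for cand in tuning_candidates(SAMPLE_LOG):
        print(cand["count"], cand["msg"], "->", cand["suppress"])
```

Disabling the rule, the third option in the reply above, has no config line here because a disabled rule is simply not loaded.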
