Netgate Discussion Forum

    Snort will not stay started as of dec7 and 9 snapshot build

    2.1 Snapshot Feedback and Problems - RETIRED
      jsbsmd

      running

      pfsense
      built on Sun Dec 9 04:41:14 EST 2012 i386

      snort
      2.9.2.3 pkg v. 2.5.2

      It seems that Snort will load, update codes, but as soon as I invoke the WAN (pppoe) interface, it will stop the Snort service.

      Attached is a portion of the syslog. I can't seem to see anything indicating why it is stopping.

      Any suggestions?

      syslog1.txt

        jsbsmd

        Just a bit of an update.

        If I manually start Snort from the command line it works fine.

        ie: '/usr/local/bin/snort -R 4941 -D -q -l /var/log/snort/snort_pppoe04941 --pid-path /var/run --nolock-pidfile -G 4941 -c /usr/local/etc/snort/snort_4941_pppoe0/snort.conf -i fxp0' > /var/run/snort_pppoe04941.pid

        However, if I use the snort.sh, it does not start up. I'm certain it has to do with the "-i pppoe". I'm not the greatest sh programmer. Any suggestions on how to fix the snort.sh to use the right interface name?


        rc_start() {

            ### For Each Iface

            # Only try to restart if snort is running on Iface
            # (seed the PID file from a matching process if the file is missing)
            if [ ! -f /var/run/snort_pppoe04941.pid ]; then
                /bin/pgrep -xf '/usr/local/bin/snort -R 4941 -D -q -l /var/log/snort/snort_pppoe04941 --pid-path /var/run --nolock-pidfile -G 4941 -c /usr/local/etc/snort/snort_4941_pppoe0/snort.conf -i pppoe' > /var/run/snort_pppoe04941.pid
            fi
            /bin/pgrep -nF /var/run/snort_pppoe04941.pid
            if [ $? = 0 ]; then
                # A process from the PID file is alive: soft restart with HUP
                /bin/pkill -HUP -F /var/run/snort_pppoe04941.pid -a
                /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT START For wan(4941_pppoe0)..."
            else
                # Start snort and barnyard2
                /bin/rm /var/run/snort_pppoe04941.pid
                /usr/local/bin/snort -R 4941 -D -q -l /var/log/snort/snort_pppoe04941 --pid-path /var/run --nolock-pidfile -G 4941 -c /usr/local/etc/snort/snort_4941_pppoe0/snort.conf -i pppoe
                /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START For wan(4941_pppoe0)..."
            fi

            sleep 2

            # Stop any barnyard2 instance, by PID file if present, else by command line
            if [ -f /var/run/barnyard2_pppoe04941.pid ]; then
                /bin/pkill -F /var/run/barnyard2_pppoe04941.pid -a
                /bin/rm /var/run/barnyard2_pppoe04941.pid
            else
                /bin/pkill -xf '/usr/local/bin/barnyard2 -r 4941 -f snort_4941_pppoe0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_4941_pppoe0/barnyard2.conf -d /var/log/snort/snort_pppoe04941 -D -q'
            fi

        }

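The interface-name mismatch suspected in the post above can be confirmed before the daemon is launched with `-D -q`, which hides startup errors. The following pre-flight check is an added example, not part of the original posts or of the pfSense Snort package; the function names and the sample interface list are assumptions (constructed), and on the firewall the list would come from `ifconfig -l`.

```shell
# Added example (not from the thread or the pfSense Snort package).
# Pre-flight check: confirm the interface passed to "snort -i" exists
# before launching the daemon, and report the mismatch otherwise.

# Print the argument that follows "-i" in a command line string.
extract_iface() {
    # Intentional word splitting of the command string into arguments.
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-i" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Succeed only if $1 exactly matches one name in the space-separated list $2.
iface_present() {
    for _name in $2; do
        [ "$_name" = "$1" ] && return 0
    done
    return 1
}

# Echo "ok <iface>" or "missing <iface>" for a command line and interface list.
preflight() {
    _iface=$(extract_iface "$1") || { echo "no -i argument"; return 2; }
    if iface_present "$_iface" "$2"; then
        echo "ok $_iface"
    else
        echo "missing $_iface"
        return 1
    fi
}

# Constructed sample list; the two command lines are the ones quoted in the post.
SAMPLE_IFACES="fxp0 fxp1 pppoe0 lo0"
SCRIPT_CMD="/usr/local/bin/snort -R 4941 -D -q -l /var/log/snort/snort_pppoe04941 --pid-path /var/run --nolock-pidfile -G 4941 -c /usr/local/etc/snort/snort_4941_pppoe0/snort.conf -i pppoe"
MANUAL_CMD="/usr/local/bin/snort -R 4941 -D -q -l /var/log/snort/snort_pppoe04941 --pid-path /var/run --nolock-pidfile -G 4941 -c /usr/local/etc/snort/snort_4941_pppoe0/snort.conf -i fxp0"

preflight "$SCRIPT_CMD" "$SAMPLE_IFACES" || true
preflight "$MANUAL_CMD" "$SAMPLE_IFACES" || true
```

In a start script the non-zero return from `preflight` could be sent to `/usr/bin/logger` so the reason for a failed start appears in the syslog.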