Each snort alerts shows up twice in syslog

floz · Mar 5, 2015, 1:23 PM

Hi there,

I'm running Snort 2.9.7.0 pkg v3.2.3 on the latest 2.2 RELEASE of pfSense.

Snort works fine (together with barnyard2 writing to SQL) but all alerts show up twice, see attached.

This happening on both my testbed installs.

Any idea why that might be the case? Interface config attached too. Thanks for any tips!!
![Screen Shot 2015-03-05 at 14.18.05.png](/public/imported_attachments/1/Screen Shot 2015-03-05 at 14.18.05.png)
![Screen Shot 2015-03-05 at 14.18.05.png_thumb](/public/imported_attachments/1/Screen Shot 2015-03-05 at 14.18.05.png_thumb)
![Screen Shot 2015-03-05 at 14.19.48.png](/public/imported_attachments/1/Screen Shot 2015-03-05 at 14.19.48.png)
![Screen Shot 2015-03-05 at 14.19.48.png_thumb](/public/imported_attachments/1/Screen Shot 2015-03-05 at 14.19.48.png_thumb)

bmeeks · Mar 5, 2015, 9:50 PM

@floz:

Hi there,

I'm running Snort 2.9.7.0 pkg v3.2.3 on the latest 2.2 RELEASE of pfSense.

Snort works fine (together with barnyard2 writing to SQL) but all alerts show up twice, see attached.

This happening on both my testbed installs.

Any idea why that might be the case? Interface config attached too. Thanks for any tips!!

That was a normal "quirk" of earlier pfSense versions. I honestly thought it had been fixed in 2.2, but I have not paid careful attention to my own logs. Do you by chance have Barnyard2 logging to syslog as well as SQL?

EDIT: went back and checked my 2.2 system, and I am not getting double system log entries.

Bill

Nullity · Mar 5, 2015, 10:00 PM

I have always had occasional spans of double-posts in my logs. Considering that I had no obvious problems otherwise, I ignored it.

Perhaps I should debug it…

fsansfil · Mar 6, 2015, 2:45 AM

Are you only seeing these doubles on Snort preprocessors rules ? (http_inspect, portscan, ssp_ssl)

Do you see the same with ET or Snort VRT rules?

F.

floz · Mar 6, 2015, 7:24 AM

Thanks for your responses, fellows!

@ bmeeks - no, barnyard is not set to log to syslog. Config attached.

@ fsansfil - yes, seeing duplicates for all alerts, including e.g. ET…

Also, in case you were wondering, neither snort nor barnyard are running twice:

[2.2-RELEASE][admin@xxxxxxxxxxxxx]/root: ps aux | grep sno
root  99679    0.7  2.1 2499540 2117944  -  SNs  12:06AM    18:14.44 /usr/local/bin/snort -R 28189 -D -q --suppress-config-log -l /var/log/snort/snort_bce028189 --pid-path /var/run --nolock-pidfile -G 28189 -c /usr/pbi/snort-amd64/etc/snort/snort_28189_bce0/snort.conf -i
root  48491    0.0  0.1  118424   86080  -  Ss    8:09AM     3:01.54 /usr/local/bin/barnyard2 -r 28189 -f snort_28189_bce0.u2 --pid-path /var/run --nolock-pidfile -c /usr/pbi/snort-amd64/etc/snort/snort_28189_bce0/barnyard2.conf -d /var/log/snort/snort_bce028189 -D -q
root  57369    0.0  0.0   18884    2388  0  S+    8:18AM     0:00.00 grep sno

bmeeks · Mar 6, 2015, 11:45 PM

Are any of the other system log entries (meaning non-Snort related ones) showing up twice? As I mentioned, that used to be a quirk of the system logging process in older pfSense versions. But I was thinking that got fixed back in 2.1.x.

I don't know much about the internals of pfSense syslog. Maybe one of the developers will see this thread and chime in.

Bill

floz · Mar 7, 2015, 8:20 AM

Hi Bill,

No, no duplicates otherwise, just snort alerts (but not, eg. snort startup notices).