• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Snort not restart on interface

IDS/IPS
4
43
2.7k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F
    fireodo @bmeeks
    last edited by Mar 31, 2020, 2:37 PM

    @bmeeks said in Snort not restart on interface:

    And things get even more confusing because Snort is actually using the libpcap library to capture packets on the configured interface. So that means libpcap has to see the interface change as well.

    Not saying Snort is without fault here, but there very well could be other issues as well.

    I'm glad that you make yourself also thoughts about this. This kind of disconnection is very rare, it occurs only when the provider makes any changes to the DSLAM (or in his Network). This was last weekend the case (after about 165 days without resync) and so I discovered the issue (thanks to Corona I am in Homeoffice so I have more time to check things in my Home-network ;-) ). One day before came the 2.4.5 update so my first thought was in context of the update but now I think that could be a more older problem ...

    Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
    SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
    pfsense 2.7.2 CE
    Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

    1 Reply Last reply Reply Quote 0
    • B
      bmeeks
      last edited by Mar 31, 2020, 2:41 PM

      I have struggled mightily to try and keep Snort and Suricata cognizant of WAN IP changes, especially for automatic pass list protection so the WAN IP does not get blocked. That's the purpose of the FreeBSD routing message subscription code I mentioned earlier -- to let the IPS know when the WAN IP changes so it can update its internal automatic pass list.

      I think your issue might be slightly different. A PPPoE interface is a virtual interface that is created on top of a physical interface (in your case that is ng0). Did the change confuse just Snort, or did you lose Internet connectivity until you restarted the interface on pfSense?

      F 1 Reply Last reply Mar 31, 2020, 2:48 PM Reply Quote 0
      • F
        fireodo @bmeeks
        last edited by Mar 31, 2020, 2:48 PM

        @bmeeks said in Snort not restart on interface:

        I have struggled mightily to try and keep Snort and Suricata cognizant of WAN IP changes, especially for automatic pass list protection so the WAN IP does not get blocked. That's the purpose of the FreeBSD routing message subscription code I mentioned earlier -- to let the IPS know when the WAN IP changes so it can update its internal automatic pass list.

        I think your issue might be slightly different. A PPPoE interface is a virtual interface that is created on top of a physical interface (in your case that is ng0). Did the change confuse just Snort, or did you lose Internet connectivity until you restarted the interface on pfSense?

        Its only Snort. After this special disconnection occurs and it reconnects i have Internet connectivity and all other things work as expected (that why I saw the Snort-Problem only after a while) - even Snort is not dying and when I restart snort on wan it works flawless!

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.7.2 CE
        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

        B 1 Reply Last reply Mar 31, 2020, 2:51 PM Reply Quote 0
        • B
          bmeeks @fireodo
          last edited by Mar 31, 2020, 2:51 PM

          @fireodo:
          So Snort is not stopping, it just stops giving alerts?

          If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

          F 1 Reply Last reply Mar 31, 2020, 2:53 PM Reply Quote 0
          • F
            fireodo @bmeeks
            last edited by fireodo Mar 31, 2020, 2:59 PM Mar 31, 2020, 2:53 PM

            @bmeeks said in Snort not restart on interface:

            @fireodo:
            So Snort is not stopping, it just stops giving alerts?

            If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

            Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

            This is normal in dmesg:
            pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
            ng0: changing name to 'pppoe0' # pppoe reconnection and up
            pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

            In the special disconnection case the middle line is missing.

            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
            pfsense 2.7.2 CE
            Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

            B 1 Reply Last reply Mar 31, 2020, 3:20 PM Reply Quote 0
            • B
              bmeeks @fireodo
              last edited by bmeeks Mar 31, 2020, 3:23 PM Mar 31, 2020, 3:20 PM

              @fireodo said in Snort not restart on interface:

              @bmeeks said in Snort not restart on interface:

              @fireodo:
              So Snort is not stopping, it just stops giving alerts?

              If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

              Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

              This is normal in dmesg:
              pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
              ng0: changing name to 'pppoe0' # pppoe reconnection and up
              pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

              In the special disconnection case the middle line is missing.

              Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

              Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

              Seeing a copy of your system log while this interruption is happening would be helpful.

              F 1 Reply Last reply Mar 31, 2020, 3:54 PM Reply Quote 0
              • F
                fireodo @bmeeks
                last edited by Mar 31, 2020, 3:54 PM

                @bmeeks said in Snort not restart on interface:

                @fireodo said in Snort not restart on interface:

                @bmeeks said in Snort not restart on interface:

                @fireodo:
                So Snort is not stopping, it just stops giving alerts?

                If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

                Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

                This is normal in dmesg:
                pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
                ng0: changing name to 'pppoe0' # pppoe reconnection and up
                pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

                In the special disconnection case the middle line is missing.

                Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

                Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

                Seeing a copy of your system log while this interruption is happening would be helpful.

                I would like to send you that logfile private - how can I do that?

                Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                pfsense 2.7.2 CE
                Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                B 1 Reply Last reply Mar 31, 2020, 4:15 PM Reply Quote 0
                • B
                  bmeeks @fireodo
                  last edited by Mar 31, 2020, 4:15 PM

                  @fireodo said in Snort not restart on interface:

                  @bmeeks said in Snort not restart on interface:

                  @fireodo said in Snort not restart on interface:

                  @bmeeks said in Snort not restart on interface:

                  @fireodo:
                  So Snort is not stopping, it just stops giving alerts?

                  If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

                  Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

                  This is normal in dmesg:
                  pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
                  ng0: changing name to 'pppoe0' # pppoe reconnection and up
                  pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

                  In the special disconnection case the middle line is missing.

                  Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

                  Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

                  Seeing a copy of your system log while this interruption is happening would be helpful.

                  I would like to send you that logfile private - how can I do that?

                  All I need to see are the handful of lines related to Snort being restarted. There is no private information in those entries. Just snip out or otherwise copy and paste the relevant lines into a post here. To keep from getting overwhelmed from users around the world, I don't do any one-on-one troubleshooting with users. I like to keep all the interractions public so the entire user community can see issues and benefit from also seeing the eventual solutions.

                  F 1 Reply Last reply Mar 31, 2020, 4:27 PM Reply Quote 0
                  • F
                    fireodo @bmeeks
                    last edited by Mar 31, 2020, 4:27 PM

                    @bmeeks said in Snort not restart on interface:

                    @fireodo said in Snort not restart on interface:

                    @bmeeks said in Snort not restart on interface:

                    @fireodo said in Snort not restart on interface:

                    @bmeeks said in Snort not restart on interface:

                    @fireodo:
                    So Snort is not stopping, it just stops giving alerts?

                    If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

                    Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

                    This is normal in dmesg:
                    pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
                    ng0: changing name to 'pppoe0' # pppoe reconnection and up
                    pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

                    In the special disconnection case the middle line is missing.

                    Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

                    Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

                    Seeing a copy of your system log while this interruption is happening would be helpful.

                    I would like to send you that logfile private - how can I do that?

                    All I need to see are the handful of lines related to Snort being restarted. There is no private information in those entries. Just snip out or otherwise copy and paste the relevant lines into a post here. To keep from getting overwhelmed from users around the world, I don't do any one-on-one troubleshooting with users. I like to keep all the interractions public so the entire user community can see issues and benefit from also seeing the eventual solutions.

                    Is this sufficient: clog /var/log/system.log | grep snort ?

                    Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                    SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                    pfsense 2.7.2 CE
                    Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                    B 1 Reply Last reply Mar 31, 2020, 4:27 PM Reply Quote 0
                    • B
                      bmeeks @fireodo
                      last edited by Mar 31, 2020, 4:27 PM

                      @fireodo said in Snort not restart on interface:

                      @bmeeks said in Snort not restart on interface:

                      @fireodo said in Snort not restart on interface:

                      @bmeeks said in Snort not restart on interface:

                      @fireodo said in Snort not restart on interface:

                      @bmeeks said in Snort not restart on interface:

                      @fireodo:
                      So Snort is not stopping, it just stops giving alerts?

                      If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

                      Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

                      This is normal in dmesg:
                      pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
                      ng0: changing name to 'pppoe0' # pppoe reconnection and up
                      pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

                      In the special disconnection case the middle line is missing.

                      Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

                      Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

                      Seeing a copy of your system log while this interruption is happening would be helpful.

                      I would like to send you that logfile private - how can I do that?

                      All I need to see are the handful of lines related to Snort being restarted. There is no private information in those entries. Just snip out or otherwise copy and paste the relevant lines into a post here. To keep from getting overwhelmed from users around the world, I don't do any one-on-one troubleshooting with users. I like to keep all the interractions public so the entire user community can see issues and benefit from also seeing the eventual solutions.

                      Is this sufficient: clog /var/log/system.log | grep snort ?

                      Yes, that should do it.

                      F 1 Reply Last reply Mar 31, 2020, 4:30 PM Reply Quote 0
                      • F
                        fireodo @bmeeks
                        last edited by fireodo Mar 31, 2020, 4:40 PM Mar 31, 2020, 4:30 PM

                        @bmeeks said in Snort not restart on interface:

                        @fireodo said in Snort not restart on interface:

                        @bmeeks said in Snort not restart on interface:

                        @fireodo said in Snort not restart on interface:

                        @bmeeks said in Snort not restart on interface:

                        @fireodo said in Snort not restart on interface:

                        @bmeeks said in Snort not restart on interface:

                        @fireodo:
                        So Snort is not stopping, it just stops giving alerts?

                        If that is the case, then it is going to be related to the pppoe0 virtual interface in some manner. And further, it may be libpcap that is "losing" the interface because it does not see the change. I am not familiar with the internals of the libpcap library.

                        Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!

                        This is normal in dmesg:
                        pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
                        ng0: changing name to 'pppoe0' # pppoe reconnection and up
                        pppoe0: promiscuous mode enabled # after pppoe reconnection snort restart

                        In the special disconnection case the middle line is missing.

                        Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the libpcap library. I'm kind of leaning towards libpcap, but that's just a hunch.

                        Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is /usr/local/etc/rc.d/snort.sh. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.

                        Seeing a copy of your system log while this interruption is happening would be helpful.

                        I would like to send you that logfile private - how can I do that?

                        All I need to see are the handful of lines related to Snort being restarted. There is no private information in those entries. Just snip out or otherwise copy and paste the relevant lines into a post here. To keep from getting overwhelmed from users around the world, I don't do any one-on-one troubleshooting with users. I like to keep all the interractions public so the entire user community can see issues and benefit from also seeing the eventual solutions.

                        Is this sufficient: clog /var/log/system.log | grep snort ?

                        Yes, that should do it.

                        Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List.
Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared!
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: Packet I/O Totals:
Mar 29 03:10:08 aragorn snort[78243]:    Received:       931413
Mar 29 03:10:08 aragorn snort[78243]:    Analyzed:       931444 (100.003%)
Mar 29 03:10:08 aragorn snort[78243]:     Dropped:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    Filtered:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: Outstanding:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    Injected:            0
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: Breakdown by protocol (includes rebuilt packets):
Mar 29 03:10:08 aragorn snort[78243]:         Eth:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:        VLAN:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:         IP4:       932253 (100.000%)
Mar 29 03:10:08 aragorn snort[78243]:        Frag:            4 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:        ICMP:       129701 ( 13.913%)
Mar 29 03:10:08 aragorn snort[78243]:         UDP:       130579 ( 14.007%)
Mar 29 03:10:08 aragorn snort[78243]:         TCP:       671916 ( 72.074%)
Mar 29 03:10:08 aragorn snort[78243]:         IP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     IP6 Ext:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    IP6 Opts:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:       Frag6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:       ICMP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:        UDP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:        TCP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:      Teredo:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     ICMP-IP:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     IP4/IP4:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     IP4/IP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     IP6/IP4:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     IP6/IP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:         GRE:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     GRE Eth:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    GRE VLAN:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     GRE IP4:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     GRE IP6:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: GRE IP6 Ext:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    GRE PPTP:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     GRE ARP:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     GRE IPX:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    GRE Loop:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:        MPLS:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:         ARP:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:         IPX:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    Eth Loop:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    Eth Disc:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    IP4 Disc:           55 (  0.006%)
Mar 29 03:10:08 aragorn snort[78243]:    IP6 Disc:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    TCP Disc:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:    UDP Disc:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:   ICMP Disc:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: All Discard:           55 (  0.006%)
Mar 29 03:10:08 aragorn snort[78243]:       Other:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: Bad Chk Sum:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     Bad TTL:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:      S5 G 1:          353 (  0.038%)
Mar 29 03:10:08 aragorn snort[78243]:      S5 G 2:          454 (  0.049%)
Mar 29 03:10:08 aragorn snort[78243]:       Total:       932253
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: Action Stats:
Mar 29 03:10:08 aragorn snort[78243]:      Alerts:          396 (  0.042%)
Mar 29 03:10:08 aragorn snort[78243]:      Logged:          396 (  0.042%)
Mar 29 03:10:08 aragorn snort[78243]:      Passed:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: Limits:
Mar 29 03:10:08 aragorn snort[78243]:       Match:            0
Mar 29 03:10:08 aragorn snort[78243]:       Queue:            0
Mar 29 03:10:08 aragorn snort[78243]:         Log:            1
Mar 29 03:10:08 aragorn snort[78243]:       Event:          216
Mar 29 03:10:08 aragorn snort[78243]:       Alert:            0
Mar 29 03:10:08 aragorn snort[78243]: Verdicts:
Mar 29 03:10:08 aragorn snort[78243]:       Allow:       432908 ( 46.479%)
Mar 29 03:10:08 aragorn snort[78243]:       Block:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:     Replace:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:   Whitelist:       498536 ( 53.525%)
Mar 29 03:10:08 aragorn snort[78243]:   Blacklist:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:      Ignore:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]:       Retry:            0 (  0.000%)
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: Frag3 statistics:
Mar 29 03:10:08 aragorn snort[78243]:         Total Fragments: 4
Mar 29 03:10:08 aragorn snort[78243]:       Frags Reassembled: 2
Mar 29 03:10:08 aragorn snort[78243]:                Discards: 0
Mar 29 03:10:08 aragorn snort[78243]:           Memory Faults: 0
Mar 29 03:10:08 aragorn snort[78243]:                Timeouts: 0
Mar 29 03:10:08 aragorn snort[78243]:                Overlaps: 0
Mar 29 03:10:08 aragorn snort[78243]:               Anomalies: 0
Mar 29 03:10:08 aragorn snort[78243]:                  Alerts: 0
Mar 29 03:10:08 aragorn snort[78243]:                   Drops: 0
Mar 29 03:10:08 aragorn snort[78243]:      FragTrackers Added: 2
Mar 29 03:10:08 aragorn snort[78243]:     FragTrackers Dumped: 2
Mar 29 03:10:08 aragorn snort[78243]: FragTrackers Auto Freed: 0
Mar 29 03:10:08 aragorn snort[78243]:     Frag Nodes Inserted: 4
Mar 29 03:10:08 aragorn snort[78243]:      Frag Nodes Deleted: 4
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: Stream statistics:
Mar 29 03:10:08 aragorn snort[78243]:             Total sessions: 15253
Mar 29 03:10:08 aragorn snort[78243]:               TCP sessions: 12791
Mar 29 03:10:08 aragorn snort[78243]:               UDP sessions: 2462
Mar 29 03:10:08 aragorn snort[78243]:              ICMP sessions: 0
Mar 29 03:10:08 aragorn snort[78243]:                IP sessions: 0
Mar 29 03:10:08 aragorn snort[78243]:                 TCP Prunes: 0
Mar 29 03:10:08 aragorn snort[78243]:                 UDP Prunes: 0
Mar 29 03:10:08 aragorn snort[78243]:                ICMP Prunes: 0
Mar 29 03:10:08 aragorn snort[78243]:                  IP Prunes: 0
Mar 29 03:10:08 aragorn snort[78243]: TCP StreamTrackers Created: 12791
Mar 29 03:10:08 aragorn snort[78243]: TCP StreamTrackers Deleted: 12791
Mar 29 03:10:08 aragorn snort[78243]:               TCP Timeouts: 0
Mar 29 03:10:08 aragorn snort[78243]:               TCP Overlaps: 0
Mar 29 03:10:08 aragorn snort[78243]:        TCP Segments Queued: 38227
Mar 29 03:10:08 aragorn snort[78243]:      TCP Segments Released: 38227
Mar 29 03:10:08 aragorn snort[78243]:        TCP Rebuilt Packets: 20872
Mar 29 03:10:08 aragorn snort[78243]:          TCP Segments Used: 30138
Mar 29 03:10:08 aragorn snort[78243]:               TCP Discards: 3388
Mar 29 03:10:08 aragorn snort[78243]:                   TCP Gaps: 546
Mar 29 03:10:08 aragorn snort[78243]:       UDP Sessions Created: 2462
Mar 29 03:10:08 aragorn snort[78243]:       UDP Sessions Deleted: 2462
Mar 29 03:10:08 aragorn snort[78243]:               UDP Timeouts: 0
Mar 29 03:10:08 aragorn snort[78243]:               UDP Discards: 0
Mar 29 03:10:08 aragorn snort[78243]:                     Events: 0
Mar 29 03:10:08 aragorn snort[78243]:            Internal Events: 0
Mar 29 03:10:08 aragorn snort[78243]:            TCP Port Filter
Mar 29 03:10:08 aragorn snort[78243]:                   Filtered: 0
Mar 29 03:10:08 aragorn snort[78243]:                  Inspected: 0
Mar 29 03:10:08 aragorn snort[78243]:                    Tracked: 671109
Mar 29 03:10:08 aragorn snort[78243]:            UDP Port Filter
Mar 29 03:10:08 aragorn snort[78243]:                   Filtered: 0
Mar 29 03:10:08 aragorn snort[78243]:                  Inspected: 0
Mar 29 03:10:08 aragorn snort[78243]:                    Tracked: 2462
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
Mar 29 03:10:08 aragorn snort[78243]:     POST methods:                         67        
Mar 29 03:10:08 aragorn snort[78243]:     GET methods:                          2919      
Mar 29 03:10:08 aragorn snort[78243]:     HTTP Request Headers extracted:       2989      
Mar 29 03:10:08 aragorn snort[78243]:     HTTP Request Cookies extracted:       20        
Mar 29 03:10:08 aragorn snort[78243]:     Post parameters extracted:            65        
Mar 29 03:10:08 aragorn snort[78243]:     HTTP response Headers extracted:      2987      
Mar 29 03:10:08 aragorn snort[78243]:     HTTP Response Cookies extracted:      15        
Mar 29 03:10:08 aragorn snort[78243]:     Unicode:                              0         
Mar 29 03:10:08 aragorn snort[78243]:     Double unicode:                       0         
Mar 29 03:10:08 aragorn snort[78243]:     Non-ASCII representable:              0         
Mar 29 03:10:08 aragorn snort[78243]:     Directory traversals:                 0         
Mar 29 03:10:08 aragorn snort[78243]:     Extra slashes ("//"):                 1954      
Mar 29 03:10:08 aragorn snort[78243]:     Self-referencing paths ("./"):        0         
Mar 29 03:10:08 aragorn snort[78243]:     HTTP Response Gzip packets extracted: 38        
Mar 29 03:10:08 aragorn snort[78243]:     Gzip Compressed Data Processed:       112157.00 
Mar 29 03:10:08 aragorn snort[78243]:     Gzip Decompressed Data Processed:     494809.00 
Mar 29 03:10:08 aragorn snort[78243]:     Http/2 Rebuilt Packets:               0         
Mar 29 03:10:08 aragorn snort[78243]:     Total packets processed:              15389     
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: SSL Preprocessor:
Mar 29 03:10:08 aragorn snort[78243]:    SSL packets decoded: 43688     
Mar 29 03:10:08 aragorn snort[78243]:           Client Hello: 3513      
Mar 29 03:10:08 aragorn snort[78243]:           Server Hello: 3468      
Mar 29 03:10:08 aragorn snort[78243]:            Certificate: 2276      
Mar 29 03:10:08 aragorn snort[78243]:            Server Done: 6820      
Mar 29 03:10:08 aragorn snort[78243]:    Client Key Exchange: 2166      
Mar 29 03:10:08 aragorn snort[78243]:    Server Key Exchange: 1942      
Mar 29 03:10:08 aragorn snort[78243]:          Change Cipher: 6073      
Mar 29 03:10:08 aragorn snort[78243]:               Finished: 0         
Mar 29 03:10:08 aragorn snort[78243]:     Client Application: 9752      
Mar 29 03:10:08 aragorn snort[78243]:     Server Application: 7820      
Mar 29 03:10:08 aragorn snort[78243]:                  Alert: 788       
Mar 29 03:10:08 aragorn snort[78243]:   Unrecognized records: 15469     
Mar 29 03:10:08 aragorn snort[78243]:   Completed handshakes: 0         
Mar 29 03:10:08 aragorn snort[78243]:         Bad handshakes: 0         
Mar 29 03:10:08 aragorn snort[78243]:       Sessions ignored: 6374      
Mar 29 03:10:08 aragorn snort[78243]:     Detection disabled: 1043      
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: SIP Preprocessor Statistics
Mar 29 03:10:08 aragorn snort[78243]:   Total sessions: 37
Mar 29 03:10:08 aragorn snort[78243]:   SIP anomalies : 1
Mar 29 03:10:08 aragorn snort[78243]:   Total  dialogs: 39
Mar 29 03:10:08 aragorn snort[78243]:   Requests: 771
Mar 29 03:10:08 aragorn snort[78243]:           invite:   4
Mar 29 03:10:08 aragorn snort[78243]:           cancel:   1
Mar 29 03:10:08 aragorn snort[78243]:              ack:   2
Mar 29 03:10:08 aragorn snort[78243]:              bye:   1
Mar 29 03:10:08 aragorn snort[78243]:         register:   736
Mar 29 03:10:08 aragorn snort[78243]:          options:   27
Mar 29 03:10:08 aragorn snort[78243]:            refer:   0
Mar 29 03:10:08 aragorn snort[78243]:        subscribe:   0
Mar 29 03:10:08 aragorn snort[78243]:           update:   0
Mar 29 03:10:08 aragorn snort[78243]:             join:   0
Mar 29 03:10:08 aragorn snort[78243]:             info:   0
Mar 29 03:10:08 aragorn snort[78243]:          message:   0
Mar 29 03:10:08 aragorn snort[78243]:           notify:   0
Mar 29 03:10:08 aragorn snort[78243]:            prack:   0
Mar 29 03:10:08 aragorn snort[78243]:   Responses: 744
Mar 29 03:10:08 aragorn snort[78243]:              1xx:   4
Mar 29 03:10:08 aragorn snort[78243]:              2xx:   605
Mar 29 03:10:08 aragorn snort[78243]:              3xx:   0
Mar 29 03:10:08 aragorn snort[78243]:              4xx:   135
Mar 29 03:10:08 aragorn snort[78243]:              5xx:   0
Mar 29 03:10:08 aragorn snort[78243]:              6xx:   0
Mar 29 03:10:08 aragorn snort[78243]:              7xx:   0
Mar 29 03:10:08 aragorn snort[78243]:              8xx:   0
Mar 29 03:10:08 aragorn snort[78243]:              9xx:   0
Mar 29 03:10:08 aragorn snort[78243]:  Ignore sessions:   0
Mar 29 03:10:08 aragorn snort[78243]:  Ignore channels:   0
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: dcerpc2 Preprocessor Statistics
Mar 29 03:10:08 aragorn snort[78243]:   Total sessions: 0
Mar 29 03:10:08 aragorn snort[78243]: ===============================================================================
Mar 29 03:10:08 aragorn snort[78243]: +-----------------------[filtered events]--------------------------------------
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403336    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403300    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403420    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403306    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403462    type=Limit     tracking=src count=1   seconds=3600 filtered=2
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403470    type=Limit     tracking=src count=1   seconds=3600 filtered=15
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403428    type=Limit     tracking=src count=1   seconds=3600 filtered=4
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403478    type=Limit     tracking=src count=1   seconds=3600 filtered=6
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403452    type=Limit     tracking=src count=1   seconds=3600 filtered=18
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403444    type=Limit     tracking=src count=1   seconds=3600 filtered=11
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403348    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403372    type=Limit     tracking=src count=1   seconds=3600 filtered=3
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403352    type=Limit     tracking=src count=1   seconds=3600 filtered=18
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2017919    type=Both      tracking=dst count=2   seconds=60  filtered=1
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403434    type=Limit     tracking=src count=1   seconds=3600 filtered=10
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2402000    type=Limit     tracking=src count=1   seconds=3600 filtered=118
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403346    type=Limit     tracking=src count=1   seconds=3600 filtered=2
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1      sig-id=2403435    type=Limit     tracking=src count=1   seconds=3600 filtered=2
Mar 29 03:10:08 aragorn snort[78243]: | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=1
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List.
Mar 29 03:10:09 aragorn snort[78243]: Snort exiting
Mar 29 06:43:34 aragorn php-fpm[22416]: /snort/snort_interfaces.php: Restarting Snort on DSL(pppoe0) per user request...
Mar 29 06:43:34 aragorn php-fpm[22416]: /snort/snort_interfaces.php: [Snort] Snort STOP for DSL(pppoe0)...
Mar 29 06:43:35 aragorn snort[10517]: *** Caught Term-Signal
Mar 29 06:43:37 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Updating rules configuration for: DSL ...
Mar 29 06:43:45 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Enabling any flowbit-required rules for: DSL...
Mar 29 06:43:46 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Building new sid-msg.map file for DSL...
Mar 29 06:43:48 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Snort START for DSL(pppoe0)...
Mar 29 06:47:50 aragorn snort[14301]: *** Caught Term-Signal
Mar 29 06:48:07 aragorn php: /etc/rc.packages: Beginning package installation for snort .
Mar 29 06:48:07 aragorn php: /etc/rc.packages: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29151.tar.gz...
Mar 29 06:49:39 aragorn php: /etc/rc.packages: Successfully installed package: snort.
Mar 29 06:49:39 aragorn pkg-static: pfSense-pkg-snort reinstalled: 3.2.9.10_2 -> 3.2.9.10_2 
Mar 29 09:58:33 aragorn php-fpm[7022]: /snort/snort_interfaces.php: Restarting Snort on DSL(pppoe0) per user request...
Mar 29 09:58:33 aragorn php-fpm[7022]: /snort/snort_interfaces.php: [Snort] Snort STOP for DSL(pppoe0)...
Mar 29 09:58:34 aragorn snort[4949]: *** Caught Term-Signal
Mar 29 09:58:36 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Updating rules configuration for: DSL ...
Mar 29 09:58:44 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Enabling any flowbit-required rules for: DSL...
Mar 29 09:58:45 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Building new sid-msg.map file for DSL...
Mar 29 09:58:47 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Snort START for DSL(pppoe0)...
Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules are up to date...
Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled.  Removing obsoleted rules categories.
Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files.
Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Mar 30 16:39:59 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: DSL ...
Mar 30 16:40:07 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: DSL...
Mar 30 16:40:07 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Building new sid-msg.map file for DSL...
Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules are up to date...
Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled.  Removing obsoleted rules categories.
Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files.
Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.

                        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                        pfsense 2.7.2 CE
                        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                        1 Reply Last reply Reply Quote 0
                        • B
                          bmeeks
                          last edited by bmeeks Mar 31, 2020, 5:18 PM Mar 31, 2020, 5:15 PM

                          That log snippet was helpful. It is as I suspected. Snort and libpcap can't find the pppoe0 interface after the PPoE connection cycles. I see the logged messages from that internal routine I mentioned that is monitoring the FreeBSD routing messages. Snort detects that the WAN IP has changed, so the automatic pass list will adjust. However, then something happens to the original pppoe0 instance such that libpcap can no longer see it.

                          Might be this is a timing issue. Maybe this is a timing issue with the way FreeBSD is adjusting to the modem losing sync and re-establishing the connection ???

                          These are the key lines from your logs --

                          Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List.
Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared!

                          See how it loses the ability to see the pppoe0 interface.

                          These entries a little farther down are a bit curious, though --

                          Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List.
Mar 29 03:10:09 aragorn snort[78243]: Snort exiting

                          The timing seems off. What made Snort exit ad 03:10:09? Was that manual intervention by you, or did some script restart Snort?

                          F 1 Reply Last reply Mar 31, 2020, 5:23 PM Reply Quote 0
                          • F
                            fireodo @bmeeks
                            last edited by Mar 31, 2020, 5:23 PM

                            @bmeeks said in Snort not restart on interface:

                            That log snippet was helpful. It is as I suspected. Snort and libpcap can't find the pppoe0 interface after the PPoE connection cycles. I see the logged messages from that internal routine I mentioned that is monitoring the FreeBSD routing messages. Snort detects that the WAN IP has changed, so the automatic pass list will adjust. However, then something happens to the original pppoe0 instance such that libpcap can no longer see it.

                            Might be this is a timing issue. Maybe this is a timing issue with the way FreeBSD is adjusting to the modem losing sync and re-establishing the connection ???

                            These are the key lines from your logs --

                            Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List.
Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared!

                            See how it loses the ability to see the pppoe0 interface.

                            These entries a little farther down are a bit curious, though --

                            Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0.
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List.
Mar 29 03:10:09 aragorn snort[78243]: Snort exiting

                            The timing seems off. What made Snort exit ad 03:10:09? Was that manual intervention by you, or did some script restart Snort?

                            At 03:10 this was a regular pppoe restart initiated by cron.

                            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                            pfsense 2.7.2 CE
                            Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                            1 Reply Last reply Reply Quote 0
                            • B
                              bmeeks
                              last edited by bmeeks Mar 31, 2020, 5:29 PM Mar 31, 2020, 5:25 PM

                              Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the pppoe0 connection, then I can see how libpcap and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort and libpcap can't find it.

                              Is the cron task something you set up? If so, I would try disabling it for a bit.

                              If your PPPoE connection is so unstable that you need to resort to cron task restarts on some basis, I would go fuss at my ISP and have them fix the underlying issue with your connection.

                              F 1 Reply Last reply Mar 31, 2020, 5:30 PM Reply Quote 0
                              • F
                                fireodo @bmeeks
                                last edited by Mar 31, 2020, 5:30 PM

                                @bmeeks said in Snort not restart on interface:

                                Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the pppoe0 connection, then I can see how libpcap and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort and libpcap can't find it.

                                Is the cron task something you set up? If so, I would try disabling it for a bit.

                                Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.

                                Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                                SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                                pfsense 2.7.2 CE
                                Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                                B 1 Reply Last reply Mar 31, 2020, 5:32 PM Reply Quote 0
                                • B
                                  bmeeks @fireodo
                                  last edited by bmeeks Mar 31, 2020, 5:33 PM Mar 31, 2020, 5:32 PM

                                  @fireodo said in Snort not restart on interface:

                                  @bmeeks said in Snort not restart on interface:

                                  Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the pppoe0 connection, then I can see how libpcap and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort and libpcap can't find it.

                                  Is the cron task something you set up? If so, I would try disabling it for a bit.

                                  Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.

                                  See my earlier reply. Your cron job can really confuse Snort if a periodic restart happens to occur at the same time an actual modem "loss of sync" event is being processed by pfSense. That can result in the cron task restarting Snort before the actual pppoe0 interface has been re-established by FreeBSD.

                                  While loss of sync and connection issues are irritating, I think your cron task solution is a band-aid that might in some sense be making things potentially worse. If your connection is unstable, I would approach your Internet provider first instead of creating workarounds on the firewall.

                                  F 1 Reply Last reply Mar 31, 2020, 5:38 PM Reply Quote 0
                                  • F
                                    fireodo @bmeeks
                                    last edited by fireodo Mar 31, 2020, 5:39 PM Mar 31, 2020, 5:38 PM

                                    @bmeeks said in Snort not restart on interface:

                                    @fireodo said in Snort not restart on interface:

                                    @bmeeks said in Snort not restart on interface:

                                    Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the pppoe0 connection, then I can see how libpcap and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort and libpcap can't find it.

                                    Is the cron task something you set up? If so, I would try disabling it for a bit.

                                    Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.

                                    See my earlier reply. Your cron job can really confuse Snort if a periodic restart happens to occur at the same time an actual modem "loss of sync" event is being processed by pfSense. That can result in the cron task restarting Snort before the actual pppoe0 interface has been re-established by FreeBSD.

                                    While loss of sync and connection issues are irritating, I think your cron task solution is a band-aid that might in some sense be making things potentially worse. If your connection is unstable, I would approach your Internet provider first instead of creating workarounds on the firewall.

                                    No No - the connection is not instable (as I write it was stable about 165 days) This voluntary reconnection daily is for other reasons.

                                    Maybe this helps better: (this is when the resync of the modem occurs)

                                    Mar 29 05:19:49 aragorn ppp: [wan_link0] LCP: no reply to 1 echo request(s)
Mar 29 05:19:55 aragorn php: lcdproc: Connection to LCDd process lost  ()
Mar 29 05:19:55 aragorn php: lcdproc: Start client procedure. Error counter: (0)
Mar 29 05:19:56 aragorn LCDd: Connect from host 127.0.0.1:56929 on socket 6
Mar 29 05:19:56 aragorn LCDd: sock_send: socket write error
Mar 29 05:19:58 aragorn LCDd: sock_send: socket write error
Mar 29 05:19:59 aragorn ppp: [wan_link0] LCP: no reply to 2 echo request(s)
Mar 29 05:20:00 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:02 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:04 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:06 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:08 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:09 aragorn ppp: [wan_link0] LCP: no reply to 3 echo request(s)
Mar 29 05:20:10 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:12 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:14 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:16 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:18 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:19 aragorn ppp: [wan_link0] LCP: no reply to 4 echo request(s)
Mar 29 05:20:20 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:22 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:24 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:26 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:28 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: no reply to 5 echo request(s)
Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: peer not responding to echo requests
Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: state change Opened --> Stopping
Mar 29 05:20:29 aragorn ppp: [wan_link0] Link: Leave bundle "wan"
Mar 29 05:20:29 aragorn ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps
Mar 29 05:20:29 aragorn ppp: [wan] IPCP: Close event
Mar 29 05:20:29 aragorn ppp: [wan] IPCP: state change Opened --> Closing
Mar 29 05:20:29 aragorn ppp: [wan] IPCP: SendTerminateReq #4
Mar 29 05:20:29 aragorn ppp: [wan] IPCP: LayerDown
Mar 29 05:20:29 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for IP 1xxxxxxxxxxxxxxxxxxx/32
Mar 29 05:20:29 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for interface pppoe0
Mar 29 05:20:29 aragorn check_reload_status: Rewriting resolv.conf
Mar 29 05:20:30 aragorn LCDd: Client on socket 6 disconnected
Mar 29 05:20:30 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:31 aragorn LCDd: Server shutting down on SIGTERM
Mar 29 05:20:31 aragorn LCDd: sock_send: socket write error
Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: Close event
Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: state change Opened --> Closing
Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: SendTerminateReq #2
Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: LayerDown
Mar 29 05:20:32 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for IP fe80:xxxxxxxxc%pppoe0/32
Mar 29 05:20:32 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for interface pppoe0
Mar 29 05:20:33 aragorn check_reload_status: Rewriting resolv.conf
Mar 29 05:20:33 aragorn ppp: [wan] IFACE: Down event
Mar 29 05:20:33 aragorn ppp: [wan] IFACE: Rename interface pppoe0 to pppoe0
Mar 29 05:20:33 aragorn ppp: [wan] IPCP: Down event
Mar 29 05:20:33 aragorn ppp: [wan] IPCP: LayerFinish
Mar 29 05:20:33 aragorn ppp: [wan] IPCP: state change Closing --> Initial
Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: Down event
Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: LayerFinish
Mar 29 05:20:33 aragorn ppp: [wan] Bundle: No NCPs left. Closing links...
Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: state change Closing --> Initial
Mar 29 05:20:33 aragorn ppp: [wan_link0] LCP: SendTerminateReq #2
Mar 29 05:20:33 aragorn ppp: [wan_link0] LCP: LayerDown
Mar 29 05:20:40 aragorn ppp: [wan_link0] LCP: SendTerminateReq #3
Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: state change Stopping --> Stopped
Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: LayerFinish
Mar 29 05:20:42 aragorn ppp: [wan_link0] PPPoE: connection closed
Mar 29 05:20:42 aragorn ppp: [wan_link0] Link: DOWN event
Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: Down event
Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: state change Stopped --> Starting
Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: LayerStart
Mar 29 05:20:42 aragorn ppp: [wan_link0] Link: reconnection attempt 1 in 4 seconds
Mar 29 05:20:46 aragorn ppp: [wan_link0] Link: reconnection attempt 1
Mar 29 05:20:46 aragorn ppp: [wan_link0] PPPoE: Connecting to 'provider'
Mar 29 05:20:55 aragorn ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Mar 29 05:20:55 aragorn ppp: [wan_link0] Link: DOWN event
Mar 29 05:20:55 aragorn ppp: [wan_link0] LCP: Down event
Mar 29 05:20:55 aragorn ppp: [wan_link0] Link: reconnection attempt 2 in 1 seconds
Mar 29 05:20:56 aragorn ppp: [wan_link0] Link: reconnection attempt 2
Mar 29 05:20:56 aragorn ppp: [wan_link0] PPPoE: Connecting to 'provider'
Mar 29 05:20:58 aragorn ppp: PPPoE: rec'd ACNAME "XXXXXX"
Mar 29 05:20:58 aragorn ppp: [wan_link0] PPPoE: connection successful
Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: UP event
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: Up event
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Starting --> Req-Sent
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: SendConfigReq #4
Mar 29 05:20:58 aragorn ppp: [wan_link0]   PROTOCOMP
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MRU 1492
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MAGICNUM 0x8202dc20
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: rec'd Configure Request #152 (Req-Sent)
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MRU 1492
Mar 29 05:20:58 aragorn ppp: [wan_link0]   AUTHPROTO PAP
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MAGICNUM 0x476128d2
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: SendConfigAck #152
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MRU 1492
Mar 29 05:20:58 aragorn ppp: [wan_link0]   AUTHPROTO PAP
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MAGICNUM 0x476128d2
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent)
Mar 29 05:20:58 aragorn ppp: [wan_link0]   PROTOCOMP
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MRU 1492
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MAGICNUM 0x8202dc20
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: using authname "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: sending REQUEST #1 len: 54
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: LayerUp
Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: rec'd ACK #1 len: 25
Mar 29 05:20:58 aragorn ppp: [wan_link0]   MESG: SRU=11992#SRD=59961#
Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: authorization successful
Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: Join bundle "wan"
Mar 29 05:20:58 aragorn ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: Open event
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Initial --> Starting
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: LayerStart
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: Open event
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Initial --> Starting
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: LayerStart
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: Up event
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Starting --> Req-Sent
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #5
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR 0.0.0.0
Mar 29 05:20:58 aragorn ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: Up event
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Starting --> Req-Sent
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: SendConfigReq #3
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Request #94 (Req-Sent)
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR provider-gateway-IP
Mar 29 05:20:58 aragorn ppp: [wan]     provider-gateway-IP is OK
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigAck #94
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR provider-gateway-IP
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent)
Mar 29 05:20:58 aragorn ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #6
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR 0.0.0.0
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: rec'd Configure Request #39 (Req-Sent)
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: SendConfigAck #39
Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Req-Sent --> Ack-Sent
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent)
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:20:58 aragorn ppp: [wan]     1xxxxxxxxxxxxxxxxxxx is OK
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #7
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent)
Mar 29 05:20:58 aragorn ppp: [wan]   IPADDR 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Ack-Sent --> Opened
Mar 29 05:20:58 aragorn ppp: [wan] IPCP: LayerUp
Mar 29 05:20:58 aragorn ppp: [wan]   1xxxxxxxxxxxxxxxxxxx -> provider-gateway-IP
Mar 29 05:20:58 aragorn check_reload_status: rc.newwanip starting pppoe0
Mar 29 05:20:59 aragorn ppp: [wan] IFACE: Up event
Mar 29 05:20:59 aragorn ppp: [wan] IFACE: Rename interface ng0 to pppoe0
Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: rec'd Configure Ack #3 (Ack-Sent)
Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: state change Ack-Sent --> Opened
Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: LayerUp
Mar 29 05:20:59 aragorn ppp: [wan]   0xxxxxxxxxxxxxxxxxxx -> 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:20:59 aragorn check_reload_status: rc.newwanipv6 starting pppoe0
Mar 29 05:20:59 aragorn ppp: [wan_link0] rec'd unexpected protocol IPv6
Mar 29 05:20:59 aragorn php-fpm[64679]: /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
Mar 29 05:20:59 aragorn php-fpm[64679]: /rc.newwanip: rc.newwanip: on (IP address: 1xxxxxxxxxxxxxxxxxxx) (interface: DSL[wan]) (real interface: pppoe0).
Mar 29 05:21:00 aragorn xinetd[24731]: Starting reconfiguration
Mar 29 05:21:00 aragorn xinetd[24731]: Swapping defaults
Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19000-tcp
Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19001-tcp
Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19002-tcp
Mar 29 05:21:00 aragorn xinetd[24731]: Reconfigured: new=0 old=3 dropped=0 (services)
Mar 29 05:21:00 aragorn php-fpm[34513]: /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Mar 29 05:21:00 aragorn php-fpm[34513]: /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface DSL [wan].
Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: Removing static route for monitor 9.9.9.9 and adding a new route through provider-gateway-IP
Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: Default gateway setting provider IP4-Gateway as default.
Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: IP Address has changed, killing all states (ip_change_kill_states is set).
Mar 29 05:21:27 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS: updating cache file /conf/dyndns_wan------------'0.cache: 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:21:27 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS (dyndns): (Success) IP Address Changed Successfully! (1xxxxxxxxxxxxxxxxxxx)
Mar 29 05:21:28 aragorn php-cgi: notify_monitor.php: Message sent to xx@xx.xx OK
Mar 29 05:21:30 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS: updating cache file /conf/dyndns_wan------------'1.cache: 1xxxxxxxxxxxxxxxxxxx
Mar 29 05:21:30 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS (dyndns): (Success) IP Address Changed Successfully!
Mar 29 05:21:31 aragorn php-fpm[64679]: /rc.newwanip: Resyncing OpenVPN instances for interface DSL.
Mar 29 05:21:31 aragorn php-fpm[64679]: /rc.newwanip: Creating rrd update script
Mar 29 05:21:34 aragorn php-fpm[64679]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 0xxxxxxxxxxxxxxxxxxx ->  1xxxxxxxxxxxxxxxxxxx - Restarting packages.
Mar 29 05:21:34 aragorn check_reload_status: Starting packages
Mar 29 05:21:35 aragorn php-fpm[34513]: /rc.start_packages: Restarting/Starting all packages.
Mar 29 05:21:35 aragorn php-fpm[34513]: lcdproc: Sync: Begin package sync
Mar 29 05:21:35 aragorn php-fpm[34513]: lcdproc: Sync: End package sync
Mar 29 05:21:35 aragorn LCDd: LCDd version 0.5.9 starting
Mar 29 05:21:35 aragorn LCDd: Using Configuration File: /usr/local/etc/LCDd.conf
Mar 29 05:21:35 aragorn LCDd: Listening for queries on 127.0.0.1:13666
Mar 29 05:21:38 aragorn php: lcdproc: Start client procedure. Error counter: (0)
Mar 29 05:21:38 aragorn php-cgi: notify_monitor.php: Message sent to xx@xx.xx OK
Mar 29 05:21:39 aragorn LCDd: Connect from host 127.0.0.1:15632 on socket 6
Mar 29 05:21:40 aragorn check_reload_status: Syncing firewall
Mar 29 05:21:40 aragorn check_reload_status: Reloading filter
Mar 29 05:21:40 aragorn php-fpm[34513]: [pfBlockerNG] Restarting firewall filter daemon
Mar 29 05:21:42 aragorn php: [pfBlockerNG] DNSBL parser daemon started
Mar 29 05:21:42 aragorn php_pfb: [pfBlockerNG] filterlog daemon started
Mar 29 05:21:42 aragorn xinetd[24731]: Starting reconfiguration
Mar 29 05:21:42 aragorn xinetd[24731]: Swapping defaults
Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19000-tcp
Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19001-tcp
Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19002-tcp
Mar 29 05:21:42 aragorn xinetd[24731]: Reconfigured: new=0 old=3 dropped=0 (services)
Mar 29 05:30:00 aragorn php: [pfBlockerNG] Starting cron process.
Mar 29 05:30:06 aragorn php: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload

                                    Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                                    SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                                    pfsense 2.7.2 CE
                                    Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      bmeeks
                                      last edited by Mar 31, 2020, 5:47 PM

                                      Those log entries indicate either an issue with your provider's subsystem (not the physical layer perhaps, but the logical one instead). Or it could be problems in the PPPoE daemon within pfSense. That area is not within my expertise.

                                      What is puzzling is why, a the end of that log when pfSense logs a "...restarting packages..." command, that I see it restart pfBlockerNG but not Snort. Snort is like every typical package and puts a shell script entry in the config.xml file so pfSense can find the shell script and execute Snort service stops and starts.

                                      F 1 Reply Last reply Mar 31, 2020, 5:54 PM Reply Quote 0
                                      • F
                                        fireodo @bmeeks
                                        last edited by fireodo Mar 31, 2020, 5:57 PM Mar 31, 2020, 5:54 PM

                                        @bmeeks said in Snort not restart on interface:

                                        Those log entries indicate either an issue with your provider's subsystem (not the physical layer perhaps, but the logical one instead). Or it could be problems in the PPPoE daemon within pfSense. That area is not within my expertise.

                                        What is puzzling is why, a the end of that log when pfSense logs a "...restarting packages..." command, that I see it restart pfBlockerNG but not Snort. Snort is like every typical package and puts a shell script entry in the config.xml file so pfSense can find the shell script and execute Snort service stops and starts.
                                        Thats correct: ```
                                        <rcfile>snort.sh</rcfile>
                                        <executable>snort</executable>

                                        Thats why I tried to uninstall and reinstall snort ...

                                        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                                        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                                        pfsense 2.7.2 CE
                                        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                                        B 1 Reply Last reply Mar 31, 2020, 5:57 PM Reply Quote 0
                                        • B
                                          bmeeks @fireodo
                                          last edited by Mar 31, 2020, 5:57 PM

                                          @fireodo said in Snort not restart on interface:

                                          Thats why I tried to uninstall and reinstall snort ...

                                          I'm looking into it. Is this behavior something you just noticed after upgrading to 2.4.5?

                                          F 1 Reply Last reply Mar 31, 2020, 6:05 PM Reply Quote 0
                                          16 out of 43
                                          • First post
                                            16/43
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.