Snort problems running. Snort failing to run.

  • I have been having a issue with snort and found it to be any time I make a change(click on save) that requires to rebuild the file /usr/local/etc/rc.d/ Or after a reboot appears to get rebuilt after a reboot.
    Once the file is rebuilt it will not start up again. And this is because a ";" after the "&" sign is put in the startup code which causes the script to fail. This will execute all statements including the whitelist.

    Here is a example of the bad code:
    BEFORE_MEM=top | grep Free | grep Wired | awk '{print $10}'
    /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
    echo "Sleeping before final memory sampling…"
    sleep 17

    Once I removed the ";" the script runs succesfully(note the ";" needs to be removed for each interface your are monitoring and only remove the ";" after the "&"). Hope this helps others. And maybe someone could possibly make a change in Pfsense code to resolve this issue.



  • Hey man - you made my day…. ;D

    Thanks a TON.

  • the removal of & did the trick for dual wan as well thanks a bunch

  • Cool, thanks.

    The & seems to come back every time you click "save" on the Snort config page, tho. Would be nice to get this fix committed. ;-)

  • the removal of & allowed snort to start.  but now it is not auto whitelisting the wan and opt1 ip addresses

  • for my version:

    # uname -a
    FreeBSD cerberus 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Thu Jan  8 22:07:30 EST 2009  i386

    pm26862 is right! The syntax of the & together with ; is mistaken and should be corrected.
    the way to correct this issue is two fold;

    First for operetion  where the process is sent to background (via the & operator) you must exclude the end of statement operator (;) and/or change line.

    For instance my config in the critical section looks like that :

    /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
    sleep 8
    snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &
    sleep 8
    snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &
    echo "Sleeping before final memory sampling..."
    sleep 17

    Each command is on a one liner, hope it helps. Keep in mind that removal of the & operator (send to background) does not allow the script to continue with all its operations until the snort -c directive return from execution (that's why blacklisting works only for the first declared device).

Log in to reply