    Snort 2.8.2.6 problems running. Snort failing to run.

    • P
      pm26862 last edited by

      I have been having an issue with snort and found it to be any time I make a change (click on save) that requires rebuilding the file /usr/local/etc/rc.d/snort.sh. Or after a reboot; snort.sh appears to get rebuilt after a reboot.
      Once the file is rebuilt it will not start up again. And this is because a ";" after the "&" sign is put in the startup code which causes the script to fail. This will execute all statements including the whitelist.

      Here is an example of the bad code:
      BEFORE_MEM=`top | grep Free | grep Wired | awk '{print $10}'`
      /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
      echo "Sleeping before final memory sampling…"
      sleep 17

      Once I removed the ";" the script runs successfully (note the ";" needs to be removed for each interface you are monitoring, and only remove the ";" after the "&"). Hope this helps others. And maybe someone could possibly make a change in the pfSense code to resolve this issue.

      Thanks,

      ~Paul

      • L
        linch last edited by

        Hey man - you made my day…. ;D

        Thanks a TON.

        • G
          grandrivers last edited by

          the removal of & did the trick for dual wan as well thanks a bunch

          pfsense 2.4 super micro A1SRM-2558F
          C2558 8gig ECC  60gig SSD
          triple Wan dual pppoe

          • T
            t3rmin last edited by

            Cool, thanks.

            The & seems to come back every time you click "save" on the Snort config page, tho. Would be nice to get this fix committed. ;-)

            • G
              grandrivers last edited by

              The removal of & allowed snort to start, but now it is not auto whitelisting the wan and opt1 ip addresses.

              pfsense 2.4 super micro A1SRM-2558F
              C2558 8gig ECC  60gig SSD
              triple Wan dual pppoe

              • K
                korkakak last edited by

                for my version:

                
                # uname -a
                FreeBSD cerberus 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Thu Jan  8 22:07:30 EST 2009     sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense.7  i386
                
                

                pm26862 is right! The syntax of the & together with ; is mistaken and should be corrected.
                The way to correct this issue is twofold:

                First, for operations where the process is sent to the background (via the & operator), you must exclude the end-of-statement operator (;) and/or change line.

                For instance, my config in the critical section looks like this:

                
                /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
                sleep 8
                snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &
                sleep 8
                snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &
                echo "Sleeping before final memory sampling..."
                sleep 17
                
                

                Each command is on a one-liner, hope it helps. Keep in mind that removal of the & operator (send to background) does not allow the script to continue with all its operations until the snort -c directive returns from execution (that's why blacklisting works only for the first declared device).

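As an added example (not part of any post above, and not pfSense's own code): a small sh check that parse-tests a generated rc script without running it, counts the "&;" sequences discussed in the thread, and writes a repaired copy that keeps the "&". The function names and temp paths are hypothetical, and the sample line is constructed from the one quoted in the first post.

```shell
#!/bin/sh
# Added example (not pfSense code). Function names and paths are hypothetical.

# Parse-check only: sh -n reads the script without executing any command.
rc_syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# Number of lines where the background operator "&" is followed by ";".
count_bg_semicolon() {
    grep -c '&[[:space:]]*;' "$1" || true
}

# Drop the ";" that follows "&". "&" already terminates the command, so
# "cmd & next" is valid sh. A ";;" (case terminator) is left untouched.
# Writes the repaired script to stdout; the input file is not modified.
strip_bg_semicolon() {
    sed -e 's/&[[:space:]]*;\([^;]\)/\& \1/g' \
        -e 's/&[[:space:]]*;$/\&/' "$1"
}

# Constructed sample based on the line quoted in the first post.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/snort.sh" <<'EOF'
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
EOF
    rc_syntax_ok "$tmp/snort.sh" && echo "before: parses" || echo "before: syntax error"
    strip_bg_semicolon "$tmp/snort.sh" > "$tmp/snort.fixed.sh"
    rc_syntax_ok "$tmp/snort.fixed.sh" && echo "after: parses" || echo "after: syntax error"
    rm -rf "$tmp"
}
demo
```

Running the same parse check after every config save or reboot would show when the IDS start script has been regenerated in a form that cannot start.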