Snort 2.8.2.6 problems running. Snort failing to run.
-
I have been having a issue with snort and found it to be any time I make a change(click on save) that requires to rebuild the file /usr/local/etc/rc.d/snort.sh. Or after a reboot snort.sh appears to get rebuilt after a reboot.
Once the file is rebuilt it will not start up again. And this is because a ";" after the "&" sign is put in the startup code which causes the script to fail. This will execute all statements including the whitelist.Here is a example of the bad code:
BEFORE_MEM=top | grep Free | grep Wired | awk '{print $10}'
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
echo "Sleeping before final memory sampling…"
sleep 17Once I removed the ";" the script runs succesfully(note the ";" needs to be removed for each interface your are monitoring and only remove the ";" after the "&"). Hope this helps others. And maybe someone could possibly make a change in Pfsense code to resolve this issue.
Thanks,
~Paul
-
Hey man - you made my day…. ;D
Thanks a TON.
-
the removal of & did the trick for dual wan as well thanks a bunch
-
Cool, thanks.
The & seems to come back every time you click "save" on the Snort config page, tho. Would be nice to get this fix committed. ;-)
-
the removal of & allowed snort to start. but now it is not auto whitelisting the wan and opt1 ip addresses
-
for my version:
# uname -a FreeBSD cerberus 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Thu Jan 8 22:07:30 EST 2009 sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense.7 i386pm26862 is right! The syntax of the & together with ; is mistaken and should be corrected.
the way to correct this issue is two fold;First for operetion where the process is sent to background (via the & operator) you must exclude the end of statement operator (;) and/or change line.
For instance my config in the critical section looks like that :
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c sleep 8 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast & sleep 8 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast & echo "Sleeping before final memory sampling..." sleep 17Each command is on a one liner, hope it helps. Keep in mind that removal of the & operator (send to background) does not allow the script to continue with all its operations until the snort -c directive return from execution (that's why blacklisting works only for the first declared device).