Snort 2.8.2.6 problems running. Snort failing to run.
-
I have been having an issue with snort and found it to be any time I make a change (click on save) that requires the file /usr/local/etc/rc.d/snort.sh to be rebuilt. Or after a reboot, since snort.sh appears to get rebuilt then.
Once the file is rebuilt it will not start up again. And this is because a ";" after the "&" sign is put in the startup code, which causes the script to fail. This will execute all statements including the whitelist. Here is an example of the bad code:

BEFORE_MEM=`top | grep Free | grep Wired | awk '{print $10}'`
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
echo "Sleeping before final memory sampling…"
sleep 17

Once I removed the ";" the script runs successfully (note the ";" needs to be removed for each interface you are monitoring, and only remove the ";" after the "&"). Hope this helps others. And maybe someone could possibly make a change in the pfSense code to resolve this issue.
Thanks,
~Paul
-
Hey man - you made my day…. ;D
Thanks a TON.
-
The removal of & did the trick for dual WAN as well, thanks a bunch.
-
Cool, thanks.
The & seems to come back every time you click "save" on the Snort config page, tho. Would be nice to get this fix committed. ;-)
-
The removal of & allowed snort to start, but now it is not auto-whitelisting the WAN and OPT1 IP addresses.
-
For my version:

# uname -a
FreeBSD cerberus 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Thu Jan 8 22:07:30 EST 2009 sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense.7 i386

pm26862 is right! The syntax of the & together with ; is mistaken and should be corrected.
The way to correct this issue is twofold. First, for operations where the process is sent to the background (via the & operator) you must exclude the end-of-statement operator (;) and/or change line.
For instance, my config in the critical section looks like this:

/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &
echo "Sleeping before final memory sampling..."
sleep 17

Each command is on its own line, hope it helps. Keep in mind that removal of the & operator (send to background) does not allow the script to continue with all its operations until the snort -c directive returns from execution (that's why blacklisting works only for the first declared device).
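The two posts above (the original report and the last reply) describe the same defect: a generated rc script that chains a backgrounded command with "&;", which the shell rejects. The following is an added example, not code from the thread or from pfSense, that checks a script for that pattern, repairs it the way the thread describes, and confirms the result parses; the snort.sh contents are a constructed sample mirroring the thread, and nothing in it is executed (only syntax-checked with "sh -n").

```shell
#!/bin/sh
# Constructed sample of the broken generated script (not the real
# /usr/local/etc/rc.d/snort.sh); note the "&;" after the first snort command.
write_broken_sample() {   # $1 = path to write the sample to
  cat > "$1" <<'EOF'
BEFORE_MEM=`top | grep Free | grep Wired | awk '{print $10}'`
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
echo "Sleeping before final memory sampling..."
sleep 17
EOF
}

# Returns 0 when the script parses, non-zero on a syntax error.
# "sh -n" only parses; it never runs the commands in the file.
script_parses() { sh -n "$1" 2>/dev/null; }

# Number of "&;" sequences in the file: the pattern the thread identifies.
count_bad_seps() { grep -o '&;' "$1" | wc -l | tr -d ' '; }

# Rewrite "&;" to "& " so the backgrounded command is simply followed by the
# next command, which is the manual fix the thread describes. Assumption:
# "&;" does not occur inside quoted strings in the script. "\&" is a literal
# ampersand in the sed replacement (a bare "&" would mean "the match").
fix_bad_seps() { sed 's/&;/\& /g' "$1" > "$1.fixed" && mv "$1.fixed" "$1"; }

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo() {
  tmp=$(mktemp)
  write_broken_sample "$tmp"
  echo "bad separators before: $(count_bad_seps "$tmp")"
  script_parses "$tmp" && echo "parses" || echo "syntax error (as the thread reports)"
  fix_bad_seps "$tmp"
  echo "bad separators after:  $(count_bad_seps "$tmp")"
  script_parses "$tmp" && echo "parses" || echo "still broken"
  rm -f "$tmp"
}
```

Running check_syntax-style parsing with "sh -n" against the real snort.sh after every save is a cheap way to catch this regression before a reboot leaves the sensor down.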