Snort not restart on interface
-
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
@fireodo:
So Snort is not stopping, it just stops giving alerts?If that is the case, then it is going to be related to the
pppoe0
virtual interface in some manner. And further, it may belibpcap
that is "losing" the interface because it does not see the change. I am not familiar with the internals of thelibpcap
library.Yes it stop giving alerts and I see in the last alert given, that the alert refers to the previous IP!
This is normal in dmesg:
pppoe0: promiscuous mode disabled # before pppoe reconnection snort shutdown
ng0: changing name to 'pppoe0' # pppoe reconnection and up
pppoe0: promiscuous mode enabled # after pppoe reconnection snort restartIn the special disconnection case the middle line is missing.
Yes, that could be a problem either in FreeBSD with the plumbing of PPPoE interfaces, or it could be an issue inside the
libpcap
library. I'm kind of leaning towardslibpcap
, but that's just a hunch.Is the IP change triggering Snort to restart? It should because pfSense has (or had) an internal process that restarted packages when IP addresses changed. If Snort restarts, then it surely should see the new IP. The pfSense package restart script simply executes a shell script provided by each installed package. The Snort shell script is
/usr/local/etc/rc.d/snort.sh
. That script should be called with "restart" or else "stop, start" as arguments. So you should see system log entries from that shell script showing it shutting down Snort and starting it up again.Seeing a copy of your system log while this interruption is happening would be helpful.
I would like to send you that logfile private - how can I do that?
All I need to see are the handful of lines related to Snort being restarted. There is no private information in those entries. Just snip out or otherwise copy and paste the relevant lines into a post here. To keep from getting overwhelmed from users around the world, I don't do any one-on-one troubleshooting with users. I like to keep all the interractions public so the entire user community can see issues and benefit from also seeing the eventual solutions.
Is this sufficient: clog /var/log/system.log | grep snort ?
Yes, that should do it.
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List. Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared! Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: Packet I/O Totals: Mar 29 03:10:08 aragorn snort[78243]: Received: 931413 Mar 29 03:10:08 aragorn snort[78243]: Analyzed: 931444 (100.003%) Mar 29 03:10:08 aragorn snort[78243]: Dropped: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Filtered: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Outstanding: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Injected: 0 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: Breakdown by protocol (includes rebuilt packets): Mar 29 03:10:08 aragorn snort[78243]: Eth: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: VLAN: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP4: 932253 (100.000%) Mar 29 03:10:08 aragorn snort[78243]: Frag: 4 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: ICMP: 129701 ( 13.913%) Mar 29 03:10:08 aragorn snort[78243]: UDP: 130579 ( 14.007%) Mar 29 03:10:08 aragorn snort[78243]: TCP: 671916 ( 72.074%) Mar 29 03:10:08 aragorn snort[78243]: IP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP6 Ext: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP6 Opts: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Frag6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: ICMP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: UDP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: TCP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Teredo: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: ICMP-IP: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP4/IP4: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP4/IP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP6/IP4: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP6/IP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE Eth: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE VLAN: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE IP4: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE IP6: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE IP6 Ext: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE PPTP: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE ARP: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE IPX: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: GRE Loop: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: MPLS: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: ARP: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IPX: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Eth Loop: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Eth Disc: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: IP4 Disc: 55 ( 0.006%) Mar 29 03:10:08 aragorn snort[78243]: IP6 Disc: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: TCP Disc: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: UDP Disc: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: ICMP Disc: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: All Discard: 55 ( 0.006%) Mar 29 03:10:08 aragorn snort[78243]: Other: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Bad Chk Sum: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Bad TTL: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: S5 G 1: 353 ( 0.038%) Mar 29 03:10:08 aragorn snort[78243]: S5 G 2: 454 ( 0.049%) Mar 29 03:10:08 aragorn snort[78243]: Total: 932253 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: Action Stats: Mar 29 03:10:08 aragorn snort[78243]: Alerts: 396 ( 0.042%) Mar 29 03:10:08 aragorn snort[78243]: Logged: 396 ( 0.042%) Mar 29 03:10:08 aragorn snort[78243]: Passed: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Limits: Mar 29 03:10:08 aragorn snort[78243]: Match: 0 Mar 29 03:10:08 aragorn snort[78243]: Queue: 0 Mar 29 03:10:08 aragorn snort[78243]: Log: 1 Mar 29 03:10:08 aragorn snort[78243]: Event: 216 Mar 29 03:10:08 aragorn snort[78243]: Alert: 0 Mar 29 03:10:08 aragorn snort[78243]: Verdicts: Mar 29 03:10:08 aragorn snort[78243]: Allow: 432908 ( 46.479%) Mar 29 03:10:08 aragorn snort[78243]: Block: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Replace: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Whitelist: 498536 ( 53.525%) Mar 29 03:10:08 aragorn snort[78243]: Blacklist: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Ignore: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: Retry: 0 ( 0.000%) Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: Frag3 statistics: Mar 29 03:10:08 aragorn snort[78243]: Total Fragments: 4 Mar 29 03:10:08 aragorn snort[78243]: Frags Reassembled: 2 Mar 29 03:10:08 aragorn snort[78243]: Discards: 0 Mar 29 03:10:08 aragorn snort[78243]: Memory Faults: 0 Mar 29 03:10:08 aragorn snort[78243]: Timeouts: 0 Mar 29 03:10:08 aragorn snort[78243]: Overlaps: 0 Mar 29 03:10:08 aragorn snort[78243]: Anomalies: 0 Mar 29 03:10:08 aragorn snort[78243]: Alerts: 0 Mar 29 03:10:08 aragorn snort[78243]: Drops: 0 Mar 29 03:10:08 aragorn snort[78243]: FragTrackers Added: 2 Mar 29 03:10:08 aragorn snort[78243]: FragTrackers Dumped: 2 Mar 29 03:10:08 aragorn snort[78243]: FragTrackers Auto Freed: 0 Mar 29 03:10:08 aragorn snort[78243]: Frag Nodes Inserted: 4 Mar 29 03:10:08 aragorn snort[78243]: Frag Nodes Deleted: 4 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: Stream statistics: Mar 29 03:10:08 aragorn snort[78243]: Total sessions: 15253 Mar 29 03:10:08 aragorn snort[78243]: TCP sessions: 12791 Mar 29 03:10:08 aragorn snort[78243]: UDP sessions: 2462 Mar 29 03:10:08 aragorn snort[78243]: ICMP sessions: 0 Mar 29 03:10:08 aragorn snort[78243]: IP sessions: 0 Mar 29 03:10:08 aragorn snort[78243]: TCP Prunes: 0 Mar 29 03:10:08 aragorn snort[78243]: UDP Prunes: 0 Mar 29 03:10:08 aragorn snort[78243]: ICMP Prunes: 0 Mar 29 03:10:08 aragorn snort[78243]: IP Prunes: 0 Mar 29 03:10:08 aragorn snort[78243]: TCP StreamTrackers Created: 12791 Mar 29 03:10:08 aragorn snort[78243]: TCP StreamTrackers Deleted: 12791 Mar 29 03:10:08 aragorn snort[78243]: TCP Timeouts: 0 Mar 29 03:10:08 aragorn snort[78243]: TCP Overlaps: 0 Mar 29 03:10:08 aragorn snort[78243]: TCP Segments Queued: 38227 Mar 29 03:10:08 aragorn snort[78243]: TCP Segments Released: 38227 Mar 29 03:10:08 aragorn snort[78243]: TCP Rebuilt Packets: 20872 Mar 29 03:10:08 aragorn snort[78243]: TCP Segments Used: 30138 Mar 29 03:10:08 aragorn snort[78243]: TCP Discards: 3388 Mar 29 03:10:08 aragorn snort[78243]: TCP Gaps: 546 Mar 29 03:10:08 aragorn snort[78243]: UDP Sessions Created: 2462 Mar 29 03:10:08 aragorn snort[78243]: UDP Sessions Deleted: 2462 Mar 29 03:10:08 aragorn snort[78243]: UDP Timeouts: 0 Mar 29 03:10:08 aragorn snort[78243]: UDP Discards: 0 Mar 29 03:10:08 aragorn snort[78243]: Events: 0 Mar 29 03:10:08 aragorn snort[78243]: Internal Events: 0 Mar 29 03:10:08 aragorn snort[78243]: TCP Port Filter Mar 29 03:10:08 aragorn snort[78243]: Filtered: 0 Mar 29 03:10:08 aragorn snort[78243]: Inspected: 0 Mar 29 03:10:08 aragorn snort[78243]: Tracked: 671109 Mar 29 03:10:08 aragorn snort[78243]: UDP Port Filter Mar 29 03:10:08 aragorn snort[78243]: Filtered: 0 Mar 29 03:10:08 aragorn snort[78243]: Inspected: 0 Mar 29 03:10:08 aragorn snort[78243]: Tracked: 2462 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: HTTP Inspect - encodings (Note: stream-reassembled packets included): Mar 29 03:10:08 aragorn snort[78243]: POST methods: 67 Mar 29 03:10:08 aragorn snort[78243]: GET methods: 2919 Mar 29 03:10:08 aragorn snort[78243]: HTTP Request Headers extracted: 2989 Mar 29 03:10:08 aragorn snort[78243]: HTTP Request Cookies extracted: 20 Mar 29 03:10:08 aragorn snort[78243]: Post parameters extracted: 65 Mar 29 03:10:08 aragorn snort[78243]: HTTP response Headers extracted: 2987 Mar 29 03:10:08 aragorn snort[78243]: HTTP Response Cookies extracted: 15 Mar 29 03:10:08 aragorn snort[78243]: Unicode: 0 Mar 29 03:10:08 aragorn snort[78243]: Double unicode: 0 Mar 29 03:10:08 aragorn snort[78243]: Non-ASCII representable: 0 Mar 29 03:10:08 aragorn snort[78243]: Directory traversals: 0 Mar 29 03:10:08 aragorn snort[78243]: Extra slashes ("//"): 1954 Mar 29 03:10:08 aragorn snort[78243]: Self-referencing paths ("./"): 0 Mar 29 03:10:08 aragorn snort[78243]: HTTP Response Gzip packets extracted: 38 Mar 29 03:10:08 aragorn snort[78243]: Gzip Compressed Data Processed: 112157.00 Mar 29 03:10:08 aragorn snort[78243]: Gzip Decompressed Data Processed: 494809.00 Mar 29 03:10:08 aragorn snort[78243]: Http/2 Rebuilt Packets: 0 Mar 29 03:10:08 aragorn snort[78243]: Total packets processed: 15389 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: SSL Preprocessor: Mar 29 03:10:08 aragorn snort[78243]: SSL packets decoded: 43688 Mar 29 03:10:08 aragorn snort[78243]: Client Hello: 3513 Mar 29 03:10:08 aragorn snort[78243]: Server Hello: 3468 Mar 29 03:10:08 aragorn snort[78243]: Certificate: 2276 Mar 29 03:10:08 aragorn snort[78243]: Server Done: 6820 Mar 29 03:10:08 aragorn snort[78243]: Client Key Exchange: 2166 Mar 29 03:10:08 aragorn snort[78243]: Server Key Exchange: 1942 Mar 29 03:10:08 aragorn snort[78243]: Change Cipher: 6073 Mar 29 03:10:08 aragorn snort[78243]: Finished: 0 Mar 29 03:10:08 aragorn snort[78243]: Client Application: 9752 Mar 29 03:10:08 aragorn snort[78243]: Server Application: 7820 Mar 29 03:10:08 aragorn snort[78243]: Alert: 788 Mar 29 03:10:08 aragorn snort[78243]: Unrecognized records: 15469 Mar 29 03:10:08 aragorn snort[78243]: Completed handshakes: 0 Mar 29 03:10:08 aragorn snort[78243]: Bad handshakes: 0 Mar 29 03:10:08 aragorn snort[78243]: Sessions ignored: 6374 Mar 29 03:10:08 aragorn snort[78243]: Detection disabled: 1043 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: SIP Preprocessor Statistics Mar 29 03:10:08 aragorn snort[78243]: Total sessions: 37 Mar 29 03:10:08 aragorn snort[78243]: SIP anomalies : 1 Mar 29 03:10:08 aragorn snort[78243]: Total dialogs: 39 Mar 29 03:10:08 aragorn snort[78243]: Requests: 771 Mar 29 03:10:08 aragorn snort[78243]: invite: 4 Mar 29 03:10:08 aragorn snort[78243]: cancel: 1 Mar 29 03:10:08 aragorn snort[78243]: ack: 2 Mar 29 03:10:08 aragorn snort[78243]: bye: 1 Mar 29 03:10:08 aragorn snort[78243]: register: 736 Mar 29 03:10:08 aragorn snort[78243]: options: 27 Mar 29 03:10:08 aragorn snort[78243]: refer: 0 Mar 29 03:10:08 aragorn snort[78243]: subscribe: 0 Mar 29 03:10:08 aragorn snort[78243]: update: 0 Mar 29 03:10:08 aragorn snort[78243]: join: 0 Mar 29 03:10:08 aragorn snort[78243]: info: 0 Mar 29 03:10:08 aragorn snort[78243]: message: 0 Mar 29 03:10:08 aragorn snort[78243]: notify: 0 Mar 29 03:10:08 aragorn snort[78243]: prack: 0 Mar 29 03:10:08 aragorn snort[78243]: Responses: 744 Mar 29 03:10:08 aragorn snort[78243]: 1xx: 4 Mar 29 03:10:08 aragorn snort[78243]: 2xx: 605 Mar 29 03:10:08 aragorn snort[78243]: 3xx: 0 Mar 29 03:10:08 aragorn snort[78243]: 4xx: 135 Mar 29 03:10:08 aragorn snort[78243]: 5xx: 0 Mar 29 03:10:08 aragorn snort[78243]: 6xx: 0 Mar 29 03:10:08 aragorn snort[78243]: 7xx: 0 Mar 29 03:10:08 aragorn snort[78243]: 8xx: 0 Mar 29 03:10:08 aragorn snort[78243]: 9xx: 0 Mar 29 03:10:08 aragorn snort[78243]: Ignore sessions: 0 Mar 29 03:10:08 aragorn snort[78243]: Ignore channels: 0 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: dcerpc2 Preprocessor Statistics Mar 29 03:10:08 aragorn snort[78243]: Total sessions: 0 Mar 29 03:10:08 aragorn snort[78243]: =============================================================================== Mar 29 03:10:08 aragorn snort[78243]: +-----------------------[filtered events]-------------------------------------- Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403336 type=Limit tracking=src count=1 seconds=3600 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403300 type=Limit tracking=src count=1 seconds=3600 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403420 type=Limit tracking=src count=1 seconds=3600 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403306 type=Limit tracking=src count=1 seconds=3600 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403462 type=Limit tracking=src count=1 seconds=3600 filtered=2 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403470 type=Limit tracking=src count=1 seconds=3600 filtered=15 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403428 type=Limit tracking=src count=1 seconds=3600 filtered=4 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403478 type=Limit tracking=src count=1 seconds=3600 filtered=6 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403452 type=Limit tracking=src count=1 seconds=3600 filtered=18 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403444 type=Limit tracking=src count=1 seconds=3600 filtered=11 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403348 type=Limit tracking=src count=1 seconds=3600 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403372 type=Limit tracking=src count=1 seconds=3600 filtered=3 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403352 type=Limit tracking=src count=1 seconds=3600 filtered=18 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2017919 type=Both tracking=dst count=2 seconds=60 filtered=1 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403434 type=Limit tracking=src count=1 seconds=3600 filtered=10 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2402000 type=Limit tracking=src count=1 seconds=3600 filtered=118 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403346 type=Limit tracking=src count=1 seconds=3600 filtered=2 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=1 sig-id=2403435 type=Limit tracking=src count=1 seconds=3600 filtered=2 Mar 29 03:10:08 aragorn snort[78243]: | gen-id=119 sig-id=31 type=Suppress tracking=none filtered=1 Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List. Mar 29 03:10:09 aragorn snort[78243]: Snort exiting Mar 29 06:43:34 aragorn php-fpm[22416]: /snort/snort_interfaces.php: Restarting Snort on DSL(pppoe0) per user request... Mar 29 06:43:34 aragorn php-fpm[22416]: /snort/snort_interfaces.php: [Snort] Snort STOP for DSL(pppoe0)... Mar 29 06:43:35 aragorn snort[10517]: *** Caught Term-Signal Mar 29 06:43:37 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Updating rules configuration for: DSL ... Mar 29 06:43:45 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Enabling any flowbit-required rules for: DSL... Mar 29 06:43:46 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Building new sid-msg.map file for DSL... Mar 29 06:43:48 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Snort START for DSL(pppoe0)... Mar 29 06:47:50 aragorn snort[14301]: *** Caught Term-Signal Mar 29 06:48:07 aragorn php: /etc/rc.packages: Beginning package installation for snort . Mar 29 06:48:07 aragorn php: /etc/rc.packages: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29151.tar.gz... Mar 29 06:49:39 aragorn php: /etc/rc.packages: Successfully installed package: snort. Mar 29 06:49:39 aragorn pkg-static: pfSense-pkg-snort reinstalled: 3.2.9.10_2 -> 3.2.9.10_2 Mar 29 09:58:33 aragorn php-fpm[7022]: /snort/snort_interfaces.php: Restarting Snort on DSL(pppoe0) per user request... Mar 29 09:58:33 aragorn php-fpm[7022]: /snort/snort_interfaces.php: [Snort] Snort STOP for DSL(pppoe0)... Mar 29 09:58:34 aragorn snort[4949]: *** Caught Term-Signal Mar 29 09:58:36 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Updating rules configuration for: DSL ... Mar 29 09:58:44 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Enabling any flowbit-required rules for: DSL... Mar 29 09:58:45 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Building new sid-msg.map file for DSL... Mar 29 09:58:47 aragorn php: /tmp/snort_pppoe060605_startcmd.php: [Snort] Snort START for DSL(pppoe0)... Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules are up to date... Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date... Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories. Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files. Mar 30 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished. Mar 30 16:39:59 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: DSL ... Mar 30 16:40:07 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: DSL... Mar 30 16:40:07 aragorn php-fpm[17783]: /snort/snort_preprocessors.php: [Snort] Building new sid-msg.map file for DSL... Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules are up to date... Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date... Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories. Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files. Mar 31 02:20:01 aragorn php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
-
That log snippet was helpful. It is as I suspected. Snort and
libpcap
can't find thepppoe0
interface after the PPoE connection cycles. I see the logged messages from that internal routine I mentioned that is monitoring the FreeBSD routing messages. Snort detects that the WAN IP has changed, so the automatic pass list will adjust. However, then something happens to the originalpppoe0
instance such thatlibpcap
can no longer see it.Might be this is a timing issue. Maybe this is a timing issue with the way FreeBSD is adjusting to the modem losing sync and re-establishing the connection ???
These are the key lines from your logs --
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List. Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared!
See how it loses the ability to see the
pppoe0
interface.These entries a little farther down are a bit curious, though --
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List. Mar 29 03:10:09 aragorn snort[78243]: Snort exiting
The timing seems off. What made Snort exit ad 03:10:09? Was that manual intervention by you, or did some script restart Snort?
-
@bmeeks said in Snort not restart on interface:
That log snippet was helpful. It is as I suspected. Snort and
libpcap
can't find thepppoe0
interface after the PPoE connection cycles. I see the logged messages from that internal routine I mentioned that is monitoring the FreeBSD routing messages. Snort detects that the WAN IP has changed, so the automatic pass list will adjust. However, then something happens to the originalpppoe0
instance such thatlibpcap
can no longer see it.Might be this is a timing issue. Maybe this is a timing issue with the way FreeBSD is adjusting to the modem losing sync and re-establishing the connection ???
These are the key lines from your logs --
Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:01 aragorn snort[78243]: spo_pf -> deleted address xxx.x30.101.206 from automatic IP Pass List. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:05 aragorn snort[78243]: spo_pf -> deleted address fe80::20d:b9ff:fe46:725c from automatic IP Pass List. Mar 29 03:10:07 aragorn snort[78243]: Can't acquire (-1) - The interface disappeared!
See how it loses the ability to see the
pppoe0
interface.These entries a little farther down are a bit curious, though --
Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address xxx.x30.108.45 to automatic interface IP Pass List. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> Received notification of IP address change on interface pppoe0. Mar 29 03:10:08 aragorn snort[78243]: spo_pf -> added address fe80::20d:b9ff:fe46:725c to automatic interface IP Pass List. Mar 29 03:10:09 aragorn snort[78243]: Snort exiting
The timing seems off. What made Snort exit ad 03:10:09? Was that manual intervention by you, or did some script restart Snort?
At 03:10 this was a regular pppoe restart initiated by cron.
-
Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the
pppoe0
connection, then I can see howlibpcap
and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort andlibpcap
can't find it.Is the cron task something you set up? If so, I would try disabling it for a bit.
If your PPPoE connection is so unstable that you need to resort to cron task restarts on some basis, I would go fuss at my ISP and have them fix the underlying issue with your connection.
-
@bmeeks said in Snort not restart on interface:
Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the
pppoe0
connection, then I can see howlibpcap
and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort andlibpcap
can't find it.Is the cron task something you set up? If so, I would try disabling it for a bit.
Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.
-
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the
pppoe0
connection, then I can see howlibpcap
and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort andlibpcap
can't find it.Is the cron task something you set up? If so, I would try disabling it for a bit.
Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.
See my earlier reply. Your cron job can really confuse Snort if a periodic restart happens to occur at the same time an actual modem "loss of sync" event is being processed by pfSense. That can result in the cron task restarting Snort before the actual
pppoe0
interface has been re-established by FreeBSD.While loss of sync and connection issues are irritating, I think your cron task solution is a band-aid that might in some sense be making things potentially worse. If your connection is unstable, I would approach your Internet provider first instead of creating workarounds on the firewall.
-
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
Initiated by cron? You have periodic restarts enabled? So if one of these periodic restarts happens to coincide with a loss of sync by your modem and subsequent reset of the
pppoe0
connection, then I can see howlibpcap
and Snort might get confused. For example, during the instant when the cron task is recycling PPPoE, Snort trys to connect to the interface and because the modem just lost sync and FreeBSD is trying to re-establish that interface, it is not available. Thus Snort andlibpcap
can't find it.Is the cron task something you set up? If so, I would try disabling it for a bit.
Yes this is made by me and this works without problems - unfortunally the clog /var/log/system.log | grep snort doesnt cover the date where the unsync happend - thats why I asked you to send the HOLE syslog but not in public.
See my earlier reply. Your cron job can really confuse Snort if a periodic restart happens to occur at the same time an actual modem "loss of sync" event is being processed by pfSense. That can result in the cron task restarting Snort before the actual
pppoe0
interface has been re-established by FreeBSD.While loss of sync and connection issues are irritating, I think your cron task solution is a band-aid that might in some sense be making things potentially worse. If your connection is unstable, I would approach your Internet provider first instead of creating workarounds on the firewall.
No No - the connection is not instable (as I write it was stable about 165 days) This voluntary reconnection daily is for other reasons.
Maybe this helps better: (this is when the resync of the modem occurs)
Mar 29 05:19:49 aragorn ppp: [wan_link0] LCP: no reply to 1 echo request(s) Mar 29 05:19:55 aragorn php: lcdproc: Connection to LCDd process lost () Mar 29 05:19:55 aragorn php: lcdproc: Start client procedure. Error counter: (0) Mar 29 05:19:56 aragorn LCDd: Connect from host 127.0.0.1:56929 on socket 6 Mar 29 05:19:56 aragorn LCDd: sock_send: socket write error Mar 29 05:19:58 aragorn LCDd: sock_send: socket write error Mar 29 05:19:59 aragorn ppp: [wan_link0] LCP: no reply to 2 echo request(s) Mar 29 05:20:00 aragorn LCDd: sock_send: socket write error Mar 29 05:20:02 aragorn LCDd: sock_send: socket write error Mar 29 05:20:04 aragorn LCDd: sock_send: socket write error Mar 29 05:20:06 aragorn LCDd: sock_send: socket write error Mar 29 05:20:08 aragorn LCDd: sock_send: socket write error Mar 29 05:20:09 aragorn ppp: [wan_link0] LCP: no reply to 3 echo request(s) Mar 29 05:20:10 aragorn LCDd: sock_send: socket write error Mar 29 05:20:12 aragorn LCDd: sock_send: socket write error Mar 29 05:20:14 aragorn LCDd: sock_send: socket write error Mar 29 05:20:16 aragorn LCDd: sock_send: socket write error Mar 29 05:20:18 aragorn LCDd: sock_send: socket write error Mar 29 05:20:19 aragorn ppp: [wan_link0] LCP: no reply to 4 echo request(s) Mar 29 05:20:20 aragorn LCDd: sock_send: socket write error Mar 29 05:20:22 aragorn LCDd: sock_send: socket write error Mar 29 05:20:24 aragorn LCDd: sock_send: socket write error Mar 29 05:20:26 aragorn LCDd: sock_send: socket write error Mar 29 05:20:28 aragorn LCDd: sock_send: socket write error Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: no reply to 5 echo request(s) Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: peer not responding to echo requests Mar 29 05:20:29 aragorn ppp: [wan_link0] LCP: state change Opened --> Stopping Mar 29 05:20:29 aragorn ppp: [wan_link0] Link: Leave bundle "wan" Mar 29 05:20:29 aragorn ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps Mar 29 05:20:29 aragorn ppp: [wan] IPCP: Close event Mar 29 05:20:29 aragorn ppp: [wan] IPCP: state change Opened --> Closing Mar 29 05:20:29 aragorn ppp: [wan] IPCP: SendTerminateReq #4 Mar 29 05:20:29 aragorn ppp: [wan] IPCP: LayerDown Mar 29 05:20:29 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for IP 1xxxxxxxxxxxxxxxxxxx/32 Mar 29 05:20:29 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for interface pppoe0 Mar 29 05:20:29 aragorn check_reload_status: Rewriting resolv.conf Mar 29 05:20:30 aragorn LCDd: Client on socket 6 disconnected Mar 29 05:20:30 aragorn LCDd: sock_send: socket write error Mar 29 05:20:31 aragorn LCDd: Server shutting down on SIGTERM Mar 29 05:20:31 aragorn LCDd: sock_send: socket write error Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: Close event Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: state change Opened --> Closing Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: SendTerminateReq #2 Mar 29 05:20:32 aragorn ppp: [wan] IPV6CP: LayerDown Mar 29 05:20:32 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for IP fe80:xxxxxxxxc%pppoe0/32 Mar 29 05:20:32 aragorn php-cgi: rc.kill_states: rc.kill_states: Removing states for interface pppoe0 Mar 29 05:20:33 aragorn check_reload_status: Rewriting resolv.conf Mar 29 05:20:33 aragorn ppp: [wan] IFACE: Down event Mar 29 05:20:33 aragorn ppp: [wan] IFACE: Rename interface pppoe0 to pppoe0 Mar 29 05:20:33 aragorn ppp: [wan] IPCP: Down event Mar 29 05:20:33 aragorn ppp: [wan] IPCP: LayerFinish Mar 29 05:20:33 aragorn ppp: [wan] IPCP: state change Closing --> Initial Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: Down event Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: LayerFinish Mar 29 05:20:33 aragorn ppp: [wan] Bundle: No NCPs left. Closing links... Mar 29 05:20:33 aragorn ppp: [wan] IPV6CP: state change Closing --> Initial Mar 29 05:20:33 aragorn ppp: [wan_link0] LCP: SendTerminateReq #2 Mar 29 05:20:33 aragorn ppp: [wan_link0] LCP: LayerDown Mar 29 05:20:40 aragorn ppp: [wan_link0] LCP: SendTerminateReq #3 Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: state change Stopping --> Stopped Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: LayerFinish Mar 29 05:20:42 aragorn ppp: [wan_link0] PPPoE: connection closed Mar 29 05:20:42 aragorn ppp: [wan_link0] Link: DOWN event Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: Down event Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: state change Stopped --> Starting Mar 29 05:20:42 aragorn ppp: [wan_link0] LCP: LayerStart Mar 29 05:20:42 aragorn ppp: [wan_link0] Link: reconnection attempt 1 in 4 seconds Mar 29 05:20:46 aragorn ppp: [wan_link0] Link: reconnection attempt 1 Mar 29 05:20:46 aragorn ppp: [wan_link0] PPPoE: Connecting to 'provider' Mar 29 05:20:55 aragorn ppp: [wan_link0] PPPoE connection timeout after 9 seconds Mar 29 05:20:55 aragorn ppp: [wan_link0] Link: DOWN event Mar 29 05:20:55 aragorn ppp: [wan_link0] LCP: Down event Mar 29 05:20:55 aragorn ppp: [wan_link0] Link: reconnection attempt 2 in 1 seconds Mar 29 05:20:56 aragorn ppp: [wan_link0] Link: reconnection attempt 2 Mar 29 05:20:56 aragorn ppp: [wan_link0] PPPoE: Connecting to 'provider' Mar 29 05:20:58 aragorn ppp: PPPoE: rec'd ACNAME "XXXXXX" Mar 29 05:20:58 aragorn ppp: [wan_link0] PPPoE: connection successful Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: UP event Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: Up event Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Starting --> Req-Sent Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: SendConfigReq #4 Mar 29 05:20:58 aragorn ppp: [wan_link0] PROTOCOMP Mar 29 05:20:58 aragorn ppp: [wan_link0] MRU 1492 Mar 29 05:20:58 aragorn ppp: [wan_link0] MAGICNUM 0x8202dc20 Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: rec'd Configure Request #152 (Req-Sent) Mar 29 05:20:58 aragorn ppp: [wan_link0] MRU 1492 Mar 29 05:20:58 aragorn ppp: [wan_link0] AUTHPROTO PAP Mar 29 05:20:58 aragorn ppp: [wan_link0] MAGICNUM 0x476128d2 Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: SendConfigAck #152 Mar 29 05:20:58 aragorn ppp: [wan_link0] MRU 1492 Mar 29 05:20:58 aragorn ppp: [wan_link0] AUTHPROTO PAP Mar 29 05:20:58 aragorn ppp: [wan_link0] MAGICNUM 0x476128d2 Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent) Mar 29 05:20:58 aragorn ppp: [wan_link0] PROTOCOMP Mar 29 05:20:58 aragorn ppp: [wan_link0] MRU 1492 Mar 29 05:20:58 aragorn ppp: [wan_link0] MAGICNUM 0x8202dc20 Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: state change Ack-Sent --> Opened Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: using authname "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: sending REQUEST #1 len: 54 Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: LayerUp Mar 29 05:20:58 aragorn ppp: [wan_link0] PAP: rec'd ACK #1 len: 25 Mar 29 05:20:58 aragorn ppp: [wan_link0] MESG: SRU=11992#SRD=59961# Mar 29 05:20:58 aragorn ppp: [wan_link0] LCP: authorization successful Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: Matched action 'bundle "wan" ""' Mar 29 05:20:58 aragorn ppp: [wan_link0] Link: Join bundle "wan" Mar 29 05:20:58 aragorn ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps Mar 29 05:20:58 aragorn ppp: [wan] IPCP: Open event Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Initial --> Starting Mar 29 05:20:58 aragorn ppp: [wan] IPCP: LayerStart Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: Open event Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Initial --> Starting Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: LayerStart Mar 29 05:20:58 aragorn ppp: [wan] IPCP: Up event Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Starting --> Req-Sent Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #5 Mar 29 05:20:58 aragorn ppp: [wan] IPADDR 0.0.0.0 Mar 29 05:20:58 aragorn ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: Up event Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Starting --> Req-Sent Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: SendConfigReq #3 Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Request #94 (Req-Sent) Mar 29 05:20:58 aragorn ppp: [wan] IPADDR provider-gateway-IP Mar 29 05:20:58 aragorn ppp: [wan] provider-gateway-IP is OK Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigAck #94 Mar 29 05:20:58 aragorn ppp: [wan] IPADDR provider-gateway-IP Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent) Mar 29 05:20:58 aragorn ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #6 Mar 29 05:20:58 aragorn ppp: [wan] IPADDR 0.0.0.0 Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: rec'd Configure Request #39 (Req-Sent) Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: SendConfigAck #39 Mar 29 05:20:58 aragorn ppp: [wan] IPV6CP: state change Req-Sent --> Ack-Sent Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent) Mar 29 05:20:58 aragorn ppp: [wan] IPADDR 1xxxxxxxxxxxxxxxxxxx Mar 29 05:20:58 aragorn ppp: [wan] 1xxxxxxxxxxxxxxxxxxx is OK Mar 29 05:20:58 aragorn ppp: [wan] IPCP: SendConfigReq #7 Mar 29 05:20:58 aragorn ppp: [wan] IPADDR 1xxxxxxxxxxxxxxxxxxx Mar 29 05:20:58 aragorn ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent) Mar 29 05:20:58 aragorn ppp: [wan] IPADDR 1xxxxxxxxxxxxxxxxxxx Mar 29 05:20:58 aragorn ppp: [wan] IPCP: state change Ack-Sent --> Opened Mar 29 05:20:58 aragorn ppp: [wan] IPCP: LayerUp Mar 29 05:20:58 aragorn ppp: [wan] 1xxxxxxxxxxxxxxxxxxx -> provider-gateway-IP Mar 29 05:20:58 aragorn check_reload_status: rc.newwanip starting pppoe0 Mar 29 05:20:59 aragorn ppp: [wan] IFACE: Up event Mar 29 05:20:59 aragorn ppp: [wan] IFACE: Rename interface ng0 to pppoe0 Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: rec'd Configure Ack #3 (Ack-Sent) Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: state change Ack-Sent --> Opened Mar 29 05:20:59 aragorn ppp: [wan] IPV6CP: LayerUp Mar 29 05:20:59 aragorn ppp: [wan] 0xxxxxxxxxxxxxxxxxxx -> 1xxxxxxxxxxxxxxxxxxx Mar 29 05:20:59 aragorn check_reload_status: rc.newwanipv6 starting pppoe0 Mar 29 05:20:59 aragorn ppp: [wan_link0] rec'd unexpected protocol IPv6 Mar 29 05:20:59 aragorn php-fpm[64679]: /rc.newwanip: rc.newwanip: Info: starting on pppoe0. Mar 29 05:20:59 aragorn php-fpm[64679]: /rc.newwanip: rc.newwanip: on (IP address: 1xxxxxxxxxxxxxxxxxxx) (interface: DSL[wan]) (real interface: pppoe0). Mar 29 05:21:00 aragorn xinetd[24731]: Starting reconfiguration Mar 29 05:21:00 aragorn xinetd[24731]: Swapping defaults Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19000-tcp Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19001-tcp Mar 29 05:21:00 aragorn xinetd[24731]: readjusting service 19002-tcp Mar 29 05:21:00 aragorn xinetd[24731]: Reconfigured: new=0 old=3 dropped=0 (services) Mar 29 05:21:00 aragorn php-fpm[34513]: /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0. Mar 29 05:21:00 aragorn php-fpm[34513]: /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface DSL [wan]. Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: Removing static route for monitor 9.9.9.9 and adding a new route through provider-gateway-IP Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: Default gateway setting provider IP4-Gateway as default. Mar 29 05:21:15 aragorn php-fpm[64679]: /rc.newwanip: IP Address has changed, killing all states (ip_change_kill_states is set). Mar 29 05:21:27 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS: updating cache file /conf/dyndns_wan------------'0.cache: 1xxxxxxxxxxxxxxxxxxx Mar 29 05:21:27 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS (dyndns): (Success) IP Address Changed Successfully! (1xxxxxxxxxxxxxxxxxxx) Mar 29 05:21:28 aragorn php-cgi: notify_monitor.php: Message sent to xx@xx.xx OK Mar 29 05:21:30 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS: updating cache file /conf/dyndns_wan------------'1.cache: 1xxxxxxxxxxxxxxxxxxx Mar 29 05:21:30 aragorn php-fpm[64679]: /rc.newwanip: phpDynDNS (dyndns): (Success) IP Address Changed Successfully! Mar 29 05:21:31 aragorn php-fpm[64679]: /rc.newwanip: Resyncing OpenVPN instances for interface DSL. Mar 29 05:21:31 aragorn php-fpm[64679]: /rc.newwanip: Creating rrd update script Mar 29 05:21:34 aragorn php-fpm[64679]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 0xxxxxxxxxxxxxxxxxxx -> 1xxxxxxxxxxxxxxxxxxx - Restarting packages. Mar 29 05:21:34 aragorn check_reload_status: Starting packages Mar 29 05:21:35 aragorn php-fpm[34513]: /rc.start_packages: Restarting/Starting all packages. Mar 29 05:21:35 aragorn php-fpm[34513]: lcdproc: Sync: Begin package sync Mar 29 05:21:35 aragorn php-fpm[34513]: lcdproc: Sync: End package sync Mar 29 05:21:35 aragorn LCDd: LCDd version 0.5.9 starting Mar 29 05:21:35 aragorn LCDd: Using Configuration File: /usr/local/etc/LCDd.conf Mar 29 05:21:35 aragorn LCDd: Listening for queries on 127.0.0.1:13666 Mar 29 05:21:38 aragorn php: lcdproc: Start client procedure. Error counter: (0) Mar 29 05:21:38 aragorn php-cgi: notify_monitor.php: Message sent to xx@xx.xx OK Mar 29 05:21:39 aragorn LCDd: Connect from host 127.0.0.1:15632 on socket 6 Mar 29 05:21:40 aragorn check_reload_status: Syncing firewall Mar 29 05:21:40 aragorn check_reload_status: Reloading filter Mar 29 05:21:40 aragorn php-fpm[34513]: [pfBlockerNG] Restarting firewall filter daemon Mar 29 05:21:42 aragorn php: [pfBlockerNG] DNSBL parser daemon started Mar 29 05:21:42 aragorn php_pfb: [pfBlockerNG] filterlog daemon started Mar 29 05:21:42 aragorn xinetd[24731]: Starting reconfiguration Mar 29 05:21:42 aragorn xinetd[24731]: Swapping defaults Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19000-tcp Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19001-tcp Mar 29 05:21:42 aragorn xinetd[24731]: readjusting service 19002-tcp Mar 29 05:21:42 aragorn xinetd[24731]: Reconfigured: new=0 old=3 dropped=0 (services) Mar 29 05:30:00 aragorn php: [pfBlockerNG] Starting cron process. Mar 29 05:30:06 aragorn php: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
-
Those log entries indicate either an issue with your provider's subsystem (not the physical layer perhaps, but the logical one instead). Or it could be problems in the PPPoE daemon within pfSense. That area is not within my expertise.
What is puzzling is why, a the end of that log when pfSense logs a "...restarting packages..." command, that I see it restart pfBlockerNG but not Snort. Snort is like every typical package and puts a shell script entry in the
config.xml
file so pfSense can find the shell script and execute Snort service stops and starts. -
@bmeeks said in Snort not restart on interface:
Those log entries indicate either an issue with your provider's subsystem (not the physical layer perhaps, but the logical one instead). Or it could be problems in the PPPoE daemon within pfSense. That area is not within my expertise.
What is puzzling is why, a the end of that log when pfSense logs a "...restarting packages..." command, that I see it restart pfBlockerNG but not Snort. Snort is like every typical package and puts a shell script entry in the
config.xml
file so pfSense can find the shell script and execute Snort service stops and starts.
Thats correct: ```
<rcfile>snort.sh</rcfile>
<executable>snort</executable>Thats why I tried to uninstall and reinstall snort ...
-
@fireodo said in Snort not restart on interface:
Thats why I tried to uninstall and reinstall snort ...
I'm looking into it. Is this behavior something you just noticed after upgrading to 2.4.5?
-
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
Thats why I tried to uninstall and reinstall snort ...
I'm looking into it. Is this behavior something you just noticed after upgrading to 2.4.5?
I noticed it after upgrading to 2.4.5 but only because of the coincidence that my provider has initiated a Modem resync in the weekend night (this is usually when they have something to maintain) right after the update but its very possible that this behavior is also in 2.4.4-RELEASE-p3 (all the time i was running this version no resync occured :-)
-
Okay. Give me some time to investigate in a virtual machine. I also have to look into a Suricata problem on aarch64 hardware for the pfSense team, so it may be a day or two. The only thing I can imagine at this point is maybe something is different in the
rc.start_packages
script and I need to make an adjustment to how the Snort package interracts with it. Just a guess at this point, though.However, even should I find an issue there, I still think you having the cron task will eventually be problematic should its execution happen to coincide with a time when pfSense is responding to one of those loss-of-lcp signal issues.
-
@bmeeks said in Snort not restart on interface:
Okay. Give me some time to investigate in a virtual machine. I also have to look into a Suricata problem on aarch64 hardware for the pfSense team, so it may be a day or two. The only thing I can imagine at this point is maybe something is different in the
rc.start_packages
script and I need to make an adjustment to how the Snort package interracts with it. Just a guess at this point, though.However, even should I find an issue there, I still think you having the cron task will eventually be problematic should its execution happen to coincide with a time when pfSense is responding to one of those loss-of-lcp signal issues.
The cron task is normally in the middle of the night (at 2:10) the probability to do the reconnection on a modem resync is like gaining in Lotto :-)
I hope not to put you on a wrong way. Thank you VERY MUCH for your time and pacience!Regards,
fireodo -
I took some time to have a quick look in a 2.4.5 virtual machine before starting on the Suricata issue. I can see nothing wrong with the interraction of Snort and the
rc.start_packages
script. Everything starts and stops fine in the virtual machine. I don't know what exactly it would be, but I now suspect something unique to your setup.Examine your
config.xml
file for the firewall. It should have a section for <installedpackages><service>, and the <service> section for Snort should look like this --<service> <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> <description><![CDATA[Snort IDS/IPS Daemon]]></description> </service>
This is the section that the
rc.start_packges
script scans to find the shell script to execute when starting packages. This same script and section gets called when you boot up the firewall as well. Does Snort start by itself on a firewall reboot, or do you have to intervene manually?One thing I suggest you add to your cron task is a command to shut down Snort and then later restart it again from inside the cron task. Use these commands:
/usr/local/etc/rc.d/snort.sh stop sleep 10 /usr/local/etc/rc.d/snort.sh start
The sleep() command is only required if the stop and start are immediately adjacent to each other. I suggest stopping Snort BEFORE you cycle the PPPoE interface, and then starting Snort again only AFTER the PPPoE interface is back up.
-
@bmeeks said in Snort not restart on interface:
I took some time to have a quick look in a 2.4.5 virtual machine before starting on the Suricata issue. I can see nothing wrong with the interraction of Snort and the
rc.start_packages
script. Everything starts and stops fine in the virtual machine. I don't know what exactly it would be, but I now suspect something unique to your setup.Examine your
config.xml
file for the firewall. It should have a section for <installedpackages><service>, and the <service> section for Snort should look like this --<service> <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> <description><![CDATA[Snort IDS/IPS Daemon]]></description> </service>
Is exactly so present in my config.
This is the section that the
rc.start_packges
script scans to find the shell script to execute when starting packages. This same script and section gets called when you boot up the firewall as well. Does Snort start by itself on a firewall reboot, or do you have to intervene manually?Snort starts on reboot by itself no need to intervene manually.
One thing I suggest you add to your cron task is a command to shut down Snort and then later restart it again from inside the cron task. Use these commands:
/usr/local/etc/rc.d/snort.sh stop sleep 10 /usr/local/etc/rc.d/snort.sh start
The sleep() command is only required if the stop and start are immediately adjacent to each other. I suggest stopping Snort BEFORE you cycle the PPPoE interface, and then starting Snort again only AFTER the PPPoE interface is back up.
On normal cycling of pppoe connection snort starts correctly and works correctly - only in case of modem loose connection it makes problems.
I added your command to stop/start snort at the end of the /usr/local/sbin/ppp-linkup script and now snort stays functional even if the modem resyncs! I know thats only a workaraound but I can live with it! Good Night!
-
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
I took some time to have a quick look in a 2.4.5 virtual machine before starting on the Suricata issue. I can see nothing wrong with the interraction of Snort and the
rc.start_packages
script. Everything starts and stops fine in the virtual machine. I don't know what exactly it would be, but I now suspect something unique to your setup.Examine your
config.xml
file for the firewall. It should have a section for <installedpackages><service>, and the <service> section for Snort should look like this --<service> <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> <description><![CDATA[Snort IDS/IPS Daemon]]></description> </service>
Is exactly so present in my config.
This is the section that the
rc.start_packges
script scans to find the shell script to execute when starting packages. This same script and section gets called when you boot up the firewall as well. Does Snort start by itself on a firewall reboot, or do you have to intervene manually?Snort starts on reboot by itself no need to intervene manually.
One thing I suggest you add to your cron task is a command to shut down Snort and then later restart it again from inside the cron task. Use these commands:
/usr/local/etc/rc.d/snort.sh stop sleep 10 /usr/local/etc/rc.d/snort.sh start
The sleep() command is only required if the stop and start are immediately adjacent to each other. I suggest stopping Snort BEFORE you cycle the PPPoE interface, and then starting Snort again only AFTER the PPPoE interface is back up.
On normal cycling of pppoe connection snort starts correctly and works correctly - only in case of modem loose connection it makes problems.
Would it be a good idea to add this command you suggested to the /usr/local/sbin/ppp-linkup script?
I don't think it would hurt anything, but of course it would get wiped out with the next upgrade and you would have to remember to edit the script again.
I'm really not a PPPoE expert. I had DSL way, way back and dealt with PPPoE just a bit back then. But luckily with my carrier at the time, and with the DSL modem I had, I was able to switch over to PPPoA (PPP over ATM). I did that to take advantage of the full 1500-byte MTU instead of having to limit my MTU to 1492.
So you say your modem is in bridge mode, but I don't believe it actually is if you have a
pppoe0
connection in pfsense. Or at least that's not how my DSL modem worked. I put the password and login name in the modem and it handled all the PPP stuff. What I got on the LAN side of the modem was a DHCP address (the public IP assigned by my ISP). Does your modem not support a mode of operation like that? It's been a long time, so maybe that was how the PPPoA worked for me and PPPoE would have been different.Edit: the more I've tried to remember, perhaps I am remembering wrong for PPPoE. Maybe it did put a PPP interface on my pfSense and only the PPPoA mode was DHCP on the firewall side. That was 17 years ago and I can't recall the details now.
-
@bmeeks said in Snort not restart on interface:
@fireodo said in Snort not restart on interface:
@bmeeks said in Snort not restart on interface:
I took some time to have a quick look in a 2.4.5 virtual machine before starting on the Suricata issue. I can see nothing wrong with the interraction of Snort and the
rc.start_packages
script. Everything starts and stops fine in the virtual machine. I don't know what exactly it would be, but I now suspect something unique to your setup.Examine your
config.xml
file for the firewall. It should have a section for <installedpackages><service>, and the <service> section for Snort should look like this --<service> <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> <description><![CDATA[Snort IDS/IPS Daemon]]></description> </service>
Is exactly so present in my config.
This is the section that the
rc.start_packges
script scans to find the shell script to execute when starting packages. This same script and section gets called when you boot up the firewall as well. Does Snort start by itself on a firewall reboot, or do you have to intervene manually?Snort starts on reboot by itself no need to intervene manually.
One thing I suggest you add to your cron task is a command to shut down Snort and then later restart it again from inside the cron task. Use these commands:
/usr/local/etc/rc.d/snort.sh stop sleep 10 /usr/local/etc/rc.d/snort.sh start
The sleep() command is only required if the stop and start are immediately adjacent to each other. I suggest stopping Snort BEFORE you cycle the PPPoE interface, and then starting Snort again only AFTER the PPPoE interface is back up.
On normal cycling of pppoe connection snort starts correctly and works correctly - only in case of modem loose connection it makes problems.
Would it be a good idea to add this command you suggested to the /usr/local/sbin/ppp-linkup script?
I don't think it would hurt anything, but of course it would get wiped out with the next upgrade and you would have to remember to edit the script again.
That I have to do, thats no problem ... :-)
-
the more i think about it the more i find it strange
i put up a virtual machine and tested it myself
Mar 31 20:38:27 php-fpm 95633 /rc.start_packages: Restarting/Starting all packages. Mar 31 20:38:26 check_reload_status 381 Starting packages Mar 31 20:38:26 php-fpm 343 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.78.2 -> 192.168.78.2 - Restarting packages. Mar 31 20:38:24 php-fpm 343 /rc.newwanip: Creating rrd update script Mar 31 20:38:24 php-fpm 343 /rc.newwanip: Resyncing OpenVPN instances for interface OPT1. Mar 31 20:38:21 php-fpm 343 /rc.newwanip: rc.newwanip: on (IP address: 192.168.78.2) (interface: OPT1[opt1]) (real interface: pppoe0). Mar 31 20:38:21 php-fpm 343 /rc.newwanip: rc.newwanip: Info: starting on pppoe0. Mar 31 20:38:20 ppp 12008 [opt1] IFACE: Rename interface ng0 to pppoe0 Mar 31 20:38:20 ppp 12008 [opt1] IFACE: Up event Mar 31 20:38:20 check_reload_status 381 rc.newwanip starting pppoe0 Mar 31 20:38:19 check_reload_status 381 Rewriting resolv.conf Mar 31 20:38:19 ppp 12008 [opt1] 192.168.78.2 -> 192.168.77.1 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: LayerUp Mar 31 20:38:19 ppp 12008 [opt1] IPCP: state change Ack-Sent --> Opened Mar 31 20:38:19 ppp 12008 [opt1] PRIDNS 172.17.0.100 Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 192.168.78.2 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: rec'd Configure Ack #8 (Ack-Sent) Mar 31 20:38:19 ppp 12008 [opt1] PRIDNS 172.17.0.100 Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 192.168.78.2 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: SendConfigReq #8 Mar 31 20:38:19 ppp 12008 [opt1] PRIDNS 172.17.0.100 Mar 31 20:38:19 ppp 12008 [opt1] 192.168.78.2 is OK Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 192.168.78.2 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: rec'd Configure Nak #7 (Ack-Sent) Mar 31 20:38:19 ppp 12008 [opt1] PRIDNS 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: SendConfigReq #7 Mar 31 20:38:19 ppp 12008 [opt1] SECDNS 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Mar 31 20:38:19 ppp 12008 [opt1] IPCP: rec'd Configure Reject #6 (Ack-Sent) Mar 31 20:38:19 ppp 12008 [opt1_link0] rec'd unexpected protocol CCP, rejecting Mar 31 20:38:19 ppp 12008 [opt1] IPCP: state change Req-Sent --> Ack-Sent Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 192.168.77.1 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: SendConfigAck #1 Mar 31 20:38:19 ppp 12008 [opt1] 192.168.77.1 is OK Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 192.168.77.1 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: rec'd Configure Request #1 (Req-Sent) Mar 31 20:38:19 ppp 12008 [opt1] SECDNS 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] PRIDNS 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Mar 31 20:38:19 ppp 12008 [opt1] IPADDR 0.0.0.0 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: SendConfigReq #6 Mar 31 20:38:19 ppp 12008 [opt1] IPCP: state change Starting --> Req-Sent Mar 31 20:38:19 ppp 12008 [opt1] IPCP: Up event Mar 31 20:38:19 ppp 12008 [opt1] IPCP: LayerStart Mar 31 20:38:19 ppp 12008 [opt1] IPCP: state change Initial --> Starting Mar 31 20:38:19 ppp 12008 [opt1] IPCP: Open event Mar 31 20:38:19 ppp 12008 [opt1] Bundle: Status update: up 1 link, total bandwidth 64000 bps Mar 31 20:38:19 ppp 12008 [opt1_link0] Link: Join bundle "opt1" Mar 31 20:38:19 ppp 12008 [opt1_link0] Link: Matched action 'bundle "opt1" ""' Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: authorization successful Mar 31 20:38:19 ppp 12008 [opt1_link0] MESG: Welcome Mar 31 20:38:19 ppp 12008 [opt1_link0] PAP: rec'd ACK #1 len: 12 Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: LayerUp Mar 31 20:38:19 ppp 12008 [opt1_link0] PAP: sending REQUEST #1 len: 14 Mar 31 20:38:19 ppp 12008 [opt1_link0] PAP: using authname "test" Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: auth: peer wants PAP, I want nothing Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: state change Ack-Sent --> Opened Mar 31 20:38:19 ppp 12008 [opt1_link0] MAGICNUM 0xe92dbee8 Mar 31 20:38:19 ppp 12008 [opt1_link0] MRU 1492 Mar 31 20:38:19 ppp 12008 [opt1_link0] PROTOCOMP Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: rec'd Configure Ack #3 (Ack-Sent) Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: state change Req-Sent --> Ack-Sent Mar 31 20:38:19 ppp 12008 [opt1_link0] AUTHPROTO PAP Mar 31 20:38:19 ppp 12008 [opt1_link0] MAGICNUM 0xe7f15140 Mar 31 20:38:19 ppp 12008 [opt1_link0] MRU 1492 Mar 31 20:38:19 ppp 12008 [opt1_link0] PROTOCOMP Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: SendConfigAck #1 Mar 31 20:38:19 ppp 12008 [opt1_link0] AUTHPROTO PAP Mar 31 20:38:19 ppp 12008 [opt1_link0] MAGICNUM 0xe7f15140 Mar 31 20:38:19 ppp 12008 [opt1_link0] MRU 1492 Mar 31 20:38:19 ppp 12008 [opt1_link0] PROTOCOMP Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: rec'd Configure Request #1 (Req-Sent) Mar 31 20:38:19 ppp 12008 [opt1_link0] MAGICNUM 0xe92dbee8 Mar 31 20:38:19 ppp 12008 [opt1_link0] MRU 1492 Mar 31 20:38:19 ppp 12008 [opt1_link0] PROTOCOMP Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: SendConfigReq #3 Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: state change Starting --> Req-Sent Mar 31 20:38:19 ppp 12008 [opt1_link0] LCP: Up event Mar 31 20:38:19 ppp 12008 [opt1_link0] Link: UP event Mar 31 20:38:19 ppp 12008 [opt1_link0] PPPoE: connection successful Mar 31 20:38:19 ppp 12008 PPPoE: rec'd ACNAME "pfSense.kiokoman.home" Mar 31 20:38:17 ppp 12008 [opt1_link0] PPPoE: Connecting to '' Mar 31 20:38:17 ppp 12008 [opt1_link0] Link: reconnection attempt 20 Mar 31 20:38:13 ppp 12008 [opt1_link0] Link: reconnection attempt 20 in 4 seconds ...... Mar 31 20:34:31 ppp 12008 [opt1] IPCP: LayerFinish Mar 31 20:34:31 ppp 12008 [opt1] IPCP: Down event Mar 31 20:34:31 ppp 12008 [opt1] IPCP: state change Stopping --> Closing Mar 31 20:34:31 ppp 12008 [opt1] IPCP: Close event Mar 31 20:34:31 ppp 12008 [opt1] Bundle: Status update: up 0 links, total bandwidth 9600 bps Mar 31 20:34:31 ppp 12008 [opt1_link0] Link: Leave bundle "opt1" Mar 31 20:34:31 ppp 12008 [opt1_link0] LCP: state change Opened --> Stopping Mar 31 20:34:31 ppp 12008 [opt1_link0] LCP: rec'd Terminate Request #2 (Opened) Mar 31 20:34:31 ppp 12008 [opt1] IFACE: Rename interface pppoe0 to pppoe0 Mar 31 20:34:31 ppp 12008 [opt1] IFACE: Down event Mar 31 20:34:31 check_reload_status 381 Rewriting resolv.conf Mar 31 20:34:30 ppp 12008 [opt1] IPCP: LayerDown Mar 31 20:34:30 ppp 12008 [opt1] IPCP: SendTerminateAck #5 Mar 31 20:34:30 ppp 12008 [opt1] IPCP: state change Opened --> Stopping Mar 31 20:34:30 ppp 12008 [opt1] IPCP: rec'd Terminate Request #3 (Opened) Mar 31 20:25:07 kernel pppoe0: promiscuous mode enabled Mar 31 20:25:07 SnortStartup 5730 Snort START for pppoe(pppoe0)... Mar 31 20:25:07 php-fpm 95633 /rc.start_packages: Restarting/Starting all packages. Mar 31 20:25:06 check_reload_status 381 Starting packages Mar 31 20:25:06 php-fpm 344 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.78.2 -> 192.168.78.2 - Restarting packages. Mar 31 20:25:04 php-fpm 344 /rc.newwanip: Creating rrd update script Mar 31 20:25:04 php-fpm 344 /rc.newwanip: Resyncing OpenVPN instances for interface OPT1. Mar 31 20:25:00 php-fpm 344 /rc.newwanip: rc.newwanip: on (IP address: 192.168.78.2) (interface: OPT1[opt1]) (real interface: pppoe0). Mar 31 20:25:00 php-fpm 344 /rc.newwanip: rc.newwanip: Info: starting on pppoe0. Mar 31 20:24:59 ppp 12008 [opt1] IFACE: Rename interface ng0 to pppoe0 Mar 31 20:24:59 ppp 12008 [opt1] IFACE: Up event Mar 31 20:24:59 check_reload_status 381 rc.newwanip starting pppoe0 Mar 31 20:24:58 check_reload_status 381 Rewriting resolv.conf Mar 31 20:24:58 ppp 12008 [opt1] 192.168.78.2 -> 192.168.77.1
snort start correctly, does not matter if i stop the pppoe server or i stop the pppoe client
but as you can see " IFACE Rename interface ng0 to pppoe" is present
this is mpd5 doing
it's not snort at fault here, you should investigate why the pppoe interface disappear leadig snort to stop working, and i don't think it's the only problem you will get from it
the test was done under pfSense 2.5.0, maybe i will try tomorrow with a new vm with 2.4.5 -
@kiokoman said in Snort not restart on interface:
the more i think about it the more i find it strange
it's not snort at fault here, you should investigate why the pppoe interface disappear leadig snort to stop working, and i don't think it's the only problem you will get from itI'll keep an eye on it!
the test was done under pfSense 2.5.0, maybe i will try tomorrow with a new vm with 2.4.5
OK, lets see what happends
Thanks for your effort!
fireodo -
@kiokoman, thank you for the testing. I too am intrigued by why the interface disappears. That will obviously confuse Snort when it can't find the interface it is configured to sniff.
Initially I thought Snort was just a victim here, but I decided to look into other possibilities. However, that search and my own testing led me to think Snort is not really at fault here.