Cron job for hourly restart of Snort
-
Hi all, I'm having an issue with pfSense blocking all internet traffic, which I've been able to resolve by rebooting the pfSense machine. On further investigation I found Snort appears to be the culprit. I don't know the root cause, but I do know restarting Snort fixes the problem. I would like to create a cron job that restarts Snort on an hourly basis but don't know what the command is. I'm a Linux dummy, so I'm not familiar with cron either. Can anyone help me?
Thanks,
Jon -
Service Watchdog is the package to restart stuff.
But @bmeeks doesn't recommend it.
https://forum.netgate.com/topic/113485/snort-keeps-stopping
I'd look into the reason why you think it's snort.
-
Find out the root cause and fix that. Restarting a package every hour is not helpful. What will you do if the problem starts occurring every 15 minutes?
Give us some information about your setup.
-
Are you running on bare metal or is this a VM?
-
What versions of pfSense and the Snort package are you running?
-
Have you looked in the pfSense system log to see if any relevant messages are being logged around the time of the interruption?
Restarting Snort every hour is foolish. You would be better off simply removing the package and abandoning it. However, if you want to restart it, the shell script and required argument are:
/usr/local/bin/snort.sh restart
-
-
I'm running on bare metal; the version of pfSense is 2.4.5-RELEASE (amd64) and Snort is at version 3.2.9.11. I haven't checked the logs but will take a look and report on it later today.
-
@JSmorada said in Cron job for hourly restart of Snort:
I'm running on bare metal; the version of pfSense is 2.4.5-RELEASE (amd64) and Snort is at version 3.2.9.11. I haven't checked the logs but will take a look and report on it later today.
Have you looked to see if any alerts are occurring from Snort? What IP addresses are shown as being blocked (if you have blocking enabled)?
The fact that you say a restart of Snort solves the issue is not consistent with Snort blocking, because restarting Snort will NOT remove any existing blocks. Blocks, once inserted, remain until the IP addresses are removed from the snort2c table. That happens only via three things: (1) a manual clearing of the table by the user; (2) the periodic "Remove Blocked Hosts" cron task, if enabled; or (3) a reboot of pfSense itself.
So based on the above, are you 100% sure Snort is the cause of your issue? Do you have any other package running on your firewall?
What type of NIC do you have? One thing that restarting Snort would do is "tickle" the NIC driver due to the libpcap library tearing down and recreating a subscription for copies of packets and placing the NIC in and out of promiscuous mode. However, that would indicate an issue with the NIC or its driver and not a problem with Snort.
What happens if you leave Snort disabled for, say, a day? Do you have any connection problems then? That is one way to narrow down the issue. If you leave Snort disabled and still have a network interruption after some period, that would certainly clear Snort of being responsible.
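An added example, not from the thread or the Snort package, of the check the reply above points at: on pfSense, Snort blocks by inserting addresses into the pf table named snort2c, and those entries survive a Snort restart. The script below lists that table with the real pfctl invocation (pfctl -t snort2c -T show) and reports whether the addresses you depend on (gateway, DNS server, a LAN client) are in it, which is a quicker way to tell whether a Snort block explains an outage than restarting Snort. The script name check_snort2c.sh, the SNORT2C_LISTING override and the sample addresses are assumptions constructed for this example so it can also be exercised off-box.

```shell
#!/bin/sh
# check_snort2c.sh (added example; not from the thread or the Snort package)
# Reports whether the given addresses are in pfSense's "snort2c" pf table,
# the table Snort inserts blocked hosts into. Entries there survive a Snort
# restart; only a manual clear, the "Remove Blocked Hosts" cron task, or a
# reboot removes them.

# Read the live table with pfctl. SNORT2C_LISTING, when set, overrides it so
# the functions can be exercised off-box (constructed for this example; not a
# pfSense or Snort feature).
get_snort2c_listing() {
    if [ -n "${SNORT2C_LISTING:-}" ]; then
        printf '%s\n' "$SNORT2C_LISTING"
    else
        pfctl -t snort2c -T show 2>/dev/null || true
    fi
}

# Normalise a pfctl table listing: pfctl indents each entry, so strip the
# surrounding whitespace and drop blank lines, leaving one bare address per line.
normalize_listing() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# blocked_count LISTING -> prints how many address/network entries the table holds.
blocked_count() {
    normalize_listing "$1" | grep -c '^[0-9A-Fa-f:./]\{1,\}$' || true
}

# is_blocked LISTING ADDR -> exit 0 when ADDR is an exact entry in LISTING.
is_blocked() {
    normalize_listing "$1" | grep -qxF "$2"
}

# report LISTING ADDR... -> one line per address; exit 1 if any of them is blocked.
report() {
    listing=$1
    shift
    hit=0
    for addr in "$@"; do
        if is_blocked "$listing" "$addr"; then
            echo "BLOCKED  $addr  (in snort2c; restarting Snort will not clear it)"
            hit=1
        else
            echo "clear    $addr"
        fi
    done
    return "$hit"
}

main() {
    if [ "$#" -eq 0 ]; then
        echo "usage: $0 ADDR [ADDR...]   (e.g. your gateway, DNS server, a LAN client)" >&2
        return 2
    fi
    listing=$(get_snort2c_listing)
    echo "snort2c entries: $(blocked_count "$listing")"
    report "$listing" "$@"
}

# Run only when invoked with addresses, so the file can also be sourced for its functions.
[ "$#" -gt 0 ] && main "$@"
```

Run it on the firewall as, for instance, `sh check_snort2c.sh 192.0.2.1 192.0.2.53` with your own gateway and resolver addresses substituted. A non-zero exit with a BLOCKED line means a Snort block is in play and a Snort restart would not have cleared it; if the table is empty or none of your addresses appear while the outage is happening, the cause lies elsewhere, as the reply above argues.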