Netgate Discussion Forum

    various snort processes

    IDS/IPS
    3 Posts 2 Posters 386 Views
      luisenrique
      last edited by luisenrique

      How can I avoid multiple Snort processes? I stop the Snort interface and it keeps alerting... I add a rule or remove a blocked host and it gets blocked again...
      I restart my pfSense but it continues to start various Snort processes.


      PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
       11 root        187 ki31     0B    48K CPU1     1   7:43 100.00% [idle{idle: cpu1}]
       11 root        187 ki31     0B    48K RUN      2   7:49  98.97% [idle{idle: cpu2}]
       11 root        187 ki31     0B    48K CPU0     0   7:48  98.97% [idle{idle: cpu0}]
      74992 root         20    0  1231M   894M nanslp   0   0:11   0.00% /usr/local/bin/snort -R _30731 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_vmx030731 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 30731 -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
        0 root        -16    -     0B   576K swapin   2   0:10   0.00% [kernel{swapper}]
        4 root        -16    -     0B    48K -        0   0:03   0.00% [cam{scanner}]
      82079 unbound      20    0   163M   132M kqread   2   0:02   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
      74992 root         20    0  1231M   894M bpf      1   0:01   0.00% /usr/local/bin/snort -R _30731 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_vmx030731 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 30731 -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
      58393 root         20    0    74M    44M piperd   2   0:01   0.00% /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog
      368 root         68    0   147M    48M accept   2   0:01   0.00% php-fpm: pool nginx (php-fpm)
      367 root         68    0   147M    49M accept   0   0:00   0.00% php-fpm: pool nginx (php-fpm)
      27819 root         20    0    46M    19M kqread   0   0:00   0.00% /usr/local/sbin/haproxy -f /var/etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D{haproxy}
      25023 root         21    0   113M    41M piperd   1   0:00   0.00% php-fpm: pool nginx (php-fpm)
        0 root        -60    -     0B   576K -        0   0:00   0.00% [kernel{if_io_tqg_0}]
        4 root        -16    -     0B    48K -        0   0:00   0.00% [cam{async}]
      91947 root         20    0   638M   510M bpf      0   0:00   0.00% /usr/local/bin/snort -R _13122 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_vmx113122 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 13122 -c /usr/local/etc/snort/snort_13122_vmx1/snort.conf -i vmx1{snort}
      27819 root         20    0    46M    19M kqread   2   0:00   0.00% /usr/local/sbin/haproxy -f /var/etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D{haproxy}
      96997 root         68    0   147M    46M accept   0   0:00   0.00% php-fpm: pool nginx (php-fpm)
       12 root        -60    -     0B   736K WAIT     0   0:00   0.00% [intr{swi1: netisr 1}]
      61676 root         20    0    28M  7004K select   2   0:00   0.00% /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc{vmtoolsd}
       12 root        -60    -     0B   736K WAIT     2   0:00   0.00% [intr{swi1: netisr 2}]
      82079 unbound      20    0   163M   132M kqread   0   0:00   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
       12 root        -60    -     0B   736K WAIT     0   0:00   0.00% [intr{swi1: netisr 0}]
      82079 unbound      20    0   163M   132M kqread   1   0:00   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
      68164 root         20    0    17M  2832K nanslp   0   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i DEFAULT_GATEWAY -B 208.87.243.74 -p /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.pid -u /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 208.87.243.73{dpinger}
        0 root        -60    -     0B   576K -        1   0:00   0.00% [kernel{if_io_tqg_1}]
        9 root        -16    -     0B    48K psleep   2   0:00   0.00% [pagedaemon{dom0}]
        2 root        -60    -     0B    48K WAIT     0   0:00   0.00% [clock{clock (0)}]
      78665 root         20    0    32M  9856K kqread   0   0:00   0.00% nginx: worker process (nginx)
      59367 root         68    0    71M    43M piperd   2   0:00   0.00% /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc index
       12 root        -64    -     0B   736K WAIT     1   0:00   0.00% [intr{irq26: mpt0}]
      58940 root         68    0    71M    43M piperd   0   0:00   0.00% /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
        0 root        -60    -     0B   576K -        2   0:00   0.00% [kernel{if_io_tqg_2}]
        7 root        -16    -     0B    16K pftm     0   0:00   0.00% [pf purge]
      21347 squid        20    0   174M    43M kqread   1   0:00   0.00% (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
        4 root        -16    -     0B    48K -        2   0:00   0.00% [cam{doneq0}]
        8 root        -16    -     0B    16K -        2   0:00   0.00% [rand_harvestq]
      68342 root         20    0    21M  2928K nanslp   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WAN_GW -B 208.87.243.74 -p /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.pid -u /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 23.238.130.161{dpinger}
      27173 root         68   20    13M  2804K wait     0   0:00   0.00% /bin/sh /var/db/rrd/updaterrd.sh
      50788 root         20    0    13M  3464K bpf      1   0:00   0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
      68827 root         20    0    21M  2928K nanslp   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WANGW_3 -B 208.87.243.74 -p /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.pid -u /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 104.149.157.73{dpinger}
      48381 root         20    0    22M  8108K select   1   0:00   0.00% /usr/local/sbin/openvpn --config /var/etc/openvpn/server2/config.ovpn{openvpn}
      52449 root         20    0    13M  2932K select   1   0:00   0.00% /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
      77905 root         20    0    21M  7080K select   2   0:00   0.00% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid{ntpd}
      58380 root         20    0    12M  2320K kqread   0   0:00   0.00% /usr/bin/tail_pfb -n0 -F /var/log/filter.log
      569 root         20    0    14M  3724K select   2   0:00   0.00% /sbin/devd -q -f /etc/pfSense-devd.conf
       12 root        -64    -     0B   736K WAIT     2   0:00   0.00% [intr{irq24: ahci0}]
       12 root        -64    -     0B   736K WAIT     0   0:00   0.00% [intr{irq1: atkbd0}]
       19 root         16    -     0B    16K syncer   1   0:00   0.00% [syncer]
      366 root         20    0   111M    27M kqread   2   0:00   0.00% php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
       17 root         20    -     0B    64K sdflus   1   0:00   0.00% [bufdaemon{/ worker}]
      405 root         52   20    13M  2744K kqread   1   0:00   0.00% /usr/local/sbin/check_reload_status
      58729 root         20    0    18M  7804K kqread   1   0:00   0.00% /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
      61676 root         20    0    28M  7004K uwait    0   0:00   0.00% /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc{HangDetector}
      29119 root         20    0    18M  7472K select   1   0:00   0.00% /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn{openvpn}
      85039 dhcpd        20    0    25M    12M select   1   0:00   0.00% /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid vmx1
      91947 root         20    0   638M   510M nanslp   0   0:00   0.00% /usr/local/bin/snort -R _13122 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_vmx113122 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 13122 -c /usr/local/etc/snort/snort_13122_vmx1/snort.conf -i vmx1{snort}
      68164 root         20    0    17M  2832K nanslp   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i DEFAULT_GATEWAY -B 208.87.243.74 -p /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.pid -u /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 208.87.243.73{dpinger}
      68827 root         20    0    21M  2928K nanslp   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WANGW_3 -B 208.87.243.74 -p /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.pid -u /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 104.149.157.73{dpinger}
      68342 root         20    0    21M  2928K nanslp   1   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WAN_GW -B 208.87.243.74 -p /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.pid -u /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 23.238.130.161{dpinger}
        2 root        -60    -     0B    48K WAIT     1   0:00   0.00% [clock{clock (1)}]
       14 root         -8    -     0B    48K -        1   0:00   0.00% [geom{g_event}]
      68164 root         20    0    17M  2832K accept   0   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i DEFAULT_GATEWAY -B 208.87.243.74 -p /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.pid -u /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 208.87.243.73{dpinger}
      21857 root         26    0    13M  2576K wait     1   0:00   0.00% /bin/sh /usr/local/pkg/sqpmon.sh
        1 root         20    0    11M  1144K wait     0   0:00   0.00% [init]
      95464 root         20    0    13M  2640K nanslp   0   0:00   0.00% /usr/sbin/cron -s
      23724 squid        68    0    16M  4176K piperd   1   0:00   0.00% (unlinkd) (unlinkd)
        0 root          8    -     0B   576K -        1   0:00   0.00% [kernel{thread taskq}]
      57867 root         21    0    14M  3300K CPU2     2   0:00   0.00% /usr/bin/top -baHS 999
       17 root        -16    -     0B    64K -        1   0:00   0.00% [bufdaemon{bufspacedaemon-0}]
       18 root        -16    -     0B    16K vlruwt   1   0:00   0.00% [vnlru]
       17 root        -16    -     0B    64K psleep   1   0:00   0.00% [bufdaemon{bufdaemon}]
       12 root        -60    -     0B   736K WAIT     1   0:00   0.00% [intr{swi6: task queue}]
      18804 squid        68    0    88M    14M wait     1   0:00   0.00% /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
        9 root        -16    -     0B    48K umarcl   2   0:00   0.00% [pagedaemon{uma}]
       17 root        -16    -     0B    64K -        1   0:00   0.00% [bufdaemon{bufspacedaemon-1}]
        2 root        -60    -     0B    48K WAIT     2   0:00   0.00% [clock{clock (2)}]
      55826 root         68    0    13M  2264K ttyin    2   0:00   0.00% /usr/libexec/getty Pc ttyv0
      57141 root         68    0    13M  2264K ttyin    1   0:00   0.00% /usr/libexec/getty Pc ttyv7
      56657 root         68    0    13M  2272K ttyin    1   0:00   0.00% /usr/libexec/getty Pc ttyv4
      56490 root         68    0    13M  2268K ttyin    2   0:00   0.00% /usr/libexec/getty Pc ttyv3
      68342 root         20    0    21M  2928K accept   0   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WAN_GW -B 208.87.243.74 -p /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.pid -u /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 23.238.130.161{dpinger}
      56978 root         68    0    13M  2264K ttyin    0   0:00   0.00% /usr/libexec/getty Pc ttyv5
      56363 root         68    0    13M  2260K ttyin    0   0:00   0.00% /usr/libexec/getty Pc ttyv2
      57043 root         68    0    13M  2268K ttyin    2   0:00   0.00% /usr/libexec/getty Pc ttyv6
      56162 root         68    0    13M  2264K ttyin    1   0:00   0.00% /usr/libexec/getty Pc ttyv1
      78531 root         21    0    29M  8520K kqread   0   0:00   0.00% nginx: worker process (nginx)
      68827 root         20    0    21M  2928K accept   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WANGW_3 -B 208.87.243.74 -p /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.pid -u /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 104.149.157.73{dpinger}
      78324 root         34    0    29M  7992K pause    0   0:00   0.00% nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
      68827 root         68    0    21M  2928K uwait    2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WANGW_3 -B 208.87.243.74 -p /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.pid -u /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 104.149.157.73{dpinger}
      53193 root         68   20    12M  2080K nanslp   1   0:00   0.00% sleep 60
      61174 root         40    0    20M  8500K select   2   0:00   0.00% sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
      68164 root         68    0    17M  2832K uwait    2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i DEFAULT_GATEWAY -B 208.87.243.74 -p /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.pid -u /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 208.87.243.73{dpinger}
      56787 root         26    0    12M  2084K nanslp   2   0:00   0.00% sleep 55
        0 root        -60    -     0B   576K -        1   0:00   0.00% [kernel{softirq_1}]
      68342 root         68    0    21M  2928K uwait    2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WAN_GW -B 208.87.243.74 -p /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.pid -u /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 23.238.130.161{dpinger}
        0 root        -60    -     0B   576K -        2   0:00   0.00% [kernel{softirq_2}]
      38896 root         36    0    59M  4496K usem     2   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{merge-thread}
        0 root          8    -     0B   576K -        1   0:00   0.00% [kernel{linuxkpi_irq_wq}]
      48381 root         20    0    22M  8108K kqread   1   0:00   0.00% /usr/local/sbin/openvpn --config /var/etc/openvpn/server2/config.ovpn{openvpn}
      407 root         68   20    13M  2552K kqread   0   0:00   0.00% check_reload_status: Monitoring daemon of check_reload_status (check_reload_status)
        0 root        -60    -     0B   576K -        0   0:00   0.00% [kernel{softirq_0}]
      54401 root         21    0    12M  2188K nanslp   0   0:00   0.00% minicron: helper /usr/local/bin/ipsec_keepalive.php  (minicron)
      53474 root         20    0    12M  2188K nanslp   0   0:00   0.00% minicron: helper /usr/local/bin/ping_hosts.sh  (minicron)
       14 root         -8    -     0B    48K -        1   0:00   0.00% [geom{g_up}]
      54787 root         68    0    12M  2168K wait     1   0:00   0.00% /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
      55184 root         68    0    12M  2164K wait     1   0:00   0.00% /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
      53273 root         68    0    12M  2168K wait     1   0:00   0.00% /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
      54147 root         68    0    12M  2168K wait     1   0:00   0.00% /usr/local/bin/minicron 300 /var/run/ipsec_keepalive.pid /usr/local/bin/ipsec_keepalive.php
      38896 root         20    0    59M  4496K usem     1   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{110}
      55395 root         68    0    12M  2188K nanslp   1   0:00   0.00% minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data  (minicron)
      38896 root         20    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{25}
      55164 root         68    0    12M  2192K nanslp   1   0:00   0.00% minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts  (minicron)
       14 root         -8    -     0B    48K -        1   0:00   0.00% [geom{g_down}]
      38896 root         20    0    59M  4496K usem     1   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{995}
      38896 root         68    0    59M  4496K usem     2   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      38896 root         68    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      38896 root         20    0    59M  4496K usem     1   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{993}
      38896 root         20    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{465}
        0 root          8    -     0B   576K -        0   0:00   0.00% [kernel{acpi_task_1}]
        0 root        -60    -     0B   576K -        2   0:00   0.00% [kernel{mca taskq}]
      38896 root         68    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      38896 root         68    0    59M  4496K usem     2   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      61676 root         68    0    28M  7004K uwait    2   0:00   0.00% /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc{pool-spawner}
        0 root         -8    -     0B   576K -        2   0:00   0.00% [kernel{CAM taskq}]
      38896 root         20    0    59M  4496K usem     1   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{143}
      38896 root         68    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      38896 root         53    0    59M  4496K usem     2   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      38896 root         20    0    59M  4496K usem     0   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{587}
        6 root        -16    -     0B    16K idle     0   0:00   0.00% [mpt_recovery0]
      38896 root         68    0    59M  4496K usem     2   0:00   0.00% /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1{filterdns}
      74992 root         23    0  1231M   894M sbwait   0   0:00   0.00% /usr/local/bin/snort -R _30731 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_vmx030731 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 30731 -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
      29119 root         68    0    18M  7472K kqread   1   0:00   0.00% /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn{openvpn}
       16 root        -16    -     0B    16K psleep   2   0:00   0.00% [vmdaemon]
      68342 root         68    0    21M  2928K sbwait   2   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WAN_GW -B 208.87.243.74 -p /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.pid -u /var/run/dpinger_WAN_GW~208.87.243.74~23.238.130.161.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 23.238.130.161{dpinger}
        0 root          8    -     0B   576K -        1   0:00   0.00% [kernel{acpi_task_2}]
        0 root          8    -     0B   576K -        2   0:00   0.00% [kernel{firmware taskq}]
        0 root          8    -     0B   576K -        2   0:00   0.00% [kernel{inm_free taskq}]
        9 root        -16    -     0B    48K launds   0   0:00   0.00% [pagedaemon{laundry: dom0}]
      68827 root         68    0    21M  2928K sbwait   0   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i WANGW_3 -B 208.87.243.74 -p /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.pid -u /var/run/dpinger_WANGW_3~208.87.243.74~104.149.157.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 104.149.157.73{dpinger}
        0 root          8    -     0B   576K -        2   0:00   0.00% [kernel{linuxkpi_long_wq_3}]
        0 root          8    -     0B   576K -        2   0:00   0.00% [kernel{mlx4}]
       20 root        -16    -     0B    16K aldslp   0   0:00   0.00% [ALQ Daemon]
       10 root        -16    -     0B    16K audit_   2   0:00   0.00% [audit]
      68164 root         68    0    17M  2832K sbwait   0   0:00   0.00% /usr/local/bin/dpinger -S -r 0 -i DEFAULT_GATEWAY -B 208.87.243.74 -p /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.pid -u /var/run/dpinger_DEFAULT_GATEWAY~208.87.243.74~208.87.243.73.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 208.87.243.73{dpinger}
      
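The listing above was produced by `top -baHS 999` (the command is visible in the listing itself), and the `-H` flag prints one line per thread, so a single Snort process with several threads appears several times under the same PID. Only two distinct Snort PIDs actually appear in it, 74992 on vmx0 and 91947 on vmx1. The following sh script is an added example, not part of the original post and not pfSense or Snort package code: it reads `top -H` style output and reports how many distinct PIDs and how many thread lines exist per Snort interface, so real duplicate processes can be told apart from threads of one process. The sample listing inside it is constructed from a few of the pasted lines with shortened command lines, and PID 12345 is invented to show what a genuine duplicate looks like.

```shell
#!/bin/sh
# Added example: tell Snort threads apart from Snort processes in `top -H` output.
# `top -baHS` prints one line per THREAD, so one Snort process with three
# threads shows up three times under the same PID.

# Constructed sample modelled on the pasted listing (command lines shortened).
# PID 12345 on vmx1 is invented here to show what a genuine duplicate looks like.
sample_top_output() {
  cat <<'EOF'
  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
74992 root         20    0  1231M   894M nanslp   0   0:11   0.00% /usr/local/bin/snort -R _30731 -D -q --daq pcap -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
74992 root         20    0  1231M   894M bpf      1   0:01   0.00% /usr/local/bin/snort -R _30731 -D -q --daq pcap -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
74992 root         23    0  1231M   894M sbwait   0   0:00   0.00% /usr/local/bin/snort -R _30731 -D -q --daq pcap -c /usr/local/etc/snort/snort_30731_vmx0/snort.conf -i vmx0{snort}
91947 root         20    0   638M   510M bpf      0   0:00   0.00% /usr/local/bin/snort -R _13122 -D -q --daq pcap -c /usr/local/etc/snort/snort_13122_vmx1/snort.conf -i vmx1{snort}
91947 root         20    0   638M   510M nanslp   0   0:00   0.00% /usr/local/bin/snort -R _13122 -D -q --daq pcap -c /usr/local/etc/snort/snort_13122_vmx1/snort.conf -i vmx1{snort}
12345 root         20    0   638M   510M bpf      2   0:00   0.00% /usr/local/bin/snort -R _13122 -D -q --daq pcap -c /usr/local/etc/snort/snort_13122_vmx1/snort.conf -i vmx1{snort}
82079 unbound      20    0   163M   132M kqread   2   0:02   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbound}
EOF
}

# Reads top -H output on stdin and prints one line per Snort interface:
#   <iface> <distinct PIDs> <thread lines>
# The interface is taken from the "-i <iface>" argument; top appends the
# thread name as "{snort}" to the last argument, so that suffix is stripped.
snort_pids_per_iface() {
  awk '
    index($0, "/usr/local/bin/snort") > 0 {
      iface = ""
      for (i = 1; i <= NF; i++)
        if ($i == "-i") { iface = $(i + 1); sub(/[{].*$/, "", iface) }
      if (iface == "") next
      threads[iface]++
      if (!((iface, $1) in seen)) { seen[iface, $1] = 1; pids[iface]++ }
    }
    END { for (k in pids) print k, pids[k], threads[k] }
  ' | sort
}

# Prints only the interfaces that really have more than one Snort PID.
real_duplicates() {
  snort_pids_per_iface | awk '$2 > 1 { print $1 }'
}

# Run against the constructed sample. On the firewall use the real listing:
#   top -baHS 999 | snort_pids_per_iface
sample_top_output | snort_pids_per_iface
sample_top_output | real_duplicates
```

A listing without `-H` (for example `ps -axo pid,command | grep '[s]nort'`) shows one line per process and answers the same question directly; the script is for the case where only a thread-level listing like the one above is available.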
        bmeeks
        last edited by bmeeks

        There are several checks within the Snort shell startup script that attempt to prevent multiple processes. But if something on your firewall is making interfaces come up and down rapidly, that will cause pfSense to continually fire the "restart all packages" script. That script in turn will call the Snort shell startup script in /usr/local/etc/rc.d/ each time it runs. Multiple calls to that script in quick succession can lead to multiple processes despite the attempted checks.

        You need to find out if the above scenario is the case, and if so, fix that underlying issue that is causing the script to be called repeatedly.

        Another possibility is the use of the Service Watchdog package to monitor Snort. That package and Snort are not compatible. Service Watchdog should never be configured to watch Snort. The package does not understand how Snort works internally and will needlessly start multiple instances because it will think Snort is not running when it actually already is.

        Look in the pfSense system log and see if you find messages about "restarting all packages". If so, you need to find out why that script is being triggered. If you are using Service Watchdog with Snort, remove Snort from the list of monitored services in Service Watchdog.

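One way to check for the scenario bmeeks describes (an interface flapping and pfSense firing the package restart script each time), as an added example that is not code from this thread, from pfSense or from the Snort package: a sh script that scans system log lines, counts package-restart messages and counts kernel link-state changes per interface, then flags interfaces that changed state more often than a threshold. The log lines inside it are constructed. The package-restart line is matched loosely on "all packages" because the exact wording is not quoted on this page, and the "link state changed to" text is the standard FreeBSD kernel message. The threshold of 3 is an arbitrary choice for the sample.

```shell
#!/bin/sh
# Added example: look for the "interface flaps -> restart all packages" loop
# described above, using constructed pfSense system log lines.

# Constructed sample log. The package-restart wording varies between pfSense
# versions, so it is matched loosely on "all packages" below.
sample_system_log() {
  cat <<'EOF'
Mar 10 09:00:01 pfSense kernel: vmx0: link state changed to DOWN
Mar 10 09:00:03 pfSense kernel: vmx0: link state changed to UP
Mar 10 09:00:04 pfSense check_reload_status[405]: Linkup starting vmx0
Mar 10 09:00:05 pfSense php-fpm[368]: /rc.start_packages: Restarting/Starting all packages.
Mar 10 09:00:09 pfSense kernel: vmx0: link state changed to DOWN
Mar 10 09:00:11 pfSense kernel: vmx0: link state changed to UP
Mar 10 09:00:13 pfSense php-fpm[367]: /rc.start_packages: Restarting/Starting all packages.
Mar 10 09:00:20 pfSense kernel: vmx1: link state changed to UP
Mar 10 09:00:21 pfSense php-fpm[368]: /rc.start_packages: Restarting/Starting all packages.
Mar 10 09:05:00 pfSense sshd[61174]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
EOF
}

# Number of package-restart events in the log read from stdin.
count_package_restarts() {
  grep -ci 'all packages' || true
}

# Kernel link-state changes per interface, printed as "<iface> <changes>".
# In "...: vmx0: link state changed to DOWN" the interface is the field five
# positions before the last one.
link_state_changes() {
  awk '/link state changed to/ { ifc = $(NF - 5); sub(/:$/, "", ifc); n[ifc]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# Interfaces whose link changed state at least $1 times.
flapping_ifaces() {
  link_state_changes | awk -v t="$1" '$2 >= t { print $1 }'
}

# One-shot diagnosis of the log on stdin: "restarts=<n> flapping=<iface,...>".
# Restarts with no flapping interface point elsewhere (bmeeks also names the
# Service Watchdog package as a cause); restarts plus a flapping interface is
# the loop described above.
diagnose() {
  log=$(cat)
  restarts=$(printf '%s\n' "$log" | count_package_restarts)
  flaps=$(printf '%s\n' "$log" | flapping_ifaces "${1:-3}" |
          awk '{ s = s (s == "" ? "" : ",") $1 } END { print s }')
  printf 'restarts=%s flapping=%s\n' "$restarts" "$flaps"
}

# Run against the constructed sample. On the firewall, feed it the real
# system log instead, e.g.:  diagnose 3 < /var/log/system.log
sample_system_log | diagnose 3
```

A restart count that keeps climbing while an interface shows many link-state changes is the signature to fix at the interface (cabling, driver, upstream device) rather than in Snort; a climbing restart count with no flapping interface means something else is calling the restart script and the Service Watchdog configuration is the next thing to check.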
          luisenrique @bmeeks
          last edited by

          @bmeeks thanks for pointing me in the right direction!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.