Various Snort processes
-
How can I avoid multiple Snort processes? I stop the Snort interface and it keeps alerting... I add a rule or remove a blocked host and it gets blocked again...
I restart my pfSense but it continues to start various Snort processes.
-
There are several checks within the Snort shell startup script that attempt to prevent multiple processes. But if something on your firewall is making interfaces come up and down rapidly, that will cause pfSense to continually fire the "restart all packages" script. That script in turn will call the Snort shell startup script in /usr/local/etc/rc.d/ each time it runs. Multiple calls to that script in quick succession can lead to multiple processes despite the attempted checks.
You need to find out if the above scenario is the case, and if so, fix that underlying issue that is causing the script to be called repeatedly.
Another possibility is the use of the Service Watchdog package to monitor Snort. That package and Snort are not compatible. Service Watchdog should never be configured to watch Snort. The package does not understand how Snort works internally and will needlessly start multiple instances because it will think Snort is not running when it actually already is.
Look in the pfSense system log and see if you find messages about "restarting all packages". If so, you need to find out why that script is being triggered. If you are using Service Watchdog with Snort, remove Snort from the list of monitored services in Service Watchdog.
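The two checks described in the answer above, written as an added shell example (not part of the original post and not pfSense or Snort package code). It assumes plain-text RFC 3164 syslog lines and a process listing with the PID in the first column; the function names and sample lines are constructed, and the log pattern is kept loose because the exact message wording is an assumption.

```sh
#!/bin/sh
# Added example; not pfSense or Snort package code. Names and samples are constructed.

# Count log lines matching PATTERN per minute (RFC 3164 syslog text on stdin).
# Prints "<Mon DD HH:MM> <count>" for every minute with at least one hit.
events_per_minute() {
    grep -i -- "$1" |
        awk '{ split($3, t, ":"); n[$1 " " $2 " " t[1] ":" t[2]]++ }
             END { for (m in n) print m, n[m] }' | sort
}

# Print "<iface> <count>" for each interface served by more than one Snort PID.
# Input: process lines with the PID in column 1 (ps or top style). A thread
# listing (top -H) repeats a PID once per thread, so only distinct PIDs count.
duplicate_snort_ifaces() {
    awk 'index($0, "/usr/local/bin/snort ") {
             iface = ""
             for (i = 2; i < NF; i++) if ($i == "-i") iface = $(i + 1)
             sub(/[{].*/, "", iface)   # drop the thread tag top appends, e.g. {snort}
             if (iface != "" && !seen[iface, $1]++) pids[iface]++
         }
         END { for (f in pids) if (pids[f] > 1) print f, pids[f] }' | sort
}

# Constructed sample input; the exact log wording is an assumption.
SAMPLE_LOG='Mar 14 10:02:00 fw kernel: vmx0: link state changed to DOWN
Mar 14 10:02:01 fw php-fpm[368]: /rc.start_packages: Restarting/Starting all packages.
Mar 14 10:02:17 fw kernel: vmx0: link state changed to UP
Mar 14 10:02:19 fw php-fpm[368]: /rc.start_packages: Restarting/Starting all packages.
Mar 14 10:02:44 fw php-fpm[367]: /rc.start_packages: Restarting/Starting all packages.
Mar 14 10:09:30 fw check_reload_status[405]: Reloading filter'

SAMPLE_PS='4101 root /usr/local/bin/snort -D -q -i vmx0{snort}
4101 root /usr/local/bin/snort -D -q -i vmx0{snort}
4188 root /usr/local/bin/snort -D -q -i vmx0{snort}
5210 root /usr/local/bin/snort -D -q -i vmx1{snort}
5210 root /usr/local/bin/snort -D -q -i vmx1{snort}'

echo "package restarts per minute:"
printf '%s\n' "$SAMPLE_LOG" | events_per_minute 'starting all packages'
echo "link state changes per minute:"
printf '%s\n' "$SAMPLE_LOG" | events_per_minute 'link state changed'
echo "interfaces with more than one Snort PID:"
printf '%s\n' "$SAMPLE_PS" | duplicate_snort_ifaces
```

On a live firewall, feed the functions the system log file and the output of a process listing instead of the sample variables; several package restarts within the same minute as link state changes point to the flapping-interface scenario described above.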
-
@bmeeks thanks for pointing me in the right direction!