[SOLVED] pfSense process investigation and Snort



  • I am trying to implement my first pfSense installation, and am currently testing in a very low-load environment.

    (Snort package version 2.9.0.5 pkg 2 installed on 9/11/11. pfSense 2.0 RC3 snapshot from 9/9/11. Don't expect this is needed, but following forum rules meant to assist me is a good idea.  ;D)

    Here are the questions I have while trying to troubleshoot and familiarize myself with pfSense:

    (1) In trying to get a handle on the workings of a pfSense box, I am interested in what the output from the following command looks like on a pfSense box where Snort is running successfully

    ps -ef
    

    (2) I will say my pfSense box generates very little output with this command, which surprises me based on my Solaris, RHEL, and SLES experience… is 'ps -ef' the best command to use to generate a list of all running processes on a pfSense implementation of FreeBSD 8.2?

    (3) If Snort is already running, and from the console I enter the following command

    snort --pcap-show
    

    …should I get a successful Snort-has-started splash screen and then see the packets being processed in real-time printing to the console screen, or should it fail saying something to the effect "Snort is already running"?

    At this point, if I can't figure it out with all the info I have found on these forums I'll be back for more assistance later. For now, I just want to get these few questions answered to help me find the right direction to go from here.

    Thanks for your time and assistance acclimating me to this new and useful environment. I look forward to working with pfSense a lot in the future.



  • @richinspirit:

    ps -ef
    

    (2) I will say my pfSense box generates very little output with this command, which surprises me based on my Solaris, RHEL, and SLES experience… is 'ps -ef' the best command to use to generate a list of all running processes on a pfSense implementation of FreeBSD 8.2?

    try:
    ps -fax
    (it's easy to remember :-)
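
The following is an added example, not code from the thread or from the pfSense project, showing the practical use of the process listing being discussed: reading `ps auxw` output on a FreeBSD-based pfSense box and picking out which interface each Snort instance is listening on (pfSense starts one snort process per configured interface with `-i <iface>`). The embedded ps output is constructed for illustration; real command lines, paths and PIDs will differ, and the parser assumes the BSD `ps auxw` column layout, not `ps -fax`. It also shows why grepping for the word "snort" alone over-counts, since the grep itself shows up in the listing.

```shell
#!/bin/sh
# Added example: find per-interface Snort instances in 'ps auxw' style output
# from a FreeBSD-based pfSense box. The sample below is constructed; real
# snort command lines, config paths and PIDs on a pfSense box will differ.
SAMPLE_PS='USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  1888   444  ??  ILs   9:10AM 0:00.01 /sbin/init --
root   812  0.0  0.3  6824  2340  ??  Ss    9:10AM 0:00.12 /usr/sbin/syslogd -s -c
root  1453  2.1 11.2 98544 45120  ??  Ss    9:12AM 0:04.55 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
root  1471  1.9 10.9 97230 44016  ??  Ss    9:12AM 0:04.31 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
root  1602  0.0  0.1  3412   980   0  R+    9:15AM 0:00.00 grep snort'

# snort_interfaces: read 'ps auxw' output on stdin and print the interface
# given by '-i <name>' for every process whose COMMAND is the snort binary.
# The "grep snort" line is skipped because its COMMAND field is "grep", which
# is exactly the false positive a plain 'ps auxw | grep snort' would report.
snort_interfaces() {
    awk '
        NR == 1 { next }                      # skip the ps header line
        $11 !~ /(^|\/)snort$/ { next }        # COMMAND (field 11) must be snort
        {
            for (i = 12; i <= NF; i++)
                if ($i == "-i" && i < NF) { print $(i + 1); break }
        }'
}

# snort_running_on <iface>: read ps output on stdin, exit 0 if a snort
# instance is listening on that interface, non-zero otherwise.
snort_running_on() {
    snort_interfaces | grep -qx "$1"
}

# Stand-alone run over the constructed sample. On a live box you would feed
# the real listing instead: ps auxw | snort_interfaces
printf '%s\n' "$SAMPLE_PS" | snort_interfaces
```

On a live system, replace the sample with `ps auxw | snort_interfaces`; the functions only depend on the column order of BSD `ps`, so they work the same under the `ps -fax` habit only after switching the invocation back to `auxw`.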



  • I apologize for assuming the ps command would be the same for Solaris, Linux, AND FreeBSD. I did some googling this morning and came up with 'ps auxw', and this command worked well for me.

    I will also try 'ps -fax' and see which I prefer.

    Thank you dhatz for the reply.



  • I'm all set, now…

    When I made it back to my test network earlier today there were system log entries on the pfSense box showing the ethernet interfaces had been restarted. The reason they restarted on their own while I was doing other things is a mystery to me, but they did restart.

    Shortly after that, Snort kicked off successfully for both interfaces I set it up on and was running just fine. Again, not sure why it decided to start right up on its own, but I had asked it to start repeatedly before working on other things, so maybe it just did what I told it to as soon as it could.  ???

    I notice it clearly states on the Snort service web-interface that the interfaces will need to be restarted to pick up changes. Changes like just installing it to configuring it to run for the first time, say? Nice  ;D

    Once I had a running Snort install and the correct arguments for 'ps', it was easy to answer my own questions.

