Snort 2.9.4.6 Pkg v 2.5.9
-
Has anyone else been experiencing this when Snort tries to update? I been getting it for a couple of weeks now. I have set to update once per day automatically which is around midnight.. Should the update run at a different time?
I do pay the yearly subscription to snort. I just have the snort.org rules and Emerging ones enabled. I am guessing its more of an issue with snort site than the app here with pfsense. Just wondering if I was the only one seeing this.Bill would it be possible if everyone (mass population) would like it to, to have the most recent snort update entry at the top of the log rather than the bottom? Not a major issue just save me some scrolling which at times is a P.I.T.A. on a mobile device.. No worries if its left as is.. just thought I would ask.
system log
Aug 4 00:08:03 php: : [Snort] The Rules update has finished.
Aug 4 00:08:03 php: : [Snort] Emerging Threat rules are up to date…
Aug 4 00:08:02 php: : [Snort] Server returned error code '0'…
Aug 4 00:08:02 php: : [Snort] Snort VRT md5 download failed…
Aug 4 00:08:02 php: : File 'snortrules-snapshot-2946.tar.gz.md5' download attempts: 4 ...
Aug 4 00:07:47 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:07:47 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:06:32 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:06:32 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:05:17 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:05:17 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:04:02 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:04:02 php: : [Snort] Rules download error: Empty reply from serverSnort update log
Starting rules update… Time: 2013-08-04 00:03:01
Downloading Snort VRT md5 file...
Snort VRT md5 download failed.
Server returned error code '0'.
Server error message was 'Empty reply from server'
Snort VRT rules will not be updated.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-08-04 00:08:03I would frequently see this error in my own logs using the default update time of 3 minutes past midnight and 12:03 PM. Using the new option added in the 2.5.9 update that allows choosing other update times, I've eliminated this error by moving my updates to 1:00 AM and 1:00 PM. My guess is maybe the default time is frequently hitting some maintenance or backup process on the rules update server at Snort.org. I don't have anything to backup that supposition, but I can say that after moving my times to an hour later I have not had the issue happen again.
As for reordering the logs, I can take a look. It would complicate the code because now it just appends to the end of the file. The viewer is just a simple file reader (actually it just copies the contents into a HTML textarea object). I could add some sorting of the lines prior to display, but it will be tricky due to the formatting.
Bill
Thanks Bill! I will move the time to 1 am. I was more concerned if it was just me or if others were seeing it. I appreciate the followup on it.
On the log issue, it seems like more work than what its worth. You dont have to worry about it unless you really feel bored. lol
-
Starting rules update… Time: 2013-08-04 17:44:54
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
There is a new set of EmergingThreats rules posted. Downloading...
Done downloading EmergingThreats rules file.
Extracting and installing EmergingThreats.org rules...
Installation of EmergingThreats.org rules completed.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
The Rules update has finished. Time: 2013-08-04 17:45:30I did a clean install of 2.1 rc-1, i imported a backup file i had of 2.0.3 . So my issue is, the snort package runs fine but i am not getting hits on any of the rules sets. To make sure the rules are working, i do a shields up scan which usually does a few nmap scans of my machine but i dont get hits anymore. I noticed that its saying freebsd-8-1 for the precompiled instead of 8-3. so i dont know if that might have something to do with it?
-
Do you have the rules enabled? Also do you have the block detected port scans enabled? If not, Snort will not be looking for them thus not blocking them.
-
Do you have the rules enabled? Also do you have the block detected port scans enabled? If not, Snort will not be looking for them thus not blocking them.
I had the nmap rules enabled along with the portscan option on. I just uninstalled snort with the saved settings. Started fresh and is working fine now 8)
-
I noticed that its saying freebsd-8-1 for the precompiled instead of 8-3. so i dont know if that might have something to do with it?
The only precompiled rules included in current Snort.org rules are for FreeBSD 8.1. They don't provide 8.3 versions yet. However, I think it's really only the major version that matters (8.x, for example).
Bill
-
Just want to say the old bug is back again, it bans my OWN IP after a bit a while just looking some normal websites.
Getting this:
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
(portscan) TCP Portsweep - 08/05/13-22:48:52
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55 -
I just tried to install snort and I am having trouble getting it to work.
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput. I have two connections and failover, one WAN is 7M downstream and 0.5 upstream, the other is even less than that, as 3G mobile signal from indoors is weak. I have currently disconnected the second one from the internet, for checking purposes, so it only talks to a small machine of mine, but I can't even enable there.
I know IDS and IPS are resource intensive but they should at least start, so that I can figure out the performance requirements.
I attach what I see. If I click the red "x" it waits about 10min (but still the firewall is passing traffic OK) with the web interface "waiting for reply", and then it reloads the page and I get exactly the same screen.
I know it says new settings won't take place until interface restarts and so I have disabled and reenabled wanmobile interface, same thing.
I wonder if I should remove package and then use a different version of snort to work with my pfSense 2.0.1 ?
Thank you so very much
-
You are trying to @daniela:
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput.
No, they are not underdimensioned, they are absolutely unfit for purpose. Stop wasting your time.
-
Thank you a lot for saving me from heartache and waste of time. I will get something else: can you advise approx CPU and RAM specs? Theoretical max throughput in the foreseeable lifetime of the box is perhaps 20M per interface (unfortunately is located in the Internet Desert and no fiber anywhere near). Also what should I expect for disk usage? I am planning to get a SSD if it does not require too much space.
I would get two such boxes, one to run Snort and the other to run Squid, do you think is the best policy or do you think better a more performing appliance and have it do both?
Low energy consumption is a big plus.
-
Thank you a lot for saving me from heartache and waste of time. I will get something else: can you advise approx CPU and RAM specs?
Do you seriously intend to use IDS? I mean, the Alix HW is perfectly fine for running normal firewall on such lines. Before investing any money into new HW, I'd suggest to maybe recycle some desktop for testing and see for yourself how it feels and how much time you have to babysit and finetune the thing? It's not set-it-and-forget-it package in any way.
-
I just tried to install snort and I am having trouble getting it to work.
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput.
I wonder if I should remove package and then use a different version of snort to work with my pfSense 2.0.1 ?Thank you so very much
Well, besides the marginal hardware issues, you will need pfSense 2.0.3 to run the latest Snort package. So the first thing I would do is upgrade to 2.0.3. After that you can try Snort again. But if you have less than 1 GB of RAM, Snort really is not for you. You need 2GB or more of RAM to run anything beyond a handful of Snort rules, though.
Bill
-
Just want to say the old bug is back again, it bans my OWN IP after a bit a while just looking some normal websites.
Getting this:
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
(portscan) TCP Portsweep - 08/05/13-22:48:52
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55Is your WAN IP dynamic and frequently changing? If so it might what is causing the problem. Are you running 2.0.3 or 2.1 pfSense?
Bill
-
Thank you a lot everyone, I really appreciate.
For anyone else who may be interested or have a similar setup, Snort with lowmemory and "connectivity" inbuilt set of rules is working and being stable since 10+ hours with no perceivable slowdown even at full "speed" (if one may use the word, eh). Performance impact is not too bad (about 10% on memory and a few % on CPU, and less than a handful of extra processes) and I gave it 10MB space which is advised space for nanoBSD (may be one could increase it a little bit). Worst memory load is 57% and it's averaging about 35%, it won't melt. I decided to let it be for a while and whatever it filters and is not a false positive, I am adding to custom firewall rules. That way when I get rid of it, at least I have both learned something and improved the network a little. I got a process termination for lack of swap space, but since it did not keep happening, I think it's too amazing a miracle to tinker with, and kept my hands off it. I also realize it'd be better to reboot when doing extensive configuration changes, oh well. Also, I confirm the firewall kept working alright while enabling snort (which took about 1min per interface and I made sure to hammer the firewall).
I'll get some desktop from some closet and try Snort there, I'll activate it a couple hours a day while I am around and see what happens. I am realizing that it is not only necessary to learn Snort, but also to learn about network use of the users and what they need and use and what they don't. The users, however, seem to all have read everything about the bastard operator from hell and so don't even think of discussing needs and wishes, they also lie when asked! I am only trying to be helpful. I can't do any harm after all, I already have blocked Facebook years ago. :-D
I will move to 2.0.3, or to current version, as soon as downtime is available. I confirm to anyone on 2.0.1 that it sort of works.
-
When I disable this:
Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
Then Snort wont start. I cant find any rules that is associated with this preproc. at all.
-
When I disable this:
Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
Then Snort wont start. I cant find any rules that is associated with this preproc. at all.
There is a rule option somewhere that is dependent on the preprocessor. In the system log there should be a message with these words "snort[81145]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_64703_em0/rules/snort.rules(6050) Unknown rule option: 'dce_iface'." . Snort rules can contain all manner of special rule options, and many of these options depend on certain preprocessors being enabled. In this case, the rule option is "dce_iface". That's why it is usually best to just run all the preprocessors except maybe Sensitive Data (SDF). You never know when a rule update will suddenly enable a formerly disabled rule or include a new rule with the rule option. If you have the preprocessor disabled that some new rule depends on, then Snort will fail to start after the rule update.
If you want to disable the preprocessor anyway, then at the top of the Preprocessors tab is a check box that says "Auto-Disable Text Rules". If you check that option, then Snort will automatically disable any text rules that contain a rule option dependent upon the preprocessor you disabled. Using your example, if you check that box you should see this warning similar to this in the system log when Snort starts –
[Snort] Warning: auto-disabled 97 rules due to disabled preprocessor dependencies.
It's telling you that it automatically disabled 97 rules that contained options dependent upon the DCE_RPC preprocessor. For this example, I just used the IPS Policy - Security with no Emerging Threats rules. If you have a different set of rules enabled, you will likely see a number different from 97.
I put a View button on the Preprocessors tab that is supposed to let you open and view the disabled rules, but I just found out it does not appear to be working. I will have to see why. In the meantime, you will find a text log file of the auto-disabled rules in /var/log/snort. The file will be named with the interface to make it easy to spot.
Bill
-
Thanks Bill!!
-
Thanks Bill!!
You're welcome. And by the way, I found the problem with the View button not working. A needed piece of JavaScript code got left out of the PHP page file during the last Snort package update. I've fixed it in my base code, but I will just wait until the next scheduled update to push the fix out to the production package. I'm really close to having the next update ready to go anyway.
Bill
-
In 2.1 RC1. I notice that the block list gets cleared everytime i save a setting in lets say squid. Also if i update the firewall rules on the server, it clears the list as well.
-
In 2.1 RC1. I notice that the block list gets cleared everytime i save a setting in lets say squid. Also if i update the firewall rules on the server, it clears the list as well.
Unfortunately this is something that is outside the direct control of the Snort package. The pfSense core code clears all the packet filter tables when certain key events transpire. The Snort block table is just a victim of this behavior. Snort does not have its own independent block table. It just inserts IP addresses into the packet filter that it wants blocked.
Bill
-
Oh that's fine then. Just wanted to make sure it wasn't a bug or anything. As long as things get blocked then i don't mind the table being flushed out. I was wondering how the update was coming along and a eta on it, thanks.
-
I was wondering how the update was coming along and a eta on it, thanks.
The package code changes are done. I'm doing testing now trying to flush out any little bugs. The addition of multiple configuration engine support for some of the preprocessors resulted in quite a bit of code being added/edited. The next version will have multiple configuration support for Frag3, Stream5 and HTTP_Inspect.
I have sort of been stalling while waiting to see if the Snort port in FreshPorts gets updated to the 2.5 code from 2.9.4.6. I wanted to include that binary update as well.
Bill
-
Just want to say the old bug is back again, it bans my OWN IP after a bit a while just looking some normal websites.
Getting this:
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
(portscan) TCP Portsweep - 08/05/13-22:48:52
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55Is your WAN IP dynamic and frequently changing? If so it might what is causing the problem. Are you running 2.0.3 or 2.1 pfSense?
Bill
Yes, Internet here is 100% IP dynamic whatever I power on/off my xDSL modem.
2.1-BETA1 (i386)
built on Wed May 22 08:31:46 EDT 2013
FreeBSD 8.3-RELEASE-p8 -
Yes, Internet here is 100% IP dynamic whatever I power on/off my xDSL modem.
2.1-BETA1 (i386)
built on Wed May 22 08:31:46 EDT 2013
FreeBSD 8.3-RELEASE-p8Snort builds the whitelist during each startup sequence. When the WAN IP changes, pfSense usually does a good job of restarting things. When restarted, Snort will correctly detect the new WAN IP and modify the whitelist accordingly assuming WAN IP is checked in the whitelist config (that is the default if you do not change it). Maybe in the newer 2.1 snapshots something is not working quite right with the auto-restart of packages.
A workaround would be to manually enter an Alias containing the IP subnet that your ISP routinely issues WAN IPs to you from. Then add this Alias to a custom whitelist for the WAN interface. That way no matter what IP in the block you happen to get, it will be whitelisted. This is not ideal and really should only be used as a temp workaround. Hopefully this problem will disappear as the 2.1 snapshots continue to be tweaked. I can also take a look to see if there is anything that could be done within Snort itself to better detect a WAN IP change.
Bill
-
I have IPS Policy ( i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN. And, all rule set minus the Snort GPLv2 Community Rules + Emerging Threats rule set enabled on the LAN interface.
Should I see 2 snort processes in this configuration, i.e. one snort process per interface? If I have IPv4 and IPv6 enabled on both the interface should I expect to see 4 processes?
Thanks! -
I have IPS Policy ( i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN. And, all rule set minus the Snort GPLv2 Community Rules + Emerging Threats rule set enabled on the LAN interface.
Should I see 2 snort processes in this configuration, i.e. one snort process per interface? If I have IPv4 and IPv6 enabled on both the interface should I expect to see 4 processes?
Thanks!One Snort process per interface. So in your case you should see two Snort processes. There was an issue with the later 2.1 Snapshots where multiple Snort processes per interface were getting kicked off on reboots. That was the result of some changes going on with the pfSense Snapshot code, though. Nothing has changed in the Snort package for a while.
Bill
-
Thanks Bill. There is certainly something wonky going on, on the latest 2.1 snapshots. I have reconfigured snort for just the WAN interface IPv4 (no IPv6). Further, I only have IPS Policy ( i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN. I see four (4) snort processes consuming up to 90% of the 6GB RAM and over 60% of the 16GB swap space.
Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?
-
Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?
You could read through this thread. I already made a note about this a few pages back ;)
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
I have some VMs I can test in. I have a July 4th 2.1 Snapshot that does not exhibit this behavior. I will "snapshot" that VM and then let it upgrade to the latest 2.1 RC snapshot and see what I can determine about the multiple Snort process starts.
I've been letting Snort cook for a while with no package updates for two reasons. First to see how things were performing for users, and to see if the FreeBSD port got updated to the 2.5.x Snort binary. I have a new version of the Snort package ready that implements multiple engine/server configurations for the FRAG3, STREAM5 and HTTP_INSPECT preprocessors.
Bill
-
Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.
pfSenseRocks:
I upgraded a test VM to the latest 2.1RC snapshot. I could not reproduce the multiple processes problem. I have Snort configured on two interfaces for the VM, and I only get two Snort processes. Now I am using my new 2.6.0 package code in the VM. I can try reverting a VM back to the current 2.5.9 package and try again.
Bill
-
That is great news, Bill. Thanks for the update. Let me update to the latest snapshot as well and see if I can reproduce your success.
-
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9 -
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9Looks like you have multiple VLANs on a single interface. I did not test that way. I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.
I have a theory about what could be happening. Unfortunately, if my theory is correct, this may be a hard bug to quash. Let me ponder on it and maybe also set up a VLAN configuration similar to yours. Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?
Bill
-
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
@jflsakfja:
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
I believe that would require to perform the lookups in advance for all IPs, which could overload some low bandwidth connections. I'm getting hundreds of alerts per hour for example. Personally I don't think that is a good idea. If there is a way to store the country IPs in RAM and perform the country lookup there, I'd be fine with that.
Edit: completely missed my mind: The functionality wanted is the exact same functionality offered by the "blue i" button next to IPs in the firewall logs
-
If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…
Making it real easy to see where its coming from?
@jflsakfja:
Hello,
I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.Thank you.
While i understand on a high traffic network with alot of alerts this may not be wanted but to have the option would be fantastic. Maybe something that is enabled or disabled.. Good idea anyways. :-D
-
An option to display all IP's country that can be enabled and the "blue i" button next to the IP in the alerts/blocked tabs disappears when the option is enabled, when it is disabled, the "blue i" button is shown next to IPs (to prevent flooding the network with lookups)? Everybody is happy then ;D
-
I will take a look and see what's possible with regards to the DNS lookups on the Alerts and Blocked tabs. I like the idea of the blue icon and then a pop-up window containing the lookup results when clicked. That is the least I/O intensive procedure.
Bill
-
Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.
[2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
23405 ?? Ss 8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 –pid-path /var/run
24490 ?? SNLs 0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
45765 ?? SNs 0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
46524 ?? Ss 0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47171 ?? SNs 0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
47645 ?? SNs 0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
52671 0 S+ 0:00.00 grep snortVersion 2.1-RC1 (amd64)
built on Mon Aug 19 16:16:39 EDT 2013
FreeBSD 8.3-RELEASE-p9Looks like you have multiple VLANs on a single interface. I did not test that way. I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.
I have a theory about what could be happening. Unfortunately, if my theory is correct, this may be a hard bug to quash. Let me ponder on it and maybe also set up a VLAN configuration similar to yours. Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?
Bill
I have a similar issue. If there rc.start_packages is called, snort doesn't restart correctly. It will create new instances of snort… I've maxed out of resources on my box because of this..
[2.1-RC1][/root(1): ps -ax | grep snort 11617 ?? SNs 0:19.21 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 12256 ?? SNs 9:30.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 18390 ?? SNs 7:23.96 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 42825 ?? SNs 4:17.50 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 56893 ?? SNs 1:41.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort 67712 ?? SNs 1:26.93 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 74458 ?? SNs 0:17.27 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/etc/snort 76099 ?? SNs 3:40.18 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 90876 ?? SNs 1:26.13 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn 93617 ?? SNs 0:05.95 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc 63880 0 S+ 0:00.02 grep snort [2.1-RC1][root@pfsense.cino.homeip.net]/root(2):