Netgate Discussion Forum

Snort 2.9.4.6 Pkg v 2.5.9

    Supermule Banned
    last edited by Aug 9, 2013, 3:27 AM

    Thanks Bill!!

      bmeeks
      last edited by Aug 9, 2013, 8:36 PM

      @Supermule:

      Thanks Bill!!

      You're welcome.  And by the way, I found the problem with the View button not working.  A needed piece of JavaScript code got left out of the PHP page file during the last Snort package update.  I've fixed it in my base code, but I will just wait until the next scheduled update to push the fix out to the production package.  I'm really close to having the next update ready to go anyway.

      Bill

        shinzo
        last edited by Aug 10, 2013, 3:32 PM

        In 2.1 RC1, I notice that the block list gets cleared every time I save a setting in, let's say, Squid.  Also, if I update the firewall rules on the server, it clears the list as well.

          bmeeks
          last edited by Aug 10, 2013, 7:36 PM

          @shinzo:

          In 2.1 RC1, I notice that the block list gets cleared every time I save a setting in, let's say, Squid.  Also, if I update the firewall rules on the server, it clears the list as well.

          Unfortunately this is something that is outside the direct control of the Snort package.  The pfSense core code clears all the packet filter tables when certain key events transpire.  The Snort block table is just a victim of this behavior.  Snort does not have its own independent block table.  It just inserts IP addresses into the packet filter that it wants blocked.

          Bill

            shinzo
            last edited by Aug 10, 2013, 9:32 PM

            Oh, that's fine then.  Just wanted to make sure it wasn't a bug or anything.  As long as things get blocked, then I don't mind the table being flushed out.  I was wondering how the update was coming along and an ETA on it, thanks.

              bmeeks
              last edited by Aug 11, 2013, 5:49 PM

              @shinzo:

              I was wondering how the update was coming along and an ETA on it, thanks.

              The package code changes are done.  I'm doing testing now trying to flush out any little bugs.  The addition of multiple configuration engine support for some of the preprocessors resulted in quite a bit of code being added/edited.  The next version will have multiple configuration support for Frag3, Stream5 and HTTP_Inspect.

              I have sort of been stalling while waiting to see if the Snort port in FreshPorts gets updated to the 2.5 code from 2.9.4.6.  I wanted to include that binary update as well.

              Bill

                Gradius
                last edited by Aug 15, 2013, 7:39 AM

                @bmeeks:

                @Gradius:

                Just want to say the old bug is back again; it bans my OWN IP after a little while of just looking at some normal websites.

                Getting this:
                (http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
                (portscan) TCP Portsweep - 08/05/13-22:48:52
                (ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55

                Is your WAN IP dynamic and frequently changing?  If so, it might be what is causing the problem.  Are you running 2.0.3 or 2.1 pfSense?

                Bill

                Yes, Internet here is 100% dynamic IP whenever I power on/off my xDSL modem.

                2.1-BETA1 (i386)
                built on Wed May 22 08:31:46 EDT 2013
                FreeBSD 8.3-RELEASE-p8

                  bmeeks
                  last edited by Aug 15, 2013, 8:43 PM

                  @Gradius:

                  Yes, Internet here is 100% dynamic IP whenever I power on/off my xDSL modem.

                  2.1-BETA1 (i386)
                  built on Wed May 22 08:31:46 EDT 2013
                  FreeBSD 8.3-RELEASE-p8

                  Snort builds the whitelist during each startup sequence.  When the WAN IP changes, pfSense usually does a good job of restarting things.  When restarted, Snort will correctly detect the new WAN IP and modify the whitelist accordingly assuming WAN IP is checked in the whitelist config (that is the default if you do not change it).  Maybe in the newer 2.1 snapshots something is not working quite right with the auto-restart of packages.

                  A workaround would be to manually enter an Alias containing the IP subnet that your ISP routinely issues WAN IPs to you from.  Then add this Alias to a custom whitelist for the WAN interface.  That way no matter what IP in the block you happen to get, it will be whitelisted.  This is not ideal and really should only be used as a temp workaround.  Hopefully this problem will disappear as the 2.1 snapshots continue to be tweaked.  I can also take a look to see if there is anything that could be done within Snort itself to better detect a WAN IP change.

                  Bill

                    pfSenseRocks
                    last edited by Aug 16, 2013, 4:17 AM

                    I have IPS Policy (i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN, and all rule sets minus the Snort GPLv2 Community Rules + Emerging Threats rule set enabled on the LAN interface.

                    Should I see 2 snort processes in this configuration, i.e. one snort process per interface? If I have IPv4 and IPv6 enabled on both interfaces, should I expect to see 4 processes?
                    Thanks!

                      bmeeks
                      last edited by Aug 16, 2013, 8:27 PM

                      @pfSenseRocks:

                      I have IPS Policy (i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN, and all rule sets minus the Snort GPLv2 Community Rules + Emerging Threats rule set enabled on the LAN interface.

                      Should I see 2 snort processes in this configuration, i.e. one snort process per interface? If I have IPv4 and IPv6 enabled on both interfaces, should I expect to see 4 processes?
                      Thanks!

                      One Snort process per interface.  So in your case you should see two Snort processes.  There was an issue with the later 2.1 Snapshots where multiple Snort processes per interface were getting kicked off on reboots.  That was the result of some changes going on with the pfSense Snapshot code, though.  Nothing has changed in the Snort package for a while.

                      Bill

                        pfSenseRocks
                        last edited by Aug 17, 2013, 6:01 AM

                        Thanks Bill. There is certainly something wonky going on, on the latest 2.1 snapshots. I have reconfigured snort for just the WAN interface IPv4 (no IPv6). Further, I only have IPS Policy ( i.e. Snort GPLv2 Community Rules + Emerging Threats rule set) enabled on the WAN. I see four (4) snort processes consuming up to 90% of the 6GB RAM and over 60% of the 16GB swap space.

                        Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?

                          gogol
                          last edited by Aug 17, 2013, 8:55 AM

                          @pfSenseRocks:

                          Anything I can do (provide logs, traces, additional information) to debug and resolve this issue?

                          You could read through this thread. I already made a note about this a few pages back  ;)

                            pfSenseRocks
                            last edited by Aug 17, 2013, 11:17 PM

                            Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.

                              bmeeks
                              last edited by Aug 19, 2013, 10:45 PM

                              @pfSenseRocks:

                              Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.

                              I have some VMs I can test in. I have a July 4th 2.1 Snapshot that does not exhibit this behavior.  I will "snapshot" that VM and then let it upgrade to the latest 2.1 RC snapshot and see what I can determine about the multiple Snort process starts.

                              I've been letting Snort cook for a while with no package updates for two reasons.  First to see how things were performing for users, and to see if the FreeBSD port got updated to the 2.5.x Snort binary.  I have a new version of the Snort package ready that implements multiple engine/server configurations for the FRAG3, STREAM5 and HTTP_INSPECT preprocessors.

                              Bill

                                bmeeks
                                last edited by Aug 20, 2013, 12:00 AM

                                @pfSenseRocks:

                                Thank you for the workaround. I was offering up any help I can provide (since I have a 100% & consistent repro) to debug this issue and solve it rather than just working around it.

                                pfSenseRocks:

                                I upgraded a test VM to the latest 2.1RC snapshot.  I could not reproduce the multiple processes problem.  I have Snort configured on two interfaces for the VM, and I only get two Snort processes.  Now I am using my new 2.6.0 package code in the VM.  I can try reverting a VM back to the current 2.5.9 package and try again.

                                Bill

                                  pfSenseRocks
                                  last edited by Aug 20, 2013, 2:34 PM

                                  That is great news, Bill. Thanks for the update. Let me update to the latest snapshot as well and see if I can reproduce your success.

                                    pfSenseRocks
                                    last edited by Aug 22, 2013, 2:22 AM

                                    Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.

                                    [2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
                                    23405  ??  Ss    8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                    24490  ??  SNLs  0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                    45765  ??  SNs    0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                    46524  ??  Ss    0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                    47171  ??  SNs    0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                    47645  ??  SNs    0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                    52671  0  S+    0:00.00 grep snort

                                    Version 2.1-RC1  (amd64)
                                    built on Mon Aug 19 16:16:39 EDT 2013
                                    FreeBSD 8.3-RELEASE-p9

                                      bmeeks
                                      last edited by Aug 22, 2013, 10:19 PM Aug 22, 2013, 10:13 PM

                                      @pfSenseRocks:

                                      Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.

                                      [2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
                                      23405  ??  Ss    8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                      24490  ??  SNLs  0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                      45765  ??  SNs    0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                      46524  ??  Ss    0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                      47171  ??  SNs    0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                      47645  ??  SNs    0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                      52671  0  S+    0:00.00 grep snort

                                      Version 2.1-RC1  (amd64)
                                      built on Mon Aug 19 16:16:39 EDT 2013
                                      FreeBSD 8.3-RELEASE-p9

                                      Looks like you have multiple VLANs on a single interface.  I did not test that way.  I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.

                                      I have a theory about what could be happening.  Unfortunately, if my theory is correct, this may be a hard bug to quash.  Let me ponder on it and maybe also set up a VLAN configuration similar to yours.  Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?

                                      Bill

                                        A Former User
                                        last edited by Aug 24, 2013, 8:52 AM

                                        Hello,
                                        I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.

                                        Thank you.

                                          Supermule Banned
                                          last edited by Aug 24, 2013, 8:56 AM

                                          If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…

                                          Making it real easy to see where it's coming from?

                                          @jflsakfja:

                                          Hello,
                                          I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.

                                          Thank you.

                                            A Former User
                                            last edited by Aug 24, 2013, 9:19 AM Aug 24, 2013, 9:07 AM

                                            @Supermule:

                                            If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…

                                            Making it real easy to see where it's coming from?

                                            I believe that would require performing the lookups in advance for all IPs, which could overload some low-bandwidth connections. I'm getting hundreds of alerts per hour, for example. Personally I don't think that is a good idea. If there is a way to store the country IPs in RAM and perform the country lookup there, I'd be fine with that.

                                            Edit: completely slipped my mind: the functionality wanted is the exact same functionality offered by the "blue i" button next to IPs in the firewall logs.

                                              kilthro
                                              last edited by Aug 24, 2013, 10:46 AM

                                              @Supermule:

                                              If I may add a feature for DNS lookup. A country flag next to the IP in the alerts and blocked tab…

                                              Making it real easy to see where it's coming from?

                                              @jflsakfja:

                                              Hello,
                                              I have a small feature request. Would it be possible for the alerts tab to have a DNS lookup button under IPs shown (both source and destination) that opens a new tab and performs the same function as looking up an IP in Diagnostics>DNS lookup and displaying the results? Performing DNS lookups for all IPs showing up on alerts is not wanted or encouraged, just specific IPs. Saves me having to manually copy+paste the IP in DNS lookup.

                                              Thank you.

                                              While I understand on a high-traffic network with a lot of alerts this may not be wanted, to have the option would be fantastic. Maybe something that is enabled or disabled. Good idea anyway. :-D

                                                A Former User
                                                last edited by Aug 24, 2013, 10:57 AM

                                                An option to display all IP's country that can be enabled and the "blue i" button next to the IP in the alerts/blocked tabs disappears when the option is enabled, when it is disabled, the "blue i" button is shown next to IPs (to prevent flooding the network with lookups)? Everybody is happy then  ;D

                                                  bmeeks
                                                  last edited by Aug 25, 2013, 4:07 PM

                                                  I will take a look and see what's possible with regards to the DNS lookups on the Alerts and Blocked tabs.  I like the idea of the blue icon and then a pop-up window containing the lookup results when clicked.  That is the least I/O intensive procedure.

                                                  Bill

                                                    Cino
                                                    last edited by Aug 26, 2013, 6:32 PM

                                                    @bmeeks:

                                                    @pfSenseRocks:

                                                    Unfortunately, I still reproduce the problem. Usually occurs after snort restarts after downloading new rules.

                                                    [2.1-RC1][admin@sense.home]/root(1): ps -ax | grep snort
                                                    23405  ??  Ss    8:25.86 /usr/pbi/snort-amd64/bin/snort -R 56048 -E -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                                    24490  ??  SNLs  0:28.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                                    45765  ??  SNs    0:29.51 /usr/pbi/snort-amd64/bin/snort -R 56048 -D -q -l /var/log/snort/snort_em0_vlan1056048 --pid-path /var/run
                                                    46524  ??  Ss    0:03.79 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                                    47171  ??  SNs    0:03.70 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                                    47645  ??  SNs    0:03.76 /usr/pbi/snort-amd64/bin/snort -R 40477 -D -q -l /var/log/snort/snort_em0_vlan1140477 --pid-path /var/run
                                                    52671  0  S+    0:00.00 grep snort

                                                    Version 2.1-RC1  (amd64)
                                                    built on Mon Aug 19 16:16:39 EDT 2013
                                                    FreeBSD 8.3-RELEASE-p9

                                                    Looks like you have multiple VLANs on a single interface.  I did not test that way.  I have just single IP blocks on each of my three interfaces, and I get only single instances of Snort per interface.

                                                    I have a theory about what could be happening.  Unfortunately, if my theory is correct, this may be a hard bug to quash.  Let me ponder on it and maybe also set up a VLAN configuration similar to yours.  Without giving away too much private information, can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?

                                                    Bill

                                                    I have a similar issue. If rc.start_packages is called, snort doesn't restart correctly. It will create new instances of snort… I've maxed out the resources on my box because of this.

                                                    
                                                    [2.1-RC1][/root(1): ps -ax | grep snort
                                                    11617  ??  SNs    0:19.21 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc
                                                    12256  ??  SNs    9:30.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort
                                                    18390  ??  SNs    7:23.96 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn
                                                    42825  ??  SNs    4:17.50 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort
                                                    56893  ??  SNs    1:41.06 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort
                                                    67712  ??  SNs    1:26.93 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc
                                                    74458  ??  SNs    0:17.27 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/etc/snort
                                                    76099  ??  SNs    3:40.18 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn
                                                    90876  ??  SNs    1:26.13 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/snort/sn
                                                    93617  ??  SNs    0:05.95 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i386/etc
                                                    63880   0  S+     0:00.02 grep snort
                                                    [2.1-RC1][root@pfsense.cino.homeip.net]/root(2):
                                                    
                                                    
                                                    1 Reply Last reply Reply Quote 0
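The duplicate-instance condition in the `ps` listings above can be checked mechanically. The script below is an added example, not part of the thread or of the Snort package: it groups Snort processes by the log directory passed to `-l` and reports any directory served by more than one process. It assumes that directory is unique per configured Snort interface, as in the listings above; the function names and the sample `ps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Snort interfaces that have more than one running process.
# Expected state per the thread: exactly one Snort process per interface.
# Assumption: the directory given to "-l" identifies one configured interface.

# Constructed sample in `ps -ax` layout (PID TT STAT TIME COMMAND).
sample_ps() {
    cat <<'EOF'
23405  ??  Ss     8:25.86 /usr/pbi/snort-amd64/bin/snort -R 11111 -D -q -l /var/log/snort/snort_em0_vlan1011111 --pid-path /var/run
24490  ??  SNs    0:28.51 /usr/pbi/snort-amd64/bin/snort -R 11111 -D -q -l /var/log/snort/snort_em0_vlan1011111 --pid-path /var/run
46524  ??  Ss     0:03.79 /usr/pbi/snort-amd64/bin/snort -R 22222 -D -q -l /var/log/snort/snort_em122222 --pid-path /var/run
52671   0  S+     0:00.00 grep snort
EOF
}

# Read ps lines on stdin; print "<logdir> <pid>" for each Snort process.
# Matching on field 5 (the executable path) skips the "grep snort" line.
snort_instances() {
    awk '
        $5 ~ /\/snort$/ {
            for (i = 6; i < NF; i++)
                if ($i == "-l") { print $(i + 1), $1; break }
        }'
}

# Print "<logdir> <count> <pid,pid,...>" for every log directory that is
# served by more than one process. Prints nothing when the state is healthy.
snort_dupes() {
    snort_instances | sort -k1,1 -k2,2n | awk '
        {
            n[$1]++
            pids[$1] = (pids[$1] == "" ? $2 : pids[$1] "," $2)
        }
        END {
            for (k in n)
                if (n[k] > 1) print k, n[k], pids[k]
        }' | sort
}

# Return 0 when every interface has a single process, 1 otherwise.
# Suitable for a cron job or monitoring probe that alerts on non-zero status.
snort_check() {
    dupes=$(snort_dupes)
    [ -z "$dupes" ] && return 0
    printf '%s\n' "$dupes" | while read -r dir count pids; do
        printf 'WARNING: %s Snort processes share %s (PIDs %s)\n' \
            "$count" "$dir" "$pids"
    done
    return 1
}

# Demo on the constructed sample. On a live firewall, feed real output
# instead; -ww keeps ps from truncating the command line before "-l":
#   ps -axww | snort_check
sample_ps | snort_check || true
```

Running the check right after a rules update or a WAN address change covers the two events the posters associate with the extra processes.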
                                                    • P
                                                      pfSenseRocks
                                                      last edited by Aug 26, 2013, 8:19 PM

                                                      can you post a high-level description of how your Snort interfaces are configured in terms of VLANs (number per interface, etc.)?

                                                      Sorry about the tardy response, Bill. I have been traveling with intermittent to no internet connectivity.

                                                      Here's my config on pfSense:

                                                      VLAN10  WAN
                                                      VLAN11  LAN
                                                      VLAN12  GAN  // Guest LAN

                                                      snort:
                                                      WAN IPS security profile
                                                      LAN  All other categories that aren't included in security profile

                                                      Both interfaces are configured for AC.

                                                      Sorry about the incomplete info. I am reciting from memory.

                                                        bmeeks
                                                        last edited by Aug 27, 2013, 11:50 PM

                                                        Cino and pfSenseRocks:

                                                        Thank you for the feedback on the multiple instances problem.  I will be tied up the next few days on some business and then personal stuff, so it will be after the U.S. Labor Day Holiday (September 2nd) before I can devote a lot of time to researching this issue.  The hint about rc.start_packages is helpful.  I will see if I can get to the bottom of the problem, though.  Different manifestations of what are probably the same underlying bug have shown up over the last year with Snort and restarts.  Sometimes it seems to be fixed, and then it pops up again.  Obviously we have not yet found the true root cause.

                                                        Bill

                                                          Cino
                                                          last edited by Aug 28, 2013, 3:00 PM

                                                          Bill,

                                                          For a test to grab clean logs of the issue, I bounced my cable modem. Hope this helps, and enjoy Labor Day… I know I will.

                                                          GW Log

                                                          
                                                          Aug 28 10:41:13 	apinger: SIGHUP received, reloading configuration.
                                                          Aug 28 10:41:13 	apinger: SIGHUP received, reloading configuration.
                                                          Aug 28 10:40:58 	apinger: SIGHUP received, reloading configuration.
                                                          Aug 28 10:40:09 	apinger: alarm canceled (config reload): WAN_DHCP(X.X.208.1) *** WAN_DHCPdown ***
                                                          Aug 28 10:40:09 	apinger: SIGHUP received, reloading configuration.
                                                          Aug 28 10:39:53 	apinger: ALARM: WAN_DHCP(X.X.208.1) *** WAN_DHCPdown ***
                                                          
                                                          

                                                          System Log

                                                          
                                                          Aug 28 10:47:25 	sshd[6872]: Accepted keyboard-interactive/pam for root from 192.168.200.6 port 28523 ssh2
                                                          Aug 28 10:43:28 	SnortStartup[11968]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)...
                                                          Aug 28 10:43:22 	SnortStartup[10757]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)...
                                                          Aug 28 10:43:19 	kernel: em2: promiscuous mode enabled
                                                          Aug 28 10:43:11 	SnortStartup[9674]: Snort START for LAN Alerting(5622_em2)...
                                                          Aug 28 10:43:09 	SnortStartup[8925]: Snort SOFT RESTART for WAN Alerting(59292_em3)...
                                                          Aug 28 10:43:02 	SnortStartup[7961]: Snort START for LAN Alerting(5622_em2)...
                                                          Aug 28 10:42:58 	SnortStartup[6717]: Snort START for WAN Alerting(59292_em3)...
                                                          Aug 28 10:42:57 	kernel: em3: promiscuous mode enabled
                                                          Aug 28 10:42:45 	SnortStartup[67423]: Snort START for WAN Blocking(60770_em3)...
                                                          Aug 28 10:42:38 	kernel: em2: promiscuous mode disabled
                                                          Aug 28 10:42:37 	snort[9920]: *** Caught Term-Signal
                                                          Aug 28 10:42:36 	SnortStartup[64481]: Snort STOP for LAN Alerting(5622_em2)...
                                                          Aug 28 10:42:33 	SnortStartup[60383]: Snort START for WAN Blocking(60770_em3)...
                                                          Aug 28 10:42:31 	SnortStartup[57262]: Snort START for WLAN Guest Alerting(63656_em0_vlan5)...
                                                          Aug 28 10:42:28 	kernel: em2: promiscuous mode enabled
                                                          Aug 28 10:42:24 	kernel: em3: promiscuous mode disabled
                                                          Aug 28 10:42:24 	snort[73635]: *** Caught Term-Signal
                                                          Aug 28 10:42:23 	SnortStartup[5755]: Snort STOP for WAN Alerting(59292_em3)...
                                                          Aug 28 10:42:20 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:20 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:20 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:20 	bandwidthd: Opening em2
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 8648 records
                                                          Aug 28 10:42:20 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:20 	bandwidthd: Opening em2
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 1761 records
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.1.0.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 4016 records
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.1.1.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 4015 records
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.2.0.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 1131 records
                                                          Aug 28 10:42:20 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:20 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:20 	bandwidthd: Opening em2
                                                          Aug 28 10:42:20 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:20 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:42:20 	bandwidthd: Opening em2
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:42:20 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:42:20 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:42:19 	snort[63368]: *** Caught Term-Signal
                                                          Aug 28 10:42:18 	SnortStartup[1275]: Snort STOP for WAN Blocking(60770_em3)...
                                                          Aug 28 10:42:18 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:42:18 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:42:18 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:42:18 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:18 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:18 	bandwidthd: Opening em2
                                                          Aug 28 10:42:18 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:42:18 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:42:18 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:42:18 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:42:18 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:42:18 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:42:18 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:42:16 	php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
                                                          Aug 28 10:42:14 	squid[78388]: Squid Parent: (squid-1) process 78602 started
                                                          Aug 28 10:42:14 	squid[78388]: Squid Parent: will start 1 kids
                                                          Aug 28 10:42:14 	squid[77880]: Squid Parent: (squid-1) process 78063 started
                                                          Aug 28 10:42:13 	squid[77880]: Squid Parent: will start 1 kids
                                                          Aug 28 10:42:11 	squid[57908]: Squid Parent: (squid-1) process 58242 exited with status 0
                                                          Aug 28 10:42:10 	squid[60746]: Squid Parent: (squid-1) process 61166 exited with status 0
                                                          Aug 28 10:42:10 	SnortStartup[74072]: Snort START for LAN Alerting(5622_em2)...
                                                          Aug 28 10:42:07 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:07 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:07 	bandwidthd: Opening em2
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 8648 records
                                                          Aug 28 10:42:07 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:07 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:07 	bandwidthd: Opening em2
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 1761 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.1.0.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 4016 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.2.0.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 1131 records
                                                          Aug 28 10:42:07 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:07 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:07 	bandwidthd: Opening em2
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.1.1.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 4015 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:07 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:07 	bandwidthd: Opening em2
                                                          Aug 28 10:42:07 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:42:07 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:42:07 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:42:06 	SnortStartup[70343]: Snort START for WAN Alerting(59292_em3)...
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:06 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:42:05 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:05 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:05 	bandwidthd: Opening em2
                                                          Aug 28 10:42:05 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:42:05 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:42:05 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:42:05 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:42:05 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:42:05 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:42:05 	bandwidthd: Opening em2
                                                          Aug 28 10:42:05 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:42:05 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:42:05 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:42:05 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:42:05 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:42:05 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:42:04 	kernel: em3: promiscuous mode enabled
                                                          Aug 28 10:42:03 	php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
                                                          Aug 28 10:42:03 	check_reload_status: Syncing firewall
                                                          Aug 28 10:42:01 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:42:01 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:42:01 	squid[60746]: Squid Parent: (squid-1) process 61166 started
                                                          Aug 28 10:42:01 	squid[60746]: Squid Parent: will start 1 kids
                                                          Aug 28 10:42:01 	squid[57908]: Squid Parent: (squid-1) process 58242 started
                                                          Aug 28 10:42:01 	squid[57908]: Squid Parent: will start 1 kids
                                                          Aug 28 10:42:00 	upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost established
                                                          Aug 28 10:42:00 	upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:41:59 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:59 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:59 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:59 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:58 	squid[33548]: Squid Parent: (squid-1) process 33781 exited with status 0
                                                          Aug 28 10:41:58 	squid[32797]: Squid Parent: (squid-1) process 33693 exited with status 0
                                                          Aug 28 10:41:57 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:41:57 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:41:55 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:41:55 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:41:55 	upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost lost
                                                          Aug 28 10:41:55 	upsmon[42711]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted
                                                          Aug 28 10:41:54 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:54 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:54 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:54 	php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
                                                          Aug 28 10:41:54 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:53 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:41:50 	upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:41:50 	upsmon[42403]: Startup successful
                                                          Aug 28 10:41:50 	upsd[42078]: Startup successful
                                                          Aug 28 10:41:50 	upsd[41895]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
                                                          Aug 28 10:41:50 	upsd[41895]: listening on 127.0.0.1 port 3493
                                                          Aug 28 10:41:50 	upsd[41895]: listening on ::1 port 3493
                                                          Aug 28 10:41:50 	usbhid-ups[41650]: Startup successful
                                                          Aug 28 10:41:49 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:41:49 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:41:47 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:47 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:47 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:47 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:41:45 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:41:45 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:41:44 	usbhid-ups[81311]: Signal 15: exiting
                                                          Aug 28 10:41:44 	upsd[81483]: Signal 15: exiting
                                                          Aug 28 10:41:44 	upsd[81483]: mainloop: Interrupted system call
                                                          Aug 28 10:41:43 	upsd[81483]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:41:43 	upsmon[82138]: Signal 15: exiting
                                                          Aug 28 10:41:43 	kernel: em0_vlan5: promiscuous mode enabled
                                                          Aug 28 10:41:43 	kernel: em0: promiscuous mode enabled
                                                          Aug 28 10:41:42 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:41:42 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:41:41 	SnortStartup[91233]: Snort START for WAN Blocking(60770_em3)...
                                                          Aug 28 10:41:41 	kernel: em0_vlan5: promiscuous mode disabled
                                                          Aug 28 10:41:41 	kernel: em0: promiscuous mode disabled
                                                          Aug 28 10:41:37 	upsd[81483]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:41:37 	upsmon[81868]: Startup successful
                                                          Aug 28 10:41:37 	upsd[81483]: Startup successful
                                                          Aug 28 10:41:37 	upsd[81321]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
                                                          Aug 28 10:41:37 	upsd[81321]: listening on 127.0.0.1 port 3493
                                                          Aug 28 10:41:37 	upsd[81321]: listening on ::1 port 3493
                                                          Aug 28 10:41:37 	usbhid-ups[81311]: Startup successful
                                                          Aug 28 10:41:36 	check_reload_status: Syncing firewall
                                                          Aug 28 10:41:36 	snort[81642]: *** Caught Term-Signal
                                                          Aug 28 10:41:35 	SnortStartup[78667]: Snort STOP for WLAN Guest Alerting(63656_em0_vlan5)...
                                                          Aug 28 10:41:32 	usbhid-ups[60672]: Signal 15: exiting
                                                          Aug 28 10:41:32 	upsd[61343]: Signal 15: exiting
                                                          Aug 28 10:41:32 	upsd[61343]: mainloop: Interrupted system call
                                                          Aug 28 10:41:32 	upsd[61343]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:41:32 	upsmon[61642]: Signal 15: exiting
                                                          Aug 28 10:41:31 	kernel: em2: promiscuous mode disabled
                                                          Aug 28 10:41:31 	snort[57737]: *** Caught Term-Signal
                                                          Aug 28 10:41:31 	SnortStartup[67098]: Snort STOP for LAN Alerting(5622_em2)...
                                                          Aug 28 10:41:28 	php: rc.start_packages: Restarting/Starting all packages.
                                                          Aug 28 10:41:28 	kernel: em3: promiscuous mode disabled
                                                          Aug 28 10:41:28 	snort[56544]: *** Caught Term-Signal
                                                          Aug 28 10:41:27 	SnortStartup[59861]: Snort STOP for WAN Alerting(59292_em3)...
                                                          Aug 28 10:41:24 	snort[53396]: *** Caught Term-Signal
                                                          Aug 28 10:41:23 	SnortStartup[56750]: Snort STOP for WAN Blocking(60770_em3)...
                                                          Aug 28 10:41:21 	php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages.
                                                          Aug 28 10:41:21 	php: rc.newwanip: pfSense package system has detected an ip change 192.168.200.1 -> 192.168.200.1 ... Restarting packages.
                                                          Aug 28 10:41:19 	php: rc.newwanip: Creating rrd update script
                                                          Aug 28 10:41:18 	php: rc.newwanip: Creating rrd update script
                                                          Aug 28 10:41:15 	php: rc.start_packages: Restarting/Starting all packages.
                                                          Aug 28 10:41:13 	php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2).
                                                          Aug 28 10:41:13 	php: rc.newwanip: rc.newwanip: Informational is starting ovpns2.
                                                          Aug 28 10:41:13 	php: rc.newwanip: rc.newwanip: on (IP address: 192.168.200.1) (interface: opt1) (real interface: ovpns1).
                                                          Aug 28 10:41:13 	php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
                                                          Aug 28 10:41:13 	ntpd_intres[52667]: ntpd exiting on signal 15
                                                          Aug 28 10:41:12 	check_reload_status: Starting packages
                                                          Aug 28 10:41:12 	php: rc.newwanip: pfSense package system has detected an ip change x.x.210.112 -> x.x.210.112 ... Restarting packages.
                                                          Aug 28 10:41:10 	check_reload_status: rc.newwanip starting ovpns2
                                                          Aug 28 10:41:10 	kernel: ovpns2: link state changed to UP
                                                          Aug 28 10:41:10 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:10 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:10 	bandwidthd: Opening em2
                                                          Aug 28 10:41:10 	php: rc.newwanip: Creating rrd update script
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 1761 records
                                                          Aug 28 10:41:10 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:10 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:10 	bandwidthd: Opening em2
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 8648 records
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.1.0.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 4016 records
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.1.1.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 4015 records
                                                          Aug 28 10:41:10 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:10 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:10 	bandwidthd: Opening em2
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.2.0.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 1131 records
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:41:10 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:10 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:10 	bandwidthd: Opening em2
                                                          Aug 28 10:41:10 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:41:10 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:41:10 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:41:10 	check_reload_status: rc.newwanip starting ovpns1
                                                          Aug 28 10:41:10 	kernel: ovpns2: link state changed to DOWN
                                                          Aug 28 10:41:10 	kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error
                                                          Aug 28 10:41:10 	kernel: ovpns1: link state changed to UP
                                                          Aug 28 10:41:10 	check_reload_status: Reloading filter
                                                          Aug 28 10:41:10 	php: rc.newwanip: Resyncing OpenVPN instances for interface WAN.
                                                          Aug 28 10:41:08 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:08 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:08 	bandwidthd: Opening em2
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 8648 records
                                                          Aug 28 10:41:08 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:08 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:08 	bandwidthd: Opening em2
                                                          Aug 28 10:41:08 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 1761 records
                                                          Aug 28 10:41:08 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.1.0.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Opening em2
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 4016 records
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 2696 records
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.1.1.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.3.0.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 4015 records
                                                          Aug 28 10:41:08 	bandwidthd: Drawing initial graphs
                                                          Aug 28 10:41:08 	bandwidthd: Packet Encoding: Ethernet
                                                          Aug 28 10:41:08 	bandwidthd: Opening em2
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 123 records
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.4.0.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.2.0.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 1131 records
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.2.1.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Finished recovering 1208 records
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.1.2.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Recovering from log.2.2.cdf
                                                          Aug 28 10:41:08 	bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
                                                          Aug 28 10:41:08 	bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
                                                          Aug 28 10:41:08 	php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
                                                          Aug 28 10:41:06 	php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
                                                          Aug 28 10:41:06 	check_reload_status: Syncing firewall
                                                          Aug 28 10:41:05 	lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
                                                          Aug 28 10:41:04 	squid[33548]: Squid Parent: (squid-1) process 33781 started
                                                          Aug 28 10:41:04 	squid[32797]: Squid Parent: (squid-1) process 33693 started
                                                          Aug 28 10:41:04 	squid[33548]: Squid Parent: will start 1 kids
                                                          Aug 28 10:41:04 	squid[32797]: Squid Parent: will start 1 kids
                                                          Aug 28 10:41:01 	php: rc.start_packages: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was ''
                                                          Aug 28 10:41:01 	squid[80084]: Squid Parent: (squid-1) process 80621 exited with status 0
                                                          Aug 28 10:41:01 	check_reload_status: updating dyndns wan
                                                          Aug 28 10:41:01 	squid[80808]: Squid Parent: (squid-1) process 81403 exited with status 0
                                                          Aug 28 10:40:59 	dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
                                                          Aug 28 10:40:58 	php: rc.newwanip: ROUTING: setting default route to x.x.208.1
                                                          Aug 28 10:40:58 	php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:58 	kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
                                                          Aug 28 10:40:58 	php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:58 	php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:40:58 	php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:40:58 	php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:58 	dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
                                                          Aug 28 10:40:58 	kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
                                                          Aug 28 10:40:58 	kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
                                                          Aug 28 10:40:58 	php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:58 	php: rc.newwanip: rc.newwanip: on (IP address: x.x.210.112) (interface: wan) (real interface: em3).
                                                          Aug 28 10:40:58 	php: rc.newwanip: rc.newwanip: Informational is starting em3.
                                                          Aug 28 10:40:57 	lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	php: rc.linkup: ROUTING: setting default route to x.x.208.1
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	kernel: if_rtdel: error 3
                                                          Aug 28 10:40:56 	kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
                                                          Aug 28 10:40:56 	kernel:
                                                          Aug 28 10:40:56 	php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:56 	check_reload_status: rc.newwanip starting em3
                                                          Aug 28 10:40:56 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:55 	php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
                                                          Aug 28 10:40:54 	upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost established
                                                          Aug 28 10:40:54 	upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:40:51 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:40:51 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
                                                          Aug 28 10:40:49 	upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost lost
                                                          Aug 28 10:40:49 	upsmon[61642]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted
                                                          Aug 28 10:40:49 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:40:49 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:40:49 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:40:49 	php: rc.start_packages: No pfBlocker action during boot process.
                                                          Aug 28 10:40:47 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:40:47 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
                                                          Aug 28 10:40:45 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:40:45 	php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:42 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:39 	upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:40:39 	upsmon[61581]: Startup successful
                                                          Aug 28 10:40:39 	upsd[61343]: Startup successful
                                                          Aug 28 10:40:39 	upsd[61014]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
                                                          Aug 28 10:40:39 	upsd[61014]: listening on 127.0.0.1 port 3493
                                                          Aug 28 10:40:39 	upsd[61014]: listening on ::1 port 3493
                                                          Aug 28 10:40:39 	usbhid-ups[60672]: Startup successful
                                                          Aug 28 10:40:37 	ntpd_intres[52667]: host name not found: 3.pool.ntp.org
                                                          Aug 28 10:40:37 	ntpd_intres[52667]: host name not found: 2.pool.ntp.org
                                                          Aug 28 10:40:37 	ntpd_intres[52667]: host name not found: 1.pool.ntp.org
                                                          Aug 28 10:40:37 	ntpd_intres[52667]: host name not found: 0.pool.ntp.org
                                                          Aug 28 10:40:36 	php: rc.filter_configure_sync: Message sent to cino@com OK
                                                          Aug 28 10:40:34 	usbhid-ups[46776]: Signal 15: exiting
                                                          Aug 28 10:40:34 	upsd[46865]: Signal 15: exiting
                                                          Aug 28 10:40:34 	upsd[46865]: mainloop: Interrupted system call
                                                          Aug 28 10:40:34 	upsd[46865]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
                                                          Aug 28 10:40:34 	upsmon[46997]: Signal 15: exiting
                                                          Aug 28 10:40:31 	dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
                                                          Aug 28 10:40:31 	php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCADDALTQ: Device busy - The line in question reads [0]:
                                                          Aug 28 10:40:30 	php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:40:30 	php: rc.linkup: HOTPLUG: Configuring interface wan
                                                          Aug 28 10:40:30 	php: rc.linkup: DEVD Ethernet attached event for wan
                                                          Aug 28 10:40:28 	kernel: rn_addmask: mask impossibly already in tree
                                                          Aug 28 10:40:28 	php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:28 	check_reload_status: updating dyndns wan
                                                          Aug 28 10:40:28 	php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
                                                          Aug 28 10:40:28 	php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was ''
                                                          Aug 28 10:40:28 	php: rc.linkup: DEVD Ethernet detached event for wan
                                                          Aug 28 10:40:27 	check_reload_status: Syncing firewall
                                                          Aug 28 10:40:27 	kernel: em3: link state changed to UP
                                                          Aug 28 10:40:27 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:40:25 	dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
                                                          Aug 28 10:40:25 	php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:40:25 	php: rc.linkup: HOTPLUG: Configuring interface wan
                                                          Aug 28 10:40:25 	php: rc.linkup: DEVD Ethernet attached event for wan
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:24 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:23 	kernel: em3: link state changed to DOWN
                                                          Aug 28 10:40:23 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:40:22 	kernel: em3: link state changed to UP
                                                          Aug 28 10:40:22 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:40:22 	php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:40:22 	php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
                                                          Aug 28 10:40:22 	php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was ''
                                                          Aug 28 10:40:22 	php: rc.linkup: DEVD Ethernet detached event for wan
                                                          Aug 28 10:40:19 	kernel: em3: link state changed to DOWN
                                                          Aug 28 10:40:19 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:40:19 	sshd[37303]: fatal: Write failed: Operation not permitted
                                                          Aug 28 10:40:19 	sshd[37303]: fatal: Write failed: Operation not permitted
                                                          Aug 28 10:40:19 	php: rc.start_packages: Restarting/Starting all packages.
                                                          Aug 28 10:40:17 	sshlockout[6346]: sshlockout/webConfigurator v3.0 starting up
                                                          Aug 28 10:40:17 	sshd[53059]: fatal: Write failed: Operation not permitted
                                                          Aug 28 10:40:17 	sshd[53059]: fatal: Write failed: Operation not permitted
                                                          Aug 28 10:40:16 	check_reload_status: Starting packages
                                                          Aug 28 10:40:16 	php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages.
                                                          Aug 28 10:40:14 	php: rc.newwanip: Creating rrd update script
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:11 	php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                                                          Aug 28 10:40:09 	php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2).
                                                          Aug 28 10:40:09 	php: rc.newwanip: rc.newwanip: Informational is starting ovpns2.
                                                          Aug 28 10:40:06 	check_reload_status: rc.newwanip starting ovpns2
                                                          Aug 28 10:40:06 	kernel: ovpns2: link state changed to UP
                                                          Aug 28 10:40:06 	kernel: ovpns2: link state changed to DOWN
                                                          Aug 28 10:40:06 	kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error
                                                          Aug 28 10:40:06 	php: rc.openvpn: OpenVPN: Resync server2 Site-to-Site VPN
                                                          Aug 28 10:40:06 	kernel: ovpns1: link state changed to DOWN
                                                          Aug 28 10:40:06 	kernel: arpresolve: can't allocate llinfo for x.x.208.1
                                                          Aug 28 10:40:05 	php: rc.openvpn: OpenVPN: Resync server1 Road Warrior OpenVPN
                                                          Aug 28 10:40:05 	php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                                                          Aug 28 10:40:03 	check_reload_status: Reloading filter
                                                          Aug 28 10:40:03 	check_reload_status: Restarting OpenVPN tunnels/interfaces
                                                          Aug 28 10:40:03 	check_reload_status: Restarting ipsec tunnels
                                                          Aug 28 10:40:03 	check_reload_status: updating dyndns WAN_DHCP
                                                          Aug 28 10:39:55 	kernel: arpresolve: can't allocate llinfo for x.x.208.1
                                                          Aug 28 10:39:50 	check_reload_status: updating dyndns wan
                                                          Aug 28 10:39:47 	dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
                                                          Aug 28 10:39:47 	php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:39:47 	php: rc.linkup: HOTPLUG: Configuring interface wan
                                                          Aug 28 10:39:47 	php: rc.linkup: DEVD Ethernet attached event for wan
                                                          Aug 28 10:39:45 	kernel: arpresolve: can't allocate llinfo for x.x.208.1
                                                          Aug 28 10:39:45 	kernel: em3: link state changed to UP
                                                          Aug 28 10:39:45 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:39:44 	php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
                                                          Aug 28 10:39:44 	php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
                                                          Aug 28 10:39:44 	php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was ''
                                                          Aug 28 10:39:44 	php: rc.linkup: DEVD Ethernet detached event for wan
                                                          Aug 28 10:39:42 	kernel: em3: link state changed to DOWN
                                                          Aug 28 10:39:42 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:39:35 	kernel: arpresolve: can't allocate llinfo for x.x.208.1
                                                          Aug 28 10:39:31 	php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
                                                          Aug 28 10:39:31 	php: rc.linkup: HOTPLUG: Configuring interface wan
                                                          Aug 28 10:39:31 	php: rc.linkup: DEVD Ethernet attached event for wan
                                                          Aug 28 10:39:29 	php: rc.linkup: Clearing states to old gateway x.x.208.1.
                                                          Aug 28 10:39:29 	kernel: em3: link state changed to UP
                                                          Aug 28 10:39:29 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:39:28 	php: rc.linkup: DEVD Ethernet detached event for wan
                                                          Aug 28 10:39:26 	kernel: em3: link state changed to DOWN
                                                          Aug 28 10:39:26 	check_reload_status: Linkup starting em3
                                                          Aug 28 10:29:46 	syslogd: kernel boot file is /boot/kernel/kernel
                                                          
                                                          

                                                          Snort Processes after WAN interface was bounced

                                                          
                                                          root    4146  0.3  3.7 376720 114452  ??  SNs  10:42AM   0:01.01 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et
                                                          root    8189  0.1  3.7 376720 114308  ??  SNs  10:43AM   0:01.03 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et
                                                          root    7005  0.0  1.6 317552 48632  ??  SNs  10:43AM   0:00.36 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/et
                                                          root    9784  0.0  2.9 360560 91932  ??  SNs  10:43AM   0:00.69 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s
                                                          root   11440  0.0  2.9 360560 92036  ??  SNs  10:43AM   0:00.70 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s
                                                          root   70314  0.0  2.9 359584 91004  ??  SNs  10:42AM   0:00.07 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i
                                                          
                                                          

                                                          snort_em360770 WAN Blocking
                                                          snort_em359292 WAN Alerting
                                                          snort_em25622 LAN Alerting
                                                          snort_em0_vlan563656 Guest WiFi Alerting

                                                          Stephen

                                                          • bmeeksB
                                                            bmeeks
                                                            last edited by Aug 29, 2013, 12:16 AM

                                                            @Cino:

                                                            Bill,

                                                            For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be

                                                            Stephen

                                                            Thanks!  These logs sure do help.  I'm thinking VLANs are somehow the culprit.  I don't have any defined on my systems, and I do not see the multiple processes.  So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces.  I'm taking that as a good indicator of where to start looking… ;)

                                                            Bill

                                                            • C
                                                              Cino
                                                              last edited by Aug 29, 2013, 1:21 AM

                                                              @bmeeks:

                                                              @Cino:

                                                              Bill,

                                                              For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be

                                                              Stephen

                                                              Thanks!  These logs sure do help.  I'm thinking VLANs are somehow the culprit.  I don't have any defined on my systems, and I do not see the multiple processes.  So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces.  I'm taking that as a good indicator of where to start looking… ;)

                                                              Bill

                                                              You're welcome, and thank you for the many updates to this fine package. Only 1 of my sensors is a VLAN. I'm going to disable it and see if that changes anything… If that doesn't, I'll remove the config... Can't remove the VLAN interface itself without redoing a lot of work, so it will have to stay.

                                                              • G
                                                                gogol
                                                                last edited by Aug 29, 2013, 8:44 AM

                                                                @gogol:

                                                                To summarize:

                                                                The boot process is interfering with Snort startup in my opinion, or the other way around.

                                                                • rc.newwanip detects an IP change while there isn't one and triggers a restart of packages while Snort is starting, which takes a while

                                                                • check_reload_status is also starting packages

                                                                Sometimes there is the -E argument instead of the -D in the process.

                                                                I believe it is still under investigation. And I don't have VLANs.

                                                                My opinion is that while Snort is starting up, there is no PID file until the process is completely started. In the meantime, another Snort start is invoked by a script and no PID file is detected, so the first process is not stopped and a new Snort process is started.

                                                                1 Reply Last reply Reply Quote 0
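The start race gogol describes in the post above, as an added example that is not part of the thread and is not the Snort package's own `snort.sh`: two start requests arrive while a slow-starting process has not yet written its PID file, first with the PID-file check alone and then with the check serialized behind an atomic `mkdir` lock. The stand-in sensor, the file names `sensor.pid`, `start.lock` and `launches`, and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a simulated start race. The "sensor" is a stand-in process,
# and none of this is the package's snort.sh.

STARTUP_DELAY=1   # seconds the stand-in sensor needs before it writes its PID file

# Stand-in for a slow-starting daemon: the PID file only appears once startup
# is done. Each launch is recorded (one PID per line) in $1/launches.
fake_sensor() {
    sh -c 'sleep "$1"; echo "$$" > "$2/sensor.pid"; sleep "$1"' \
        sh "$STARTUP_DELAY" "$1" >/dev/null 2>&1 &
    echo "$!" >> "$1/launches"
}

# True only if the PID file exists and names a live process.
sensor_running() {
    [ -s "$1/sensor.pid" ] && kill -0 "$(cat "$1/sensor.pid")" 2>/dev/null
}

# The pattern described in the post: trust the PID file alone.
unguarded_start() {
    sensor_running "$1" && return 0
    fake_sensor "$1"
}

# Same check, serialized: mkdir is atomic, so only one starter gets past it,
# and the lock is held until the new sensor has published its PID file.
# A production script would also need to clear a lock left by a crashed starter.
guarded_start() {
    mkdir "$1/start.lock" 2>/dev/null || return 0   # a start is already in flight
    if ! sensor_running "$1"; then
        fake_sensor "$1"
        tries=0
        while [ ! -s "$1/sensor.pid" ] && [ "$tries" -lt 10 ]; do
            sleep 1
            tries=$((tries + 1))
        done
    fi
    rmdir "$1/start.lock"
}

# Fire two start requests at the same moment, as two boot-time scripts would,
# and print how many sensor processes were launched.
run_scenario() {   # $1 = unguarded_start | guarded_start
    dir=$(mktemp -d) || return 1
    : > "$dir/launches"
    "$1" "$dir" >/dev/null 2>&1 &
    "$1" "$dir" >/dev/null 2>&1 &
    wait
    count=$(wc -l < "$dir/launches" | tr -d ' ')
    # Clean up the stand-in sensors before removing the work directory.
    while read -r pid; do kill "$pid" 2>/dev/null || true; done < "$dir/launches"
    rm -rf "$dir"
    echo "$count"
}

echo "unguarded: $(run_scenario unguarded_start) sensor process(es) launched"
echo "guarded:   $(run_scenario guarded_start) sensor process(es) launched"
```
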
                                                                • C
                                                                  Cino
                                                                  last edited by Aug 29, 2013, 10:32 AM

                                                                  Even though I've disabled a sensor, I still see a process for it when I reboot my box… The GUI tells me it's disabled, but ps -ax shows me it's running...  I've seen this before when en/disabling rules... I would enable a few rules then later turn them off to find that they weren't disabled. The only workaround I've found is to remove the package and re-install so it will read the config.xml and generate fresh config files.

                                                                  • 10 days later
                                                                  • P
                                                                    pfSenseRocks
                                                                    last edited by Sep 8, 2013, 5:00 PM

                                                                    So I bought me a dual gigabit NIC. I now have WAN, LAN and the Guest LAN on three physical NICs as opposed to VLANs. I still have the same problem with multiple snort processes all on the same interface. I am clueless. Please help!

                                                                    At start up

                                                                    
                                                                    [2.1-RC2][admin@sense.home]/root(2): ps -ax | grep snort
                                                                    33426  ??  IWN    0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                    34178  ??  DNL    6:45.45 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                    62838  ??  IWN    0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                    64327  ??  DNL    6:25.72 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                    54725  v0- IW     0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                    57256  v0- R      6:32.50 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                    48672   0  DL+    0:00.00 grep snort
                                                                    [2.1-RC2][admin@sense.home]/root(3):
                                                                    
                                                                    

                                                                    After killing these processes and manually restarting…

                                                                    
                                                                    [2.1-RC2][admin@sense.home]/root(5): ps -ax | grep snort
                                                                      715  ??  Ss     0:00.08 /usr/pbi/snort-amd64/bin/snort -R 22796 -D -q -l /var/log/snort/snort_re122796 --pid-path /var/run --nolock-pidfile -G 22796 -c /usr/pbi/snort-amd64/etc/snort/snort_22796_re1/snort.conf -i re1
                                                                    51274  ??  Ss     0:04.80 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                    73396  ??  Ss     0:00.66 /usr/pbi/snort-amd64/bin/snort -R 26667 -D -q -l /var/log/snort/snort_re026667 --pid-path /var/run --nolock-pidfile -G 26667 -c /usr/pbi/snort-amd64/etc/snort/snort_26667_re0/snort.conf -i re0
                                                                    68790   0  S+     0:00.00 grep snort
                                                                    [2.1-RC2][admin@sense.home]/root(6):
                                                                    
                                                                    
                                                                    1 Reply Last reply Reply Quote 0
                                                                    • bmeeksB
                                                                      bmeeks
                                                                      last edited by Sep 8, 2013, 10:25 PM

                                                                      @pfSenseRocks:

                                                                      So I bought me a dual gigabit NIC. I now have WAN, LAN and the Guest LAN on three physical NICs as opposed to VLANs. I still have the same problem with multiple snort processes all on the same interface. I am clueless. Please help!

                                                                      At start up

                                                                      
                                                                      [2.1-RC2][admin@sense.home]/root(2): ps -ax | grep snort
                                                                      33426  ??  IWN    0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                      34178  ??  DNL    6:45.45 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                      62838  ??  IWN    0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                      64327  ??  DNL    6:25.72 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                      54725  v0- IW     0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
                                                                      57256  v0- R      6:32.50 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                      48672   0  DL+    0:00.00 grep snort
                                                                      [2.1-RC2][admin@sense.home]/root(3):
                                                                      
                                                                      

                                                                      After killing these processes and manually restarting…

                                                                      
                                                                      [2.1-RC2][admin@sense.home]/root(5): ps -ax | grep snort
                                                                        715  ??  Ss     0:00.08 /usr/pbi/snort-amd64/bin/snort -R 22796 -D -q -l /var/log/snort/snort_re122796 --pid-path /var/run --nolock-pidfile -G 22796 -c /usr/pbi/snort-amd64/etc/snort/snort_22796_re1/snort.conf -i re1
                                                                      51274  ??  Ss     0:04.80 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
                                                                      73396  ??  Ss     0:00.66 /usr/pbi/snort-amd64/bin/snort -R 26667 -D -q -l /var/log/snort/snort_re026667 --pid-path /var/run --nolock-pidfile -G 26667 -c /usr/pbi/snort-amd64/etc/snort/snort_26667_re0/snort.conf -i re0
                                                                      68790   0  S+     0:00.00 grep snort
                                                                      [2.1-RC2][admin@sense.home]/root(6):
                                                                      
                                                                      

                                                                      I'm still looking into this.  Thus far I can't reproduce the problem in my VMware test setup, so it's still a bit of a mystery as to the root cause.  I am not throwing in the towel yet, though.

                                                                      Bill

                                                                      • P
                                                                        pfSenseRocks
                                                                        last edited by Sep 8, 2013, 11:48 PM

                                                                        Thanks Bill! How can I help?

                                                                        • P
                                                                          pfSenseRocks
                                                                          last edited by Sep 8, 2013, 11:55 PM

                                                                          Attaching a few screenshots of my snort configuration.

                                                                          SNortGlobal.PNG
                                                                          SnortIf.PNG
                                                                          SnortLANCat.PNG
                                                                          SnortWANCat.PNG
                                                                          SnortWANSettings.PNG

                                                                          • S
                                                                            Supermule Banned
                                                                            last edited by Sep 9, 2013, 1:45 AM

                                                                            Hi Bill

                                                                            I run a bunch of VLANs and don't have this issue.

                                                                            @bmeeks:

                                                                            @Cino:

                                                                            Bill,

                                                                            For a test to grab clean logs of the issue, I bounced my cable modem.. Hope this helps and enjoying labor day… I know I will be

                                                                            Stephen

                                                                            Thanks!  These logs sure do help.  I'm thinking VLANs are somehow the culprit.  I don't have any defined on my systems, and I do not see the multiple processes.  So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces.  I'm taking that as a good indicator of where to start looking… ;)

                                                                            Bill

                                                                            • bmeeksB
                                                                              bmeeks
                                                                              last edited by Sep 9, 2013, 9:44 PM

                                                                              @Supermule:

                                                                              Hi Bill

                                                                              I run a bunch of VLANs and don't have this issue.

                                                                              Thanks for the feedback, Brian.  This is a peculiar bug that does not seem to be easily reproduced.  For the folks that have it, they are reporting it is 100% reproducible on their systems.  For other systems…??

                                                                              Bill

                                                                              • bmeeksB
                                                                                bmeeks
                                                                                last edited by Sep 9, 2013, 9:50 PM

                                                                                @pfSenseRocks:

                                                                                Thanks Bill! How can I help?

                                                                                Thanks for the screenshots.  I also sent you a PM asking for a little more information if you can share it.

                                                                                Bill

                                                                                • P
                                                                                  pfSenseRocks
                                                                                  last edited by Sep 10, 2013, 5:49 PM

                                                                                  Done! Let me know when you receive it. Also, let me know if I can provide any other information.
