Snort 2.9.4.6 Pkg v 2.5.9
Bill,
For a test to grab clean logs of the issue, I bounced my cable modem. Hope this helps, and enjoy Labor Day… I know I will be.
GW Log
Aug 28 10:41:13 apinger: SIGHUP received, reloading configuration.
Aug 28 10:41:13 apinger: SIGHUP received, reloading configuration.
Aug 28 10:40:58 apinger: SIGHUP received, reloading configuration.
Aug 28 10:40:09 apinger: alarm canceled (config reload): WAN_DHCP(X.X.208.1) *** WAN_DHCPdown ***
Aug 28 10:40:09 apinger: SIGHUP received, reloading configuration.
Aug 28 10:39:53 apinger: ALARM: WAN_DHCP(X.X.208.1) *** WAN_DHCPdown ***
System Log
Aug 28 10:47:25 sshd[6872]: Accepted keyboard-interactive/pam for root from 192.168.200.6 port 28523 ssh2
Aug 28 10:43:28 SnortStartup[11968]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)...
Aug 28 10:43:22 SnortStartup[10757]: Snort SOFT RESTART for WLAN Guest Alerting(63656_em0_vlan5)...
Aug 28 10:43:19 kernel: em2: promiscuous mode enabled
Aug 28 10:43:11 SnortStartup[9674]: Snort START for LAN Alerting(5622_em2)...
Aug 28 10:43:09 SnortStartup[8925]: Snort SOFT RESTART for WAN Alerting(59292_em3)...
Aug 28 10:43:02 SnortStartup[7961]: Snort START for LAN Alerting(5622_em2)...
Aug 28 10:42:58 SnortStartup[6717]: Snort START for WAN Alerting(59292_em3)...
Aug 28 10:42:57 kernel: em3: promiscuous mode enabled
Aug 28 10:42:45 SnortStartup[67423]: Snort START for WAN Blocking(60770_em3)...
Aug 28 10:42:38 kernel: em2: promiscuous mode disabled
Aug 28 10:42:37 snort[9920]: *** Caught Term-Signal
Aug 28 10:42:36 SnortStartup[64481]: Snort STOP for LAN Alerting(5622_em2)...
Aug 28 10:42:33 SnortStartup[60383]: Snort START for WAN Blocking(60770_em3)...
Aug 28 10:42:31 SnortStartup[57262]: Snort START for WLAN Guest Alerting(63656_em0_vlan5)...
Aug 28 10:42:28 kernel: em2: promiscuous mode enabled
Aug 28 10:42:24 kernel: em3: promiscuous mode disabled
Aug 28 10:42:24 snort[73635]: *** Caught Term-Signal
Aug 28 10:42:23 SnortStartup[5755]: Snort STOP for WAN Alerting(59292_em3)...
Aug 28 10:42:20 bandwidthd: Drawing initial graphs
Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:20 bandwidthd: Drawing initial graphs
Aug 28 10:42:20 bandwidthd: Opening em2
Aug 28 10:42:20 bandwidthd: Finished recovering 8648 records
Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:20 bandwidthd: Opening em2
Aug 28 10:42:20 bandwidthd: Finished recovering 1761 records
Aug 28 10:42:20 bandwidthd: Recovering from log.1.0.cdf
Aug 28 10:42:20 bandwidthd: Finished recovering 4016 records
Aug 28 10:42:20 bandwidthd: Recovering from log.1.1.cdf
Aug 28 10:42:20 bandwidthd: Finished recovering 4015 records
Aug 28 10:42:20 bandwidthd: Recovering from log.2.0.cdf
Aug 28 10:42:20 bandwidthd: Finished recovering 1131 records
Aug 28 10:42:20 bandwidthd: Drawing initial graphs
Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:20 bandwidthd: Opening em2
Aug 28 10:42:20 bandwidthd: Drawing initial graphs
Aug 28 10:42:20 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:20 bandwidthd: Finished recovering 123 records
Aug 28 10:42:20 bandwidthd: Opening em2
Aug 28 10:42:20 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:42:20 bandwidthd: Finished recovering 2696 records
Aug 28 10:42:20 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:42:20 bandwidthd: Finished recovering 1208 records
Aug 28 10:42:20 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:42:20 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:42:20 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:42:20 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:42:20 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:42:19 snort[63368]: *** Caught Term-Signal
Aug 28 10:42:18 SnortStartup[1275]: Snort STOP for WAN Blocking(60770_em3)...
Aug 28 10:42:18 bandwidthd: Finished recovering 2696 records
Aug 28 10:42:18 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:42:18 bandwidthd: Finished recovering 1208 records
Aug 28 10:42:18 bandwidthd: Drawing initial graphs
Aug 28 10:42:18 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:18 bandwidthd: Opening em2
Aug 28 10:42:18 bandwidthd: Finished recovering 123 records
Aug 28 10:42:18 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:42:18 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:42:18 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:42:18 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:42:18 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:42:18 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:42:16 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
Aug 28 10:42:14 squid[78388]: Squid Parent: (squid-1) process 78602 started
Aug 28 10:42:14 squid[78388]: Squid Parent: will start 1 kids
Aug 28 10:42:14 squid[77880]: Squid Parent: (squid-1) process 78063 started
Aug 28 10:42:13 squid[77880]: Squid Parent: will start 1 kids
Aug 28 10:42:11 squid[57908]: Squid Parent: (squid-1) process 58242 exited with status 0
Aug 28 10:42:10 squid[60746]: Squid Parent: (squid-1) process 61166 exited with status 0
Aug 28 10:42:10 SnortStartup[74072]: Snort START for LAN Alerting(5622_em2)...
Aug 28 10:42:07 bandwidthd: Drawing initial graphs
Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:07 bandwidthd: Opening em2
Aug 28 10:42:07 bandwidthd: Finished recovering 8648 records
Aug 28 10:42:07 bandwidthd: Drawing initial graphs
Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:07 bandwidthd: Opening em2
Aug 28 10:42:07 bandwidthd: Finished recovering 1761 records
Aug 28 10:42:07 bandwidthd: Recovering from log.1.0.cdf
Aug 28 10:42:07 bandwidthd: Finished recovering 4016 records
Aug 28 10:42:07 bandwidthd: Recovering from log.2.0.cdf
Aug 28 10:42:07 bandwidthd: Finished recovering 1131 records
Aug 28 10:42:07 bandwidthd: Drawing initial graphs
Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:07 bandwidthd: Opening em2
Aug 28 10:42:07 bandwidthd: Finished recovering 123 records
Aug 28 10:42:07 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:42:07 bandwidthd: Finished recovering 1208 records
Aug 28 10:42:07 bandwidthd: Recovering from log.1.1.cdf
Aug 28 10:42:07 bandwidthd: Finished recovering 4015 records
Aug 28 10:42:07 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:42:07 bandwidthd: Drawing initial graphs
Aug 28 10:42:07 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:07 bandwidthd: Opening em2
Aug 28 10:42:07 bandwidthd: Finished recovering 2696 records
Aug 28 10:42:07 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:42:07 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:42:07 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:42:07 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:42:07 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:42:06 SnortStartup[70343]: Snort START for WAN Alerting(59292_em3)...
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:06 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:42:05 bandwidthd: Drawing initial graphs
Aug 28 10:42:05 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:05 bandwidthd: Opening em2
Aug 28 10:42:05 bandwidthd: Finished recovering 2696 records
Aug 28 10:42:05 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:42:05 bandwidthd: Finished recovering 1208 records
Aug 28 10:42:05 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:42:05 bandwidthd: Drawing initial graphs
Aug 28 10:42:05 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:42:05 bandwidthd: Opening em2
Aug 28 10:42:05 bandwidthd: Finished recovering 123 records
Aug 28 10:42:05 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:42:05 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:42:05 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:42:05 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:42:05 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:42:04 kernel: em3: promiscuous mode enabled
Aug 28 10:42:03 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
Aug 28 10:42:03 check_reload_status: Syncing firewall
Aug 28 10:42:01 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:42:01 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:42:01 squid[60746]: Squid Parent: (squid-1) process 61166 started
Aug 28 10:42:01 squid[60746]: Squid Parent: will start 1 kids
Aug 28 10:42:01 squid[57908]: Squid Parent: (squid-1) process 58242 started
Aug 28 10:42:01 squid[57908]: Squid Parent: will start 1 kids
Aug 28 10:42:00 upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost established
Aug 28 10:42:00 upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:59 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:58 squid[33548]: Squid Parent: (squid-1) process 33781 exited with status 0
Aug 28 10:41:58 squid[32797]: Squid Parent: (squid-1) process 33693 exited with status 0
Aug 28 10:41:57 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:41:57 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:41:55 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:41:55 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:41:55 upsmon[42711]: Communications with UPS APC_Back-UPS_ES550@localhost lost
Aug 28 10:41:55 upsmon[42711]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted
Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:54 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
Aug 28 10:41:54 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:53 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:41:50 upsd[42078]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
Aug 28 10:41:50 upsmon[42403]: Startup successful
Aug 28 10:41:50 upsd[42078]: Startup successful
Aug 28 10:41:50 upsd[41895]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
Aug 28 10:41:50 upsd[41895]: listening on 127.0.0.1 port 3493
Aug 28 10:41:50 upsd[41895]: listening on ::1 port 3493
Aug 28 10:41:50 usbhid-ups[41650]: Startup successful
Aug 28 10:41:49 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:41:49 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:47 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:41:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:41:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:41:44 usbhid-ups[81311]: Signal 15: exiting
Aug 28 10:41:44 upsd[81483]: Signal 15: exiting
Aug 28 10:41:44 upsd[81483]: mainloop: Interrupted system call
Aug 28 10:41:43 upsd[81483]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
Aug 28 10:41:43 upsmon[82138]: Signal 15: exiting
Aug 28 10:41:43 kernel: em0_vlan5: promiscuous mode enabled
Aug 28 10:41:43 kernel: em0: promiscuous mode enabled
Aug 28 10:41:42 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:41:42 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:41:41 SnortStartup[91233]: Snort START for WAN Blocking(60770_em3)...
Aug 28 10:41:41 kernel: em0_vlan5: promiscuous mode disabled
Aug 28 10:41:41 kernel: em0: promiscuous mode disabled
Aug 28 10:41:37 upsd[81483]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
Aug 28 10:41:37 upsmon[81868]: Startup successful
Aug 28 10:41:37 upsd[81483]: Startup successful
Aug 28 10:41:37 upsd[81321]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
Aug 28 10:41:37 upsd[81321]: listening on 127.0.0.1 port 3493
Aug 28 10:41:37 upsd[81321]: listening on ::1 port 3493
Aug 28 10:41:37 usbhid-ups[81311]: Startup successful
Aug 28 10:41:36 check_reload_status: Syncing firewall
Aug 28 10:41:36 snort[81642]: *** Caught Term-Signal
Aug 28 10:41:35 SnortStartup[78667]: Snort STOP for WLAN Guest Alerting(63656_em0_vlan5)...
Aug 28 10:41:32 usbhid-ups[60672]: Signal 15: exiting
Aug 28 10:41:32 upsd[61343]: Signal 15: exiting
Aug 28 10:41:32 upsd[61343]: mainloop: Interrupted system call
Aug 28 10:41:32 upsd[61343]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
Aug 28 10:41:32 upsmon[61642]: Signal 15: exiting
Aug 28 10:41:31 kernel: em2: promiscuous mode disabled
Aug 28 10:41:31 snort[57737]: *** Caught Term-Signal
Aug 28 10:41:31 SnortStartup[67098]: Snort STOP for LAN Alerting(5622_em2)...
Aug 28 10:41:28 php: rc.start_packages: Restarting/Starting all packages.
Aug 28 10:41:28 kernel: em3: promiscuous mode disabled
Aug 28 10:41:28 snort[56544]: *** Caught Term-Signal
Aug 28 10:41:27 SnortStartup[59861]: Snort STOP for WAN Alerting(59292_em3)...
Aug 28 10:41:24 snort[53396]: *** Caught Term-Signal
Aug 28 10:41:23 SnortStartup[56750]: Snort STOP for WAN Blocking(60770_em3)...
Aug 28 10:41:21 php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages.
Aug 28 10:41:21 php: rc.newwanip: pfSense package system has detected an ip change 192.168.200.1 -> 192.168.200.1 ... Restarting packages.
Aug 28 10:41:19 php: rc.newwanip: Creating rrd update script
Aug 28 10:41:18 php: rc.newwanip: Creating rrd update script
Aug 28 10:41:15 php: rc.start_packages: Restarting/Starting all packages.
Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2).
Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: Informational is starting ovpns2.
Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: on (IP address: 192.168.200.1) (interface: opt1) (real interface: ovpns1).
Aug 28 10:41:13 php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
Aug 28 10:41:13 ntpd_intres[52667]: ntpd exiting on signal 15
Aug 28 10:41:12 check_reload_status: Starting packages
Aug 28 10:41:12 php: rc.newwanip: pfSense package system has detected an ip change x.x.210.112 -> x.x.210.112 ... Restarting packages.
Aug 28 10:41:10 check_reload_status: rc.newwanip starting ovpns2
Aug 28 10:41:10 kernel: ovpns2: link state changed to UP
Aug 28 10:41:10 bandwidthd: Drawing initial graphs
Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:10 bandwidthd: Opening em2
Aug 28 10:41:10 php: rc.newwanip: Creating rrd update script
Aug 28 10:41:10 bandwidthd: Finished recovering 1761 records
Aug 28 10:41:10 bandwidthd: Drawing initial graphs
Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:10 bandwidthd: Opening em2
Aug 28 10:41:10 bandwidthd: Finished recovering 8648 records
Aug 28 10:41:10 bandwidthd: Recovering from log.1.0.cdf
Aug 28 10:41:10 bandwidthd: Finished recovering 4016 records
Aug 28 10:41:10 bandwidthd: Recovering from log.1.1.cdf
Aug 28 10:41:10 bandwidthd: Finished recovering 4015 records
Aug 28 10:41:10 bandwidthd: Drawing initial graphs
Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:10 bandwidthd: Opening em2
Aug 28 10:41:10 bandwidthd: Finished recovering 2696 records
Aug 28 10:41:10 bandwidthd: Recovering from log.2.0.cdf
Aug 28 10:41:10 bandwidthd: Finished recovering 1131 records
Aug 28 10:41:10 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:41:10 bandwidthd: Finished recovering 1208 records
Aug 28 10:41:10 bandwidthd: Drawing initial graphs
Aug 28 10:41:10 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:10 bandwidthd: Opening em2
Aug 28 10:41:10 bandwidthd: Finished recovering 123 records
Aug 28 10:41:10 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:41:10 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:41:10 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:41:10 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:41:10 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:41:10 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:41:10 check_reload_status: rc.newwanip starting ovpns1
Aug 28 10:41:10 kernel: ovpns2: link state changed to DOWN
Aug 28 10:41:10 kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error
Aug 28 10:41:10 kernel: ovpns1: link state changed to UP
Aug 28 10:41:10 check_reload_status: Reloading filter
Aug 28 10:41:10 php: rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Aug 28 10:41:08 bandwidthd: Drawing initial graphs
Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:08 bandwidthd: Opening em2
Aug 28 10:41:08 bandwidthd: Finished recovering 8648 records
Aug 28 10:41:08 bandwidthd: Drawing initial graphs
Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:08 bandwidthd: Opening em2
Aug 28 10:41:08 bandwidthd: Drawing initial graphs
Aug 28 10:41:08 bandwidthd: Finished recovering 1761 records
Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:08 bandwidthd: Recovering from log.1.0.cdf
Aug 28 10:41:08 bandwidthd: Opening em2
Aug 28 10:41:08 bandwidthd: Finished recovering 4016 records
Aug 28 10:41:08 bandwidthd: Finished recovering 2696 records
Aug 28 10:41:08 bandwidthd: Recovering from log.1.1.cdf
Aug 28 10:41:08 bandwidthd: Recovering from log.3.0.cdf
Aug 28 10:41:08 bandwidthd: Finished recovering 4015 records
Aug 28 10:41:08 bandwidthd: Drawing initial graphs
Aug 28 10:41:08 bandwidthd: Packet Encoding: Ethernet
Aug 28 10:41:08 bandwidthd: Opening em2
Aug 28 10:41:08 bandwidthd: Finished recovering 123 records
Aug 28 10:41:08 bandwidthd: Recovering from log.4.0.cdf
Aug 28 10:41:08 bandwidthd: Recovering from log.2.0.cdf
Aug 28 10:41:08 bandwidthd: Finished recovering 1131 records
Aug 28 10:41:08 bandwidthd: Recovering from log.2.1.cdf
Aug 28 10:41:08 bandwidthd: Finished recovering 1208 records
Aug 28 10:41:08 bandwidthd: Recovering from log.1.2.cdf
Aug 28 10:41:08 bandwidthd: Recovering from log.2.2.cdf
Aug 28 10:41:08 bandwidthd: Monitoring subnet 192.168.5.0 with netmask 192.168.5.0
Aug 28 10:41:08 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0
Aug 28 10:41:08 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
Aug 28 10:41:06 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
Aug 28 10:41:06 check_reload_status: Syncing firewall
Aug 28 10:41:05 lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Aug 28 10:41:04 squid[33548]: Squid Parent: (squid-1) process 33781 started
Aug 28 10:41:04 squid[32797]: Squid Parent: (squid-1) process 33693 started
Aug 28 10:41:04 squid[33548]: Squid Parent: will start 1 kids
Aug 28 10:41:04 squid[32797]: Squid Parent: will start 1 kids
Aug 28 10:41:01 php: rc.start_packages: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was ''
Aug 28 10:41:01 squid[80084]: Squid Parent: (squid-1) process 80621 exited with status 0
Aug 28 10:41:01 check_reload_status: updating dyndns wan
Aug 28 10:41:01 squid[80808]: Squid Parent: (squid-1) process 81403 exited with status 0
Aug 28 10:40:59 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting default route to x.x.208.1
Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:58 php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
Aug 28 10:40:58 php: rc.newwanip: The command '/sbin/ifconfig 'gif0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:58 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
Aug 28 10:40:58 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
Aug 28 10:40:58 php: rc.newwanip: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:58 php: rc.newwanip: rc.newwanip: on (IP address: x.x.210.112) (interface: wan) (real interface: em3).
Aug 28 10:40:58 php: rc.newwanip: rc.newwanip: Informational is starting em3.
Aug 28 10:40:57 lighttpd[21678]: (connections.c.305) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: Not calling package sync code for dependency squidreverse of squid3-dev because some include files are missing.
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 php: rc.linkup: ROUTING: setting default route to x.x.208.1
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 kernel: if_rtdel: error 3
Aug 28 10:40:56 kernel: in6_purgeaddr: link-local all-nodesmulticast address deletion error
Aug 28 10:40:56 kernel:
Aug 28 10:40:56 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:56 check_reload_status: rc.newwanip starting em3
Aug 28 10:40:56 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:55 php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
Aug 28 10:40:54 upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost established
Aug 28 10:40:54 upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
Aug 28 10:40:51 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:40:51 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/ipmitool.xml
Aug 28 10:40:49 upsmon[61642]: Communications with UPS APC_Back-UPS_ES550@localhost lost
Aug 28 10:40:49 upsmon[61642]: Poll UPS [APC_Back-UPS_ES550@localhost] failed - Write error: Operation not permitted
Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:40:49 php: rc.start_packages: No pfBlocker action during boot process.
Aug 28 10:40:47 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:40:47 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/urlsnarf.xml
Aug 28 10:40:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:40:45 php: rc.start_packages: XML error: SYSTEM or PUBLIC, the URI is missing at line 1 in /usr/local/pkg/iftop.xml
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:42 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
Aug 28 10:40:39 upsd[61343]: User monuser@127.0.0.1 logged into UPS [APC_Back-UPS_ES550]
Aug 28 10:40:39 upsmon[61581]: Startup successful
Aug 28 10:40:39 upsd[61343]: Startup successful
Aug 28 10:40:39 upsd[61014]: Connected to UPS [APC_Back-UPS_ES550]: usbhid-ups-APC_Back-UPS_ES550
Aug 28 10:40:39 upsd[61014]: listening on 127.0.0.1 port 3493
Aug 28 10:40:39 upsd[61014]: listening on ::1 port 3493
Aug 28 10:40:39 usbhid-ups[60672]: Startup successful
Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 3.pool.ntp.org
Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 2.pool.ntp.org
Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 1.pool.ntp.org
Aug 28 10:40:37 ntpd_intres[52667]: host name not found: 0.pool.ntp.org
Aug 28 10:40:36 php: rc.filter_configure_sync: Message sent to cino@com OK
Aug 28 10:40:34 usbhid-ups[46776]: Signal 15: exiting
Aug 28 10:40:34 upsd[46865]: Signal 15: exiting
Aug 28 10:40:34 upsd[46865]: mainloop: Interrupted system call
Aug 28 10:40:34 upsd[46865]: User monuser@127.0.0.1 logged out from UPS [APC_Back-UPS_ES550]
Aug 28 10:40:34 upsmon[46997]: Signal 15: exiting
Aug 28 10:40:31 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
Aug 28 10:40:31 php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCADDALTQ: Device busy - The line in question reads [0]:
Aug 28 10:40:30 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
Aug 28 10:40:30 php: rc.linkup: HOTPLUG: Configuring interface wan
Aug 28 10:40:30 php: rc.linkup: DEVD Ethernet attached event for wan
Aug 28 10:40:28 kernel: rn_addmask: mask impossibly already in tree
Aug 28 10:40:28 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1
Aug 28 10:40:28 check_reload_status: updating dyndns wan
Aug 28 10:40:28 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
Aug 28 10:40:28 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was ''
Aug 28 10:40:28 php: rc.linkup: DEVD Ethernet detached event for wan
Aug 28 10:40:27 check_reload_status: Syncing firewall
Aug 28 10:40:27 kernel: em3: link state changed to UP
Aug 28 10:40:27 check_reload_status: Linkup starting em3
Aug 28 10:40:25 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process.
Aug 28 10:40:25 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
Aug 28 10:40:25 php: rc.linkup: HOTPLUG: Configuring interface wan
Aug 28 10:40:25 php: rc.linkup: DEVD Ethernet attached event for wan
Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1).
Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:24 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). 
Aug 28 10:40:23 kernel: em3: link state changed to DOWN Aug 28 10:40:23 check_reload_status: Linkup starting em3 Aug 28 10:40:22 kernel: em3: link state changed to UP Aug 28 10:40:22 check_reload_status: Linkup starting em3 Aug 28 10:40:22 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:40:22 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Aug 28 10:40:22 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was '' Aug 28 10:40:22 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:40:19 kernel: em3: link state changed to DOWN Aug 28 10:40:19 check_reload_status: Linkup starting em3 Aug 28 10:40:19 sshd[37303]: fatal: Write failed: Operation not permitted Aug 28 10:40:19 sshd[37303]: fatal: Write failed: Operation not permitted Aug 28 10:40:19 php: rc.start_packages: Restarting/Starting all packages. Aug 28 10:40:17 sshlockout[6346]: sshlockout/webConfigurator v3.0 starting up Aug 28 10:40:17 sshd[53059]: fatal: Write failed: Operation not permitted Aug 28 10:40:17 sshd[53059]: fatal: Write failed: Operation not permitted Aug 28 10:40:16 check_reload_status: Starting packages Aug 28 10:40:16 php: rc.newwanip: pfSense package system has detected an ip change 172.16.50.1 -> 172.16.50.1 ... Restarting packages. Aug 28 10:40:14 php: rc.newwanip: Creating rrd update script Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (opt1). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). 
Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:11 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan). Aug 28 10:40:09 php: rc.newwanip: rc.newwanip: on (IP address: 172.16.50.1) (interface: opt2) (real interface: ovpns2). Aug 28 10:40:09 php: rc.newwanip: rc.newwanip: Informational is starting ovpns2. 
Aug 28 10:40:06 check_reload_status: rc.newwanip starting ovpns2 Aug 28 10:40:06 kernel: ovpns2: link state changed to UP Aug 28 10:40:06 kernel: ovpns2: link state changed to DOWN Aug 28 10:40:06 kernel: in6_purgeaddr: node-local all-nodesmulticast address deletion error Aug 28 10:40:06 php: rc.openvpn: OpenVPN: Resync server2 Site-to-Site VPN Aug 28 10:40:06 kernel: ovpns1: link state changed to DOWN Aug 28 10:40:06 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:40:05 php: rc.openvpn: OpenVPN: Resync server1 Road Warrior OpenVPN Aug 28 10:40:05 php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP. Aug 28 10:40:03 check_reload_status: Reloading filter Aug 28 10:40:03 check_reload_status: Restarting OpenVPN tunnels/interfaces Aug 28 10:40:03 check_reload_status: Restarting ipsec tunnels Aug 28 10:40:03 check_reload_status: updating dyndns WAN_DHCP Aug 28 10:39:55 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:50 check_reload_status: updating dyndns wan Aug 28 10:39:47 dhcpleases: Could not deliver signal HUP to process because its pidfile does not exist, No such process. 
Aug 28 10:39:47 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:39:47 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:39:47 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:39:45 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:45 kernel: em3: link state changed to UP Aug 28 10:39:45 check_reload_status: Linkup starting em3 Aug 28 10:39:44 php: rc.linkup: ROUTING: setting IPv6 default route to 2001:470:x:x::1 Aug 28 10:39:44 php: rc.linkup: The command '/sbin/ifconfig gif0 tunnel x.x.161.14' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Aug 28 10:39:44 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em3 > /tmp/em3_output 2> /tmp/em3_error_output' returned exit code '15', the output was '' Aug 28 10:39:44 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:39:42 kernel: em3: link state changed to DOWN Aug 28 10:39:42 check_reload_status: Linkup starting em3 Aug 28 10:39:35 kernel: arpresolve: can't allocate llinfo for x.x.208.1 Aug 28 10:39:31 php: rc.linkup: The command '/sbin/ifconfig 'em3' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address' Aug 28 10:39:31 php: rc.linkup: HOTPLUG: Configuring interface wan Aug 28 10:39:31 php: rc.linkup: DEVD Ethernet attached event for wan Aug 28 10:39:29 php: rc.linkup: Clearing states to old gateway x.x.208.1. Aug 28 10:39:29 kernel: em3: link state changed to UP Aug 28 10:39:29 check_reload_status: Linkup starting em3 Aug 28 10:39:28 php: rc.linkup: DEVD Ethernet detached event for wan Aug 28 10:39:26 kernel: em3: link state changed to DOWN Aug 28 10:39:26 check_reload_status: Linkup starting em3 Aug 28 10:29:46 syslogd: kernel boot file is /boot/kernel/kernel
Snort Processes after WAN interface was bounced
root 4146 0.3 3.7 376720 114452 ?? SNs 10:42AM 0:01.01 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et
root 8189 0.1 3.7 376720 114308 ?? SNs 10:43AM 0:01.03 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/et
root 7005 0.0 1.6 317552 48632 ?? SNs 10:43AM 0:00.36 /usr/pbi/snort-i386/bin/snort -R 59292 -D -q -l /var/log/snort/snort_em359292 --pid-path /var/run --nolock-pidfile -G 59292 -c /usr/pbi/snort-i386/et
root 9784 0.0 2.9 360560 91932 ?? SNs 10:43AM 0:00.69 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s
root 11440 0.0 2.9 360560 92036 ?? SNs 10:43AM 0:00.70 /usr/pbi/snort-i386/bin/snort -R 5622 -D -q -l /var/log/snort/snort_em25622 --pid-path /var/run --nolock-pidfile -G 5622 -c /usr/pbi/snort-i386/etc/s
root 70314 0.0 2.9 359584 91004 ?? SNs 10:42AM 0:00.07 /usr/pbi/snort-i386/bin/snort -R 63656 -D -q -l /var/log/snort/snort_em0_vlan563656 --pid-path /var/run --nolock-pidfile -G 63656 -c /usr/pbi/snort-i
snort_em360770 WAN Blocking
snort_em359292 WAN Alerting
snort_em25622 LAN Alerting
snort_em0_vlan563656 Guest WiFi Alerting
Stephen
-
Thanks! These logs sure do help. I'm thinking VLANs are somehow the culprit. I don't have any defined on my systems, and I do not see the multiple processes. So far, the folks who are seeing multiple processes (too many processes, actually), all seem to have VLANs defined on their Snort interfaces. I'm taking that as a good indicator of where to start looking… ;)
Bill
-
You're welcome and thank you for many updates to this fine package.. Only 1 of my sensors is a VLAN.. I'm going to disable it and see if that changes anything… If that doesn't, I'll remove the config... Can't remove the VLAN interface itself without redoing a lot of work so it will have to stay
-
To resume:
The boot process is interfering with Snort Startup in my opinion or the other way around.
- rc.newwanip detects an ip change while there isn't one and triggers a restart packages while Snort is starting, which takes a while
- check_reload_status is also Starting Packages
Sometimes there is the -E argument instead of the -D in the process.
I believe it is still under investigation. And I don't have VLANs.
My opinion is that Snort is starting up, no PID file until the process is completely started. In the meanwhile another Snort start is invoked by a script and no PID file is detected, so the first process is not stopped and a new Snort process is started.
-
-
Even though I've disabled a sensor.. I still see a process for it when I reboot my box… The GUI tells me it's disabled, but ps -ax shows me it's running... I've seen this before when en/disabling rules... I would enable a few rules then later turn them off to find that they weren't disabled.. Only workaround I've found is to remove the package and re-install so it will read the config.xml and generate fresh config files
-
So I bought me a dual gigabit NIC. I now have WAN, LAN and the Guest LAN on three physical NICs as opposed to VLANs. I still have the same problem with multiple snort processes all on the same interface. I am clueless. Please help!
At start up
[2.1-RC2][admin@sense.home]/root(2): ps -ax | grep snort
33426 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
34178 ?? DNL 6:45.45 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
62838 ?? IWN 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
64327 ?? DNL 6:25.72 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
54725 v0- IW 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
57256 v0- R 6:32.50 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
48672 0 DL+ 0:00.00 grep snort
[2.1-RC2][admin@sense.home]/root(3):
After killing these processes and manually restarting…
[2.1-RC2][admin@sense.home]/root(5): ps -ax | grep snort
715 ?? Ss 0:00.08 /usr/pbi/snort-amd64/bin/snort -R 22796 -D -q -l /var/log/snort/snort_re122796 --pid-path /var/run --nolock-pidfile -G 22796 -c /usr/pbi/snort-amd64/etc/snort/snort_22796_re1/snort.conf -i re1
51274 ?? Ss 0:04.80 /usr/pbi/snort-amd64/bin/snort -R 62688 -D -q -l /var/log/snort/snort_em062688 --pid-path /var/run --nolock-pidfile -G 62688 -c /usr/pbi/snort-amd64/etc/snort/snort_62688_em0/snort.conf -i em0
73396 ?? Ss 0:00.66 /usr/pbi/snort-amd64/bin/snort -R 26667 -D -q -l /var/log/snort/snort_re026667 --pid-path /var/run --nolock-pidfile -G 26667 -c /usr/pbi/snort-amd64/etc/snort/snort_26667_re0/snort.conf -i re0
68790 0 S+ 0:00.00 grep snort
[2.1-RC2][admin@sense.home]/root(6):
-
I'm still looking into this. Thus far I can't reproduce the problem in my VMware test setup, so it's still a bit of a mystery as to the root cause. I am not throwing in the towel yet, though.
Bill
-
Thanks Bill! How can I help?
-
Attaching a few screenshots of my snort configuration.
-
Hi Bill
I run a bunch of VLANs and don't have this issue.
-
Thanks for the feedback Brian. This is a peculiar bug that does not seem to be easily reproduced. For the folks that have it, they are reporting it is 100% reproducible on their systems. For other systems…??
Bill
-
Thanks for the screenshots. I also sent you a PM asking for a little more information if you can share it.
Bill
-
Done! Let me know when you receive it. Also, let me know if I can provide any other information.
-
I have it. Thanks. As I mentioned in my reply e-mail, I will be busy until the weekend and can take a look then.
Bill
-
Any luck, Bill?
-
Not yet. I can't reproduce the problem in my test environment. Does this only happen on a reboot for you, or does it also happen with the auto-rule updates in Snort?
EDIT: Never mind on the question. I looked back and see you provided the answer several posts back. You said it happens usually on restarts after the Snort rule updates.
Bill
-
When I had VLANs going, the repro was 100% at reboot time and every 12 hours (on a successful rule update). Now that I have moved away from VLANs and spent some money retrofitting my laptop with additional Ethernet ports, the multiple snort processes issue only repros on restart. (I am going to jinx myself for making that claim).
-
Thanks for the clarification. I originally thought VLANs were at the root, but some other folks (Supermule, for one) have VLANs and don't have this issue. I will keep digging.
I have also been working this past weekend on getting the new Snort 2.9.5.3 binary going. I have a package built in my test environment that works. I want to get that new binary out by the end of this month and also update the package PHP code to 2.6.0. The new package code fixes a number of small bugs and adds multi-engine configurations for HTTP_INSPECT, Stream5 and Frag3.
Bill
-
Thanks is a poor word for what you have done to Snort and the community Bill!
-
- I don't have any VLAN's set up.
- Running 2.1-RELEASE now
and I have issues with multiple Snort instances running every now and then. Last night there was only one instance of the Snort process, but since last upgrade there's another one running again. It was fine for a while after the upgrade, then I saw an extra instance running -> killall snort -> launch Snort again and it was fine for a few update cycles (maybe no actual update happened?) and now there are two instances running again.
[2.1-RELEASE][admin@pfsense.localdomain]/root(6): ps -ax | grep snort
55531 ?? SNs 0:47.02 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0
56242 ?? SNs 0:46.66 /usr/pbi/snort-amd64/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/snort.conf -i em0
The update log looks a bit odd?
Starting rules update... Time: 2013-09-17 02:15:01
Downloading Snort VRT md5 file...
Starting rules update... Time: 2013-09-17 02:15:01
Downloading Snort VRT md5 file...
Starting rules update... Time: 2013-09-17 02:15:01
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading EmergingThreats md5 file...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-09-17 02:15:03
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-09-17 02:15:03
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-09-17 02:15:04
Starting rules update... Time: 2013-09-17 14:15:01
Downloading Snort VRT md5 file...
Starting rules update... Time: 2013-09-17 14:15:01
Downloading Snort VRT md5 file...
Snort VRT md5 download failed.
Server returned error code ''.
Server error message was 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/snortrules-snapshot-2946.tar.gz.md5'
Snort VRT rules will not be updated.
Downloading EmergingThreats md5 file...
EmergingThreats md5 file download failed.
Server returned error code ''.
The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5'
EmergingThreats rules will not be updated.
Starting rules update... Time: 2013-09-17 14:15:01
Downloading Snort VRT md5 file...
The Rules update has finished. Time: 2013-09-17 14:15:01
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
There is a new set of EmergingThreats rules posted. Downloading...
Done downloading EmergingThreats rules file.
Extracting and installing EmergingThreats.org rules...
Installation of EmergingThreats.org rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Restarting Snort to activate the new set of rules...
Snort has restarted with your new set of rules.
The Rules update has finished. Time: 2013-09-17 14:15:21
Done downloading rules file.
Downloading EmergingThreats md5 file...
EmergingThreats md5 file download failed.
Server returned error code ''.
The error text is 'Failed to create file /usr/pbi/snort-amd64/etc/snort/tmp/snort_rules_up/emerging.rules.tar.gz.md5'
EmergingThreats rules will not be updated.
Copying new config and map files...
Updating rules configuration for: WAN ...
Restarting Snort to activate the new set of rules...
Snort has restarted with your new set of rules.
The Rules update has finished. Time: 2013-09-17 14:15:57
I don't have syslog since 15th as syslog seems to have crashed soon after the upgrade to -RELEASE :F
Sep 15 13:23:22 syslogd: exiting on signal 15