SNORT sending emails about cron



  • After updating to the latest version of pfsense I've started to receive emails from snort every day. They are titled as

    Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php

    and contain

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/var/log>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>
    4%        8%      50%      100%

    What are they, are they a cause for concern and how do I stop them?



  • @spudy12:

    After updating to the latest version of pfsense I've started to receive emails from snort every day. They are titled as

    Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php

    and contain

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/var/log>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>
    4%        8%      50%      100%

    What are they, are they a cause for concern and how do I stop them?

    Those are likely coming from the automatic rule set update scheduled on the GLOBAL SETTINGS tab.  I will need to think about a way to silence them or else include better information.

    Bill



  • Ah okay so it's nothing to worry about?
    I just assumed as it was sending an alert it was something that was not good (too much of that with my NAS lately)

    Also my Alert list is being spammed with

    (http_inspect) UNKNOWN METHOD

    Is there any way to limit the number of these logged or turn it off altogether?

    Cheers!



  • @spudy12:

    Ah okay so it's nothing to worry about?
    I just assumed as it was sending an alert it was something that was not good (too much of that with my NAS lately)

    Also my Alert list is being spammed with

    (http_inspect) UNKNOWN METHOD

    Is there any way to limit the number of these logged or turn it off altogether?

    Cheers!

    The cron e-mail is a never-mind.  Just spam.  I will see if I can get rid of it in an upcoming update.

    As for the http_inspect alert, those are very common.  So common, in fact, that I wonder why the rule authors even keep them in their packages.  But since they do, my advice is either disable the rule or suppress it.  A suppressed rule still "fires", but Snort eats the alert.  A disabled rule never wastes CPU time being used to inspect against traffic, since disabled rules are not loaded.  Which to use is your call as admin.  I have chosen to disable the rule.  You can do that either on the RULES tab by selecting Preprocessor Rules in the drop-down, or (easier method) find the alert on the ALERTS tab display and click the red X icon to add the rule to the forced disabled list.

    Bill
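
Added example, not part of the thread or of the Snort package: before choosing between suppressing and disabling, it helps to see which signatures actually dominate the alert log. This sketch tallies alerts by gid:sid and prints a suppress-list line for each noisy one. The sample lines and the gid:sid values in them are constructed, and the function names are hypothetical; take the real gid:sid from your own ALERTS tab.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format (not from the thread).
SAMPLE_ALERTS = """\
01/15-10:22:31.120001 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
01/15-10:22:32.450002 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:51240 -> 203.0.113.5:80
01/15-10:22:40.000003 [**] [1:1000001:1] LOCAL example rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:40122
01/15-10:23:05.910004 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.11:49888 -> 203.0.113.9:80
"""

# Matches "[**] [gid:sid:rev] message [**]" at the start of a fast-format alert.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def count_signatures(text):
    """Return a Counter keyed by (gid, sid, msg) for every parseable alert line."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # skip blank or malformed lines instead of failing
            gid, sid, _rev, msg = m.groups()
            counts[(int(gid), int(sid), msg)] += 1
    return counts


def suppress_candidates(text, min_hits=3):
    """Build suppress-list entries for signatures seen at least min_hits times."""
    entries = []
    for (gid, sid, msg), hits in count_signatures(text).most_common():
        if hits >= min_hits:
            # A suppressed rule is still evaluated; only its alert is dropped.
            entries.append(f"# {msg} ({hits} alerts)\n"
                           f"suppress gen_id {gid}, sig_id {sid}")
    return entries


if __name__ == "__main__":
    print("\n".join(suppress_candidates(SAMPLE_ALERTS)))
```

Review each candidate before suppressing it: a signature that fires often is not necessarily one that is safe to ignore.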

