    Snort multiple interfaces start fails

    • J
      jonna99 last edited by

      Hi!
      I have Snort 2.9.6.2 pkg v3.1.2 installed with two interfaces enabled, OPT1 and WAN.
      When Snort restarts, only one interface restarts automatically; the other one needs to be restarted manually.
      The same rules are activated on both (and I've tried different settings also) and there is nothing in the log that indicates that something is wrong. Both interfaces get the start command according to the system logs.
      I have also tried with WAN and LAN with the same result.

      Is there a way to fix this?

      Thank you
      Jonna

      • bmeeks
        bmeeks last edited by

        @jonna99:

        Hi!
        I have Snort 2.9.6.2 pkg v3.1.2 installed with two interfaces enabled, OPT1 and WAN.
        When Snort restarts, only one interface restarts automatically; the other one needs to be restarted manually.
        The same rules are activated on both (and I've tried different settings also) and there is nothing in the log that indicates that something is wrong. Both interfaces get the start command according to the system logs.
        I have also tried with WAN and LAN with the same result.

        Is there a way to fix this?

        Thank you
        Jonna

        Go try the fix I posted here and report back on the result – https://forum.pfsense.org/index.php?topic=81848.msg448018#msg448018

        I would like to see if increasing the PHP memory limit helps.

        Bill

        • J
          jonna99 last edited by

          Increased to 256 MB memory with the same result. Only WAN starts automatically while OPT1 has to be started manually.

          From system log:
          Sep 23 18:49:21 SnortStartup[99636]: Snort START for WAN(36542_em0)…
          Sep 23 18:50:49 kernel: em0: promiscuous mode enabled
          Sep 23 18:50:51 SnortStartup[44446]: Snort SOFT RESTART for OPT1(36542_ovpnc1)…

          So interface em0, WAN, starts and goes to promiscuous mode but nothing more happens to OPT1.

          Jonna

          • bmeeks
            bmeeks last edited by

            @jonna99:

            Increased to 256 MB memory with the same result. Only WAN starts automatically while OPT1 has to be started manually.

            From system log:
            Sep 23 18:49:21 SnortStartup[99636]: Snort START for WAN(36542_em0)…
            Sep 23 18:50:49 kernel: em0: promiscuous mode enabled
            Sep 23 18:50:51 SnortStartup[44446]: Snort SOFT RESTART for OPT1(36542_ovpnc1)…

            So interface em0, WAN, starts and goes to promiscuous mode but nothing more happens to OPT1.

            Jonna

            That SOFT RESTART tag in the log likely indicates that a zombie process is running on OPT1.  Run this command from the console or CLI via SSH:

            
            ps -ax |grep snort
            
            

            You should see nothing in the output of that command with "36542_ovpnc1" in it.  I'm betting you will.  If you see it, then note the process ID (PID) and manually kill that process and try starting again.

            Bill

            • J
              jonna99 last edited by

              This is the outcome of the command:
              ps -ax |grep snort
              11823  ??  Ss    0:00.02 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_ovpnc1365
              30425  ??  SNs    3:31.75 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_em036542
              12633  0  S+    0:00.00 grep snort

              and thank you for taking your time
              Jonna

              • bmeeks
                bmeeks last edited by

                @jonna99:

                This is the outcome of the command:
                ps -ax |grep snort
                11823  ??  Ss    0:00.02 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_ovpnc1365
                30425  ??  SNs    3:31.75 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_em036542
                12633  0  S+    0:00.00 grep snort

                and thank you for taking your time
                Jonna

                I think you are the victim of a bug in the DUP interface code added to Snort a few revisions back.  A fix for that is coming up shortly.  Notice the number following "-R" in the output you posted is exactly the same:  36542.  They should be different.  Did you by chance create the VPN interface by clicking the + icon next to an existing interface?

                To fix this now, before the update is released, requires a number of manual actions including renaming some directories using the command line.  If you want to try the manual fix, send me a PM (private message) here on the Forum.

                Bill
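
The duplicate "-R" value Bill points out can be checked mechanically. The script below is an added example, not part of the thread or of the pfSense Snort package: it reads `ps -ax` output and reports any "-R" value shared by more than one Snort process. The sample input is the output posted above (paths truncated as posted); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag Snort instances that were started with the same -R value.
# Sample input: the three ps lines posted in the thread, truncated as posted.
sample_ps() {
cat <<'EOF'
11823  ??  Ss    0:00.02 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_ovpnc1365
30425  ??  SNs    3:31.75 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_em036542
12633  0  S+    0:00.00 grep snort
EOF
}

# Reads ps output on stdin; prints "R_VALUE PID LOGDIR" for each snort process.
# Field 5 is the command, so the "grep snort" line is skipped.
snort_instances() {
  awk '
    $5 ~ /\/snort$/ {
      r = ""; l = ""
      for (i = 6; i <= NF; i++) {
        if ($i == "-R") r = $(i + 1)
        if ($i == "-l") l = $(i + 1)
      }
      if (r != "") print r, $1, l
    }'
}

# Reads ps output on stdin; prints one line per -R value used by more than
# one process, in the form "DUPLICATE -R <value>: <pid> <pid> ...".
duplicate_r_values() {
  snort_instances | awk '
    { count[$1]++; pids[$1] = pids[$1] " " $2 }
    END { for (r in count) if (count[r] > 1) print "DUPLICATE -R " r ":" pids[r] }'
}

if [ "${1:-}" = "--live" ]; then
  # -ww keeps ps from truncating the command line to the terminal width.
  ps -axww | duplicate_r_values
else
  sample_ps | duplicate_r_values
fi
```

Run without arguments it evaluates the sample from the thread; with `--live` it checks the processes on the firewall itself. No output means every running instance has its own "-R" value.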