Snort multiple interfaces start fails
-
Hi!
I have Snort 2.9.6.2 pkg v3.1.2 installed with two interfaces enabled, OPT1 and WAN.
When Snort restarts, only one interface restarts automatically; the other one needs to be restarted manually.
The same rules are activated on both (and I've tried different settings also) and there is nothing in the log that indicates that something is wrong. Both interfaces get the start command according to the system logs.
I have also tried with WAN and LAN with the same result. Is there a way to fix this?
Thank you
Jonna
-
Go try the fix I posted here and report back on the result – https://forum.pfsense.org/index.php?topic=81848.msg448018#msg448018
I would like to see if increasing the PHP memory limit helps.
Bill
-
Increased to 256 MB memory with the same result. Only WAN starts automatically while OPT1 has to be started manually.
From system log:
Sep 23 18:49:21 SnortStartup[99636]: Snort START for WAN(36542_em0)…
Sep 23 18:50:49 kernel: em0: promiscuous mode enabled
Sep 23 18:50:51 SnortStartup[44446]: Snort SOFT RESTART for OPT1(36542_ovpnc1)…
So interface em0, WAN, starts and goes to promiscuous mode but nothing more happens to OPT1.
Jonna
-
That SOFT RESTART tag in the log likely indicates that a zombie process is running on OPT1. Run this command from the console or CLI via SSH:
ps -ax |grep snort
You should see nothing in the output of that command with "36542_ovpnc1" in it. I'm betting you will. If you see it, then note the process ID (PID) and manually kill that process and try starting again.
Bill
-
This is the outcome of the command:
ps -ax |grep snort
11823 ?? Ss 0:00.02 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_ovpnc1365
30425 ?? SNs 3:31.75 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_em036542
12633 0 S+ 0:00.00 grep snort
and thank you for taking your time
Jonna
-
I think you are the victim of a bug in the DUP interface code added to Snort a few revisions back. A fix for that is coming up shortly. Notice the number following "-R" in the output you posted is exactly the same: 36542. They should be different. Did you by chance create the VPN interface by clicking the + icon next to an existing interface?
To fix this now, before the update is released, requires a number of manual actions including renaming some directories using the command line. If you want to try the manual fix, send me a PM (private message) here on the Forum.
Bill
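
The symptom identified above, two Snort processes started with the same "-R" value, can be checked for directly from `ps -ax` output. The following is an added example, not part of the original thread or of the Snort package; the function names `dup_snort_ids` and `sample_ps` are hypothetical, and the sample input is the ps output posted in this thread.

```shell
#!/bin/sh
# Added example: report "-R" values shared by more than one running Snort
# process. Each interface instance is expected to have its own value.
# Usage on the firewall console:  ps -ax | dup_snort_ids

# Reads `ps -ax` lines (PID TT STAT TIME COMMAND ...) on stdin and prints
# one line per duplicated value: "<value>: <pid> <pid> ...".
dup_snort_ids() {
    awk '
        # Field 5 is the command; match only the snort binary itself,
        # which also skips the "grep snort" line.
        $5 ~ "(^|/)snort$" {
            for (i = 6; i < NF; i++)
                if ($i == "-R") {
                    id = $(i + 1)
                    count[id]++
                    pids[id] = pids[id] " " $1
                }
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    print id ":" pids[id]
        }
    '
}

# Sample input: the ps output as posted in the thread.
sample_ps() {
    cat <<'EOF'
11823 ?? Ss 0:00.02 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_ovpnc1365
30425 ?? SNs 3:31.75 /usr/pbi/snort-amd64/bin/snort -R 36542 -D -q -l /var/log/snort/snort_em036542
12633 0 S+ 0:00.00 grep snort
EOF
}

# Run against the sample when executed directly.
sample_ps | dup_snort_ids
```

An empty result means every running Snort instance has a distinct "-R" value.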