SNORT Not Running Email Alert



  • I checked my services today and saw SNORT was not running. It started without issue or error, but was not running for 6 days. I was hoping someone knew of a way to get/be alerted when a service is not running via email. I depend on SNORT since it blocks injection attempts to my web sites due to an increase of exploits. I checked the logs and saw it was stopped as part of upgrading the rule set and didn't see a start until I manually started it.



  • If you have only a single interface instance, then the Service Watchdog package can be installed and used to monitor Snort.  The problem, though, is that during Snort restarts after a rules update the watchdog package will try to restart Snort every minute even though Snort is restarting on its own.  I've put some logic into the startup script of Snort to deal with that, but you still may wind up with multiple instances of Snort.  Give it a try if you want to.

    If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

    Bill



  • It is only running on WAN and it only gets restarted when it updates the rule set per the log or when I upgrade SNORT. I haven't needed to restart it manually.



  • Will the watchdog cause any issues with updating SNORT or when it updates the rule set?



  • @ghostshell:

    Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

    It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

    I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

    Bill



  • @bmeeks:

    @ghostshell:

    Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

    It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

    I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

    Bill

    Update ran without issue. Could you possibly send me the checks you added to the shell script and which one they go in?



  • @bmeeks:

    @ghostshell:

    Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

    It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

    I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

    Bill

    And… Thanks so much for the info and help!!



  • @ghostshell:

    …, could you possibly send me the checks you added to the shell script and which one they go in?

    They are in the current package code already.  If you look at the shell script in /usr/local/etc/rc.d/snort.sh you will see some logic that sets a flag when the script is called to start Snort.  Snort should also, now, ignore a "start" request if it is already running.  You can look at the snort_start() function in /usr/local/pkg/snort/snort.inc PHP code file.

    Bill



  • @bmeeks:

    If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

    Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?



  • @wiz561:

    @bmeeks:

    If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

    Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

    When I installed watchdog and went to set it up, all you get is a drop-down of what services you have installed. Once you add the service to the list, it will monitor the service and, as bmeeks said, it will start the service if stopped. Other than that, you get the option to notify, which I set up to get an email if stopped and the watchdog had to start it. I have not had issues when updating the rule set; I will see what happens when I upgrade it. I already upgraded to the latest SNORT package. If you have not, could you install watchdog and try that?



  • @wiz561:

    @bmeeks:

    If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

    Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

    Unfortunately the Service Watchdog package cannot distinguish between the Snort interfaces.  It will simply "pgrep" for "snort", and if it finds a running instance it will be happy.  That instance may not be the one that is stopped.  For example, if WAN stops but LAN is running, then the "pgrep snort" command will find the single running instance and be "happy" when it really should be "not happy".

    I tried for several weeks earlier this year to find a way around that, but there are some internal limitations with the current pfSense architecture with regards to how packages are sensed and auto-started by the system.  Those limitations cause the issues with something like the Service Watchdog package.

    I have considered something similar to Service Watchdog but customized into the Snort package itself.  I have not given that much priority.  I can revisit that idea in a future update.

    Bill
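Two limitations come up in this thread: a plain "pgrep snort" check is satisfied by any running instance, so a stopped WAN instance is missed while LAN is still up, and a watchdog that fires every minute will try to restart Snort while it is already restarting after a rules update. The script below is an added example, not code from the Snort package, the Service Watchdog package or anyone in the thread. It checks each expected interface separately and only mails after the instance has been missing for two consecutive runs, so a normal restart does not trigger an alert. It assumes that each pfSense Snort instance appears in the process list with its interface as "-i <ifname>", that mail(1) can deliver to the configured address, and that the interface names, recipient and state-file path are the operator's placeholders shown here.

```shell
#!/bin/sh
# Per-interface Snort liveness check with debounced e-mail alerting.
# Added example; not the Snort package's or Service Watchdog's own code.
#
# Assumptions (not confirmed by the thread):
#   - every Snort instance shows up in `ps` with its interface as "-i <ifname>"
#   - mail(1) is configured to deliver to ALERT_TO
#   - the values below are placeholders to be adjusted for the host

SNORT_IFACES="em0 em1"                              # interfaces Snort should run on (placeholder)
ALERT_TO="admin@example.com"                        # placeholder recipient
STATE_FILE="${TMPDIR:-/tmp}/snort_watch.count"      # consecutive-miss counter (assumed path)
ALERT_AFTER=2                                       # misses before mailing (~2 cron runs)

# Constructed sample process list, shaped like `ps -axo command` output,
# used only to exercise the functions offline: em0 and em10 are up, em1 is not.
SAMPLE_PS='/usr/local/bin/snort -R _em0a1b2 -D -q -l /var/log/snort -i em0 -c /usr/local/etc/snort/snort_em0/snort.conf
/bin/sh /usr/local/etc/rc.d/snort.sh start
/usr/local/bin/snort -R _em10xyz -D -q -i em10 -c /usr/local/etc/snort/snort_em10/snort.conf'

# missing_instances PS_OUTPUT IFACES
# Prints the interfaces from IFACES that have no snort process in PS_OUTPUT.
# Unlike a bare "pgrep snort", each interface is matched on its own, and the
# interface name is matched as a whole word so em1 does not satisfy em10.
missing_instances() {
    ps_output=$1
    ifaces=$2
    missing=""
    for ifname in $ifaces; do
        if ! printf '%s\n' "$ps_output" | grep -Eq "(^|/)snort .*-i ${ifname}( |\$)"; then
            missing="${missing:+$missing }$ifname"
        fi
    done
    printf '%s' "$missing"
}

# next_count PREV MISSING
# Debounce: resets to 0 when nothing is missing, otherwise increments PREV.
next_count() {
    if [ -z "$2" ]; then
        printf '0'
    else
        printf '%d' $(( $1 + 1 ))
    fi
}

# check_and_alert
# Live wrapper: reads the real process list, updates the counter and mails
# once the miss count reaches ALERT_AFTER. Returns 0 only when every
# expected instance is running.
check_and_alert() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    down=$(missing_instances "$(ps -axo command)" "$SNORT_IFACES")
    count=$(next_count "$prev" "$down")
    printf '%s\n' "$count" > "$STATE_FILE"
    if [ -n "$down" ] && [ "$count" -ge "$ALERT_AFTER" ]; then
        printf 'Snort is not running on: %s\nHost: %s\n' "$down" "$(hostname)" \
            | mail -s "Snort instance down" "$ALERT_TO"
        return 1
    fi
    [ -z "$down" ]
}

# Only perform the live check when invoked with --run (e.g. from cron).
[ "${1:-}" = "--run" ] && check_and_alert
```

Run it from cron every minute with the --run argument (the pfSense Cron package can schedule it; that is an assumption about the operator's setup). Because the script only reports and does not restart Snort, it does not compete with the package's own restart after a rules update; pairing it with a restart action would reintroduce the duplicate-instance problem described above.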

