Netgate Discussion Forum

    SNORT Not Running Email Alert

    • bmeeks

      If you have only a single interface instance, then the Service Watchdog package can be installed and used to monitor Snort.  The problem, though, is that during Snort restarts after a rules update the watchdog package will try to restart Snort every minute even though Snort is restarting on its own.  I've put some logic into the startup script of Snort to deal with that, but you still may wind up with multiple instances of Snort.  Give it a try if you want to.

      If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

      Bill

      • ghostshell

        It is only running on WAN and it only gets restarted when it updates the rule set per the log or when I upgrade SNORT. I haven't needed to restart it manually.

        • ghostshell

          Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

          • bmeeks

            @ghostshell:

            Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

            It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

            I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

            Bill

            • ghostshell

              @bmeeks:

              @ghostshell:

              Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

              It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

              I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

              Bill

              Update ran without issue. Could you possibly send me the checks you added to the shell script, and which one they go in?

              • ghostshell

                @bmeeks:

                @ghostshell:

                Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

                It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

                I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

                Bill

                And... thanks so much for the info and help!!

                • bmeeks

                  @ghostshell:

                  …, could you possibly send me the checks you added to the shell script, and which one they go in?

                  They are in the current package code already.  If you look at the shell script in /usr/local/etc/rc.d/snort.sh you will see some logic that sets a flag when the script is called to start Snort.  Snort should also, now, ignore a "start" request if it is already running.  You can look at the snort_start() function in /usr/local/pkg/snort/snort.inc PHP code file.

                  Bill

                  • wiz561

                    @bmeeks:

                    If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

                    Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

                    • ghostshell

                      @wiz561:

                      @bmeeks:

                      If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

                      Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

                      When I installed watchdog and went to set it up, all you get is a drop-down of what services you have installed. Once you add the service to the list it will monitor the service and, as bmeeks said, it will start the service if stopped. Other than that you get the option to notify, which I set up to get an email if it stopped and the watchdog had to start it. I have not had issues when updating the rule set; I will see what happens when I upgrade it. I already upgraded to the latest SNORT package. If you have not, could you install watchdog and try that?

                        • bmeeks

                        @wiz561:

                        @bmeeks:

                        If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

                        Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

                        Unfortunately the Service Watchdog package cannot distinguish between the Snort interfaces.  It will simply "pgrep" for "snort", and if it finds a running instance it will be happy.  That instance may not be the one that is stopped.  For example, if WAN stops but LAN is running, then the "pgrep snort" command will find the single running instance and be "happy" when it really should be "not happy".

                        I tried for several weeks earlier this year to find a way around that, but there are some internal limitations with the current pfSense architecture with regards to how packages are sensed and auto-started by the system.  Those limitations cause the issues with something like the Service Watchdog package.

                        I have considered something similar to Service Watchdog but customized into the Snort package itself.  I have not given that much priority.  I can revisit that idea in a future update.

                        Bill

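One way to close the gap Bill describes, as an added example that is not Service Watchdog or Snort package code: require a snort process carrying "-i <interface>" for every interface you expect, instead of accepting any snort process at all. The interface names and the process-table lines below are constructed sample data; "ps -axww -o command" is the FreeBSD invocation assumed for live use.

```shell
#!/bin/sh
# Per-interface Snort liveness check (added example, not pfSense package code).
# Service Watchdog is satisfied by a bare "pgrep snort", so a surviving LAN
# instance masks a dead WAN one. Here each expected interface must have its
# own snort process whose command line contains "-i <iface>".

# Print the interfaces (space separated) that have no running Snort instance.
# $1 = interfaces to expect, $2 = process table text in "ps -axww -o command"
# form, passed in as text so the function can be exercised on sample data.
snort_missing_ifaces() {
    expected="$1"
    proc_table="$2"
    missing=""
    for ifc in $expected; do
        # Only the snort binary counts (not snort.sh), and "-i em1" must not
        # satisfy a check for em10, hence the whole-word boundaries.
        if ! printf '%s\n' "$proc_table" \
             | grep -E '(^|/)snort( |$)' \
             | grep -Eq -- "(^| )-i ${ifc}( |\$)"; then
            missing="${missing:+$missing }$ifc"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample: Snort is up on em0 (WAN) but the em1 (LAN) instance has
# died. A plain "pgrep snort" would still report success on this table.
SAMPLE_PS='COMMAND
/usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
/bin/sh /usr/local/etc/rc.d/snort.sh start
sshd: admin@pts/0'

# Live mode: run against the real process table and log any dead instance;
# returns 1 when something is missing so a cron job or notifier can act on it.
check_snort() {
    missing=$(snort_missing_ifaces "$1" "$(ps -axww -o command)")
    if [ -n "$missing" ]; then
        logger -t snort-check "Snort not running on: $missing"
        return 1
    fi
    return 0
}
```

Run it from cron as `check_snort "em0 em1"` and feed the logged line into whatever notification path you already use for the watchdog email.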
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.