Netgate Discussion Forum
    SNORT Not Running Email Alert

pfSense Packages
11 Posts, 3 Posters, 3.2k Views
ghostshell:

I checked my services today and saw SNORT was not running. It started without issue or error, but had not been running for 6 days. I was hoping someone knew of a way to get alerted by email when a service is not running. I depend on SNORT since it blocks injection attempts against my web sites, and there has been an increase in exploits. I checked the logs and saw it was stopped as part of upgrading the rule set, and I didn't see a start until I manually started it.

bmeeks:

        If you have only a single interface instance, then the Service Watchdog package can be installed and used to monitor Snort.  The problem, though, is that during Snort restarts after a rules update the watchdog package will try to restart Snort every minute even though Snort is restarting on its own.  I've put some logic into the startup script of Snort to deal with that, but you still may wind up with multiple instances of Snort.  Give it a try if you want to.

        If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

        Bill

ghostshell:

It is only running on WAN, and per the log it only gets restarted when it updates the rule set or when I upgrade SNORT. I haven't needed to restart it manually.

ghostshell:

            Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

bmeeks:

              @ghostshell:

              Will the watchdog cause any issues with updating SNORT or when it updates the rule set?

              It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  You can try it if you want, and just remove Snort from the Service Watchdog list if you see problems (or remove the Service Watchdog package altogether).

              I was testing this a few months back when trying to get Snort and Suricata to play well with the Service Watchdog package.  I was not successful, but I was also trying to make sure any and all Snort interfaces were monitored.  You may have better luck with just one interface – in your case the WAN.

              Bill

ghostshell:

@bmeeks:

It will see the process down and try to restart it.  I put some checks into the shell script that should help, but I have not thoroughly tested the scenario.  […]

Update ran without issue. Could you possibly send me the checks you added to the shell script, and which script they go in?

ghostshell:

@bmeeks: […]

And... thanks so much for the info and help!!

bmeeks:

                    @ghostshell:

…, could you possibly send me the checks you added to the shell script, and which script they go in?

They are in the current package code already.  If you look at the shell script in /usr/local/etc/rc.d/snort.sh you will see some logic that sets a flag when the script is called to start Snort.  Snort should also now ignore a "start" request if it is already running.  You can look at the snort_start() function in the /usr/local/pkg/snort/snort.inc PHP code file.

                    Bill

wiz561:
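The guard bmeeks describes above (a flag set by the start script, and a start request ignored when the instance is already up) can be sketched as a small shell wrapper. This is an added example, not the pfSense Snort package's own snort.sh or snort.inc. It assumes a layout the thread does not specify: one PID file per interface at $RUN_DIR/snort_<iface>.pid, and a flag file $RUN_DIR/snort_<iface>.restarting holding the epoch time at which a rules-update restart began.

```shell
#!/bin/sh
# Added example, not the pfSense Snort package's own snort.sh. A "start"
# request is ignored when the instance is already running or when a
# rules-update restart is still in progress, so a watchdog firing every
# minute cannot spawn a second instance. File layout below is assumed.
RUN_DIR="${RUN_DIR:-/var/run}"
FLAG_MAX_AGE=300   # seconds; an older flag is a leftover from a failed restart

# Print the live PID recorded for interface $1; fail if there is none.
snort_live_pid() {
    pidfile="$RUN_DIR/snort_$1.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && printf '%s' "$pid"
}

# Mark the start of a rules-update restart for interface $1 at epoch time $2.
snort_mark_restarting() {
    printf '%s\n' "$2" > "$RUN_DIR/snort_$1.restarting"
}

# Classify a "start" request for interface $1 at epoch time $2.
# Prints "running <pid>", "restarting" or "start"; exit 0 only for "start".
snort_start_decision() {
    iface="$1"
    now="$2"
    if pid=$(snort_live_pid "$iface"); then
        printf 'running %s\n' "$pid"
        return 1
    fi
    flag="$RUN_DIR/snort_${iface}.restarting"
    if [ -f "$flag" ]; then
        age=$(( now - $(cat "$flag") ))
        if [ "$age" -lt "$FLAG_MAX_AGE" ]; then
            printf 'restarting\n'
            return 1
        fi
        rm -f "$flag"      # stale: the restart never finished, allow a start
    fi
    printf 'start\n'
}

# Wrapper a watchdog would call: launches only when the decision is "start".
# The launch line is a placeholder for the real per-interface snort command.
snort_start_guarded() {
    iface="$1"
    decision=$(snort_start_decision "$iface" "$(date +%s)") || {
        logger -t snort-guard "start request for $iface ignored: $decision"
        return 0
    }
    rm -f "$RUN_DIR/snort_$iface.restarting"
    echo "would launch: snort -D -i $iface --pid-path $RUN_DIR ..."
}
```

The rules-update path would call snort_mark_restarting before stopping the instance and let the guarded start clear the flag; the age limit keeps a crash mid-restart from blocking starts forever.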

                      @bmeeks:

                      If you have Snort on multiple interfaces, the Service Watchdog package cannot distinguish each individual interface as the separate Snort service instance it is, so it will not accurately watch all the instances.

                      Thanks for posting this as I came here to ask the same question.  I'm getting tired of snort not running for some unknown reason every now and then.  I do run snort on multiple interfaces (wan and internal lan).  Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

ghostshell:

@wiz561:

[…] Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

When I installed watchdog and went to set it up, all you get is a drop-down of the services you have installed. Once you add the service to the list it will monitor the service and, as bmeeks said, it will start the service if stopped. Other than that you get the option to notify, which I set up to get an email if it stopped and the watchdog had to start it. I have not had issues when updating the rule set; I will see what happens when I upgrade it. I already upgraded to the latest SNORT package. If you have not, could you install watchdog and try that?

bmeeks:

@wiz561:

[…] Do you have any suggestions on how I can accomplish this, with two interfaces?  I'm mostly concerned with the WAN interface, can I tell the watchdog service to just concentrate on that instance?

                          Unfortunately the Service Watchdog package cannot distinguish between the Snort interfaces.  It will simply "pgrep" for "snort", and if it finds a running instance it will be happy.  That instance may not be the one that is stopped.  For example, if WAN stops but LAN is running, then the "pgrep snort" command will find the single running instance and be "happy" when it really should be "not happy".

                          I tried for several weeks earlier this year to find a way around that, but there are some internal limitations with the current pfSense architecture with regards to how packages are sensed and auto-started by the system.  Those limitations cause the issues with something like the Service Watchdog package.

                          I have considered something similar to Service Watchdog but customized into the Snort package itself.  I have not given that much priority.  I can revisit that idea in a future update.

                          Bill

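Since the Service Watchdog check reduces to "pgrep snort", a stopped WAN instance hides behind a running LAN one, which is exactly wiz561's case. The check below is an added example (not the Service Watchdog package's or the Snort package's own code) that tests each interface instance separately and answers the original question about an e-mail alert. It assumes, beyond what the thread states, that every Snort instance carries "-i <iface>" on its command line, that "ps -axww -o command" prints full command lines, and that logger(1) and mail(1) are usable on the box; the process listing at the end is constructed for an offline run.

```shell
#!/bin/sh
# Added example, not the Service Watchdog package's own check. It replaces the
# bare "pgrep snort" with a per-interface test. Assumptions (not stated in the
# thread): every Snort instance carries "-i <iface>" on its command line, and
# "ps -axww -o command" prints the full command line of each process.

# Succeed (0) if the listing in $2 contains a snort process bound to interface $1.
snort_iface_running() {
    iface="$1"
    listing="$2"
    printf '%s\n' "$listing" \
        | grep -E "^(/[^ ]*/)?snort .* -i ${iface}([[:space:]]|\$)" >/dev/null
}

# Print the space-separated list of interfaces from $1 that have no running
# instance in listing $2; exit 0 only when every interface is covered.
missing_snort_ifaces() {
    ifaces="$1"
    listing="$2"
    missing=""
    for i in $ifaces; do
        snort_iface_running "$i" "$listing" || missing="${missing:+$missing }$i"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Live check for a cron entry: alert by syslog and e-mail when an instance is
# down. Assumes logger(1) and mail(1) are usable on the box.
check_and_alert() {
    ifaces="$1"
    mailto="$2"
    listing=$(ps -axww -o command)
    if missing=$(missing_snort_ifaces "$ifaces" "$listing"); then
        return 0
    fi
    logger -t snortwatch "Snort not running on: $missing"
    printf 'Snort is not running on interface(s): %s\n' "$missing" \
        | mail -s "Snort down on $(hostname)" "$mailto"
    return 1
}

# Constructed sample listing: WAN (em0) alive, LAN (em1) stopped. A plain
# "pgrep snort" would report this host healthy.
SAMPLE_PS='/usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
/usr/sbin/syslogd -s
/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf'

# Offline demo; on a live box use: check_and_alert "em0 em1" admin@example.com
if missing_snort_ifaces "em0 em1" "$SAMPLE_PS" >/dev/null; then
    echo "all Snort instances up"
else
    echo "missing: $(missing_snort_ifaces "em0 em1" "$SAMPLE_PS")"
fi
```

Because the interface name is matched as a whole token, "em" does not match the em0 instance; the same holds for the pfSense names (igb0, vtnet1 and so on) as long as the instance is started with "-i".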
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.