Snort shows as not running in GUI, but process is



  • Came back from vacation and saw that Snort was Enabled, but not running and Barnyard2 was Enabled and running.  Logs stopped for alerts on 7/22.

    Verified the process was not running for Snort, but was for Barnyard2.  Third time this has happened, so I decided to create a shell script to check for the PID and start snort if not running via cron.

    Script:

    #!/bin/sh
    # Start the Snort instance for this interface if its process is gone.

    PIDFILE="/var/run/snort_em12345.pid"

    # Snort writes this PID file itself once it has finished starting up,
    # so the script only reads it and never writes to it.
    if [ -e "${PIDFILE}" ] && ps -p "$(cat "${PIDFILE}")" > /dev/null 2>&1; then
      echo "Already running."
      exit 99
    fi

    /usr/local/etc/rc.d/snort.sh start
    # Note: the start command runs in the foreground, so "$!" (the PID of the
    # last background job) is empty here; writing it to the PID file would just
    # clobber the file the GUI reads, so that step has been dropped.


    I ran the script and Snort has started, but the GUI doesn't see that it has, although it catches the Barnyard2 application.  Suggestions on a fix are much appreciated!

    Screenshot attached.

    Thank you


  • Galactic Empire Netgate

    What happens when you click on the red icon (it might take a while for the page to refresh after you click it)?



  • @ivor:

    What happens when you click on the red icon (it might take a while for the page to refresh after you click it)?

    It turns a pretty green color  ;D


  • Galactic Empire Netgate

    Problem solved then. ; )



  • @ivor:

    Problem solved then. ; )

    Not if the plan is to check that Snort is running, and if not, have the cron job start the process.



  • @spittlbm:

    @ivor:

    Problem solved then. ; )

    Not if the plan is to check that Snort is running, and if not, have the cron job start the process.

    Having a cron job restart Snort is not a good idea because Snort will restart itself during some events such as at the end of the scheduled rules updates.  If the cron job saw Snort down during that interval and attempted a start, then you could easily wind up with identical Snort instances on each interface.

    It is rare for Snort to just die, but it can happen.  If I did anything with a cron job and Snort, it would just be to monitor and then send the admin an e-mail alert and not try to auto-restart Snort.

    As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

    Bill
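    A monitor-only version of the cron check along the lines Bill describes, as an added example (not from this thread or the pfSense Snort package): it never starts Snort, it classifies the state from the same PID file the GUI reads, and it alerts only once the instance has been down on several consecutive runs so the long restart after a rules update does not page anyone.  The PID file path, counter file, interface name and mail address are placeholders, and the process check assumes it runs as root, as cron does on pfSense.

    ```sh
    #!/bin/sh
    # Monitor-only Snort check for one interface (example code, placeholders
    # throughout).  Never starts or restarts Snort.

    # snort_state PIDFILE -> exit 0 running, 1 stale/garbage PID file, 2 no PID file
    snort_state() {
        [ -e "$1" ] || return 2
        pid=$(cat "$1" 2>/dev/null)
        case "$pid" in
            ''|*[!0-9]*) return 1 ;;          # empty or non-numeric contents
        esac
        # kill -0 only tests that the PID exists; assumes we run as root
        kill -0 "$pid" 2>/dev/null || return 1
        return 0
    }

    # down_streak COUNTERFILE STATE -> prints how many consecutive runs saw it down
    down_streak() {
        if [ "$2" -eq 0 ]; then
            rm -f "$1"                        # Snort is up again: reset the counter
            echo 0
            return 0
        fi
        n=$(cat "$1" 2>/dev/null)
        n=$((${n:-0} + 1))
        echo "$n" > "$1"
        echo "$n"
    }

    # check_snort PIDFILE COUNTERFILE THRESHOLD -> exit 0 only on the run where
    # the down streak reaches THRESHOLD, i.e. one alert per outage
    check_snort() {
        state=0
        snort_state "$1" || state=$?
        streak=$(down_streak "$2" "$state")
        [ "$streak" -eq "$3" ]
    }

    # Cron entry point: run every 5 minutes with --cron; three misses in a row
    # (15 minutes) rides out the ~10 minute restart after a rules update.
    if [ "${1:-}" = "--cron" ]; then
        if check_snort /var/run/snort_em12345.pid /var/tmp/snort_em12345.down 3; then
            echo "Snort on em1 has been down for 3 consecutive checks; not restarting." \
                | mail -s "Snort down on $(hostname)" admin@example.com
        fi
    fi
    ```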



  • @bmeeks:

    As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

    Bill

    Bill,

    As always - thanks for the wise words!  I'll retool the script for email rather than restart.  Before I do that, I'll kill Snort a few times and check to see if it's just being slow to start.

    Any idea what Brian Caswell is up to these days?

    -Brian (not Cazz)



  • @bmeeks:

    As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

    Bill

    I wanted to confirm this is likely what is happening some of the time.  The start-up time after running filter updates appears to be about 10 minutes and I'm catching it during that time.  I know it was down for several days while I was away (at the start of this post).

    An "Updating" status in the GUI would be awesome (cause that's what GUIs are for)

    As often as we get poked and prodded, I'm not a fan of passing internet traffic without Snort taking a peek.

    Brian