    Snort shows as not running in GUI, but process is

    IDS/IPS
      spittlbm last edited by

      Came back from vacation and saw that Snort was Enabled, but not running and Barnyard2 was Enabled and running.  Logs stopped for alerts on 7/22.

      Verified the process was not running for Snort, but was for Barnyard2.  Third time this has happened, so I decided to create a shell script to check for the PID and start snort if not running via cron.

      Script:

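      #!/bin/sh

      # PID file checked to decide whether Snort is already running
      PIDFILE="/var/run/snort_em12345.pid"

      # Running only if the PID file exists and names a live process
      if [ -e "${PIDFILE}" ] && ps -p "$(cat "${PIDFILE}")" > /dev/null; then
        echo "Already running."
        exit 99
      fi

      /usr/local/etc/rc.d/snort.sh start

      # The PID file is not written here: $! is set only for a background job
      # started by this shell, so "echo $! > ${PIDFILE}" would leave an empty
      # PID file. Snort writes the file itself once startup has finished.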
      
      

      I ran the script and Snort has started, but the GUI doesn't see that it has, but it catches the Barnyard2 application.  Suggestions on a fix are much appreciated!

      Screenshot attached.

      Thank you

        ivor last edited by

        What happens when you click on the red icon (it might take a while for the page to refresh after you click it)?

          spittlbm last edited by

          @ivor:

          What happens when you click on the red icon (it might take a while for the page to refresh after you click it)?

          It turns a pretty green color  ;D

            ivor last edited by

            Problem solved then. ; )

              spittlbm last edited by

              @ivor:

              Problem solved then. ; )

              Not if the plan is to check that Snort is running, and if not, have the cron job start the process.

                bmeeks last edited by

                @spittlbm:

                @ivor:

                Problem solved then. ; )

                Not if the plan is to check that Snort is running, and if not, have the cron job start the process.

                Having a cron job restart Snort is not a good idea because Snort will restart itself during some events such as at the end of the scheduled rules updates.  If the cron job saw Snort down during that interval and attempted a start, then you could easily wind up with identical Snort instances on each interface.

                It is rare for Snort to just die, but it can happen.  If I did anything with a cron job and Snort, it would just be to monitor and then send the admin an e-mail alert and not try to auto-restart Snort.

                As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

                Bill

                  spittlbm last edited by

                  @bmeeks:

                  As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

                  Bill

                  Bill,

                  As always - thanks for the wise words!  I'll retool the script for email rather than restart.  Before I do that, I'll kill Snort a few times and check to see if it's just being slow to start.

                  Any idea what Brian Caswell is up to these days?

                  -Brian (not Cazz)

                    spittlbm last edited by

                    @bmeeks:

                    As for the GUI not showing Snort running, be aware that Snort can take a very, very long time to start.  Until it pretty much finishes the startup, it won't write the PID file that the GUI is looking for.  Until a matching PID file shows up, the GUI will display the Snort process on an interface as "not running".  Also, that screen is currently not "dynamic".  This means you need to refresh the screen periodically to see if Snort has started yet.  I have it on my to-do list to make that a dynamic screen in the future.

                    Bill

                    I wanted to confirm this is likely what is happening some of the time.  The start-up time after running filter updates appears to be about 10 minutes and I'm catching it during that time.  I know it was down for several days while I was away (at the start of this post).

                    An "Updating" status in the GUI would be awesome (cause that's what GUIs are for)

                    As often as we get poked and prodded, I'm not a fan of passing internet traffic without Snort taking a peek.

                    Brian
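
A monitor-only form of the cron check bmeeks describes, as an added example that is not part of the original thread: it never starts Snort, treats an empty or stale PID file as "not running", and e-mails the admin only after Snort has been down longer than a grace period, so the slow restart after a rules update is not reported. The state file path, the 900-second grace period, the admin address, the `--cron` switch and the use of `mail` are assumptions.

```shell
#!/bin/sh
# Monitor-only check for cron: report, never restart.
PIDFILE="/var/run/snort_em12345.pid"  # PID file name from the first post
STATE="/var/run/snort_watch.state"    # hypothetical: when Snort was first seen down
GRACE=900                             # assumed: above the ~10 min startup reported above
ADMIN="admin@example.com"             # placeholder address

# True only if the PID file holds a positive number naming a live process.
snort_alive() {
  [ -r "$1" ] || return 1
  pid=$(head -n 1 "$1" | tr -d '[:space:]')
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  # kill -0 only probes for existence; run as root if Snort runs as another user
  [ "$pid" -gt 0 ] && kill -0 "$pid" 2>/dev/null
}

# check_snort PIDFILE STATEFILE GRACE NOW
# Prints running | starting | alert | alerted; "alert" is printed once per outage.
check_snort() {
  if snort_alive "$1"; then
    rm -f "$2"; echo running; return 0
  fi
  if [ ! -s "$2" ]; then
    # First time seen down: start the grace timer instead of alerting
    echo "$4 pending" > "$2"; echo starting; return 0
  fi
  read -r since flag < "$2"
  if [ "$flag" = "sent" ]; then echo alerted; return 0; fi
  if [ $(( $4 - since )) -lt "$3" ]; then echo starting; return 0; fi
  echo "$since sent" > "$2"; echo alert
}

# Cron entry point (assumed invocation: script.sh --cron)
if [ "${1:-}" = "--cron" ]; then
  status=$(check_snort "$PIDFILE" "$STATE" "$GRACE" "$(date +%s)")
  if [ "$status" = "alert" ]; then
    echo "No live Snort process for $PIDFILE for over $GRACE seconds" |
      mail -s "Snort down on $(hostname)" "$ADMIN"
  fi
fi
```

Run it from cron at an interval shorter than the grace period so the first "down" observation is recorded before the threshold is reached.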
