Netgate Discussion Forum
    Snort.sh not correctly being updated

    pfSense Packages
spookycave:

      Snort does not seem to start correctly after a fresh reboot of pfsense.  I found the problem to be in the function "sync_package_snort()", located in /usr/local/pkg/snort.inc.  It appears that this function is being called too quickly after startup, such that not all interfaces are fully up yet.  It looks like the following "foreach" loop executes zero times, since no interfaces are "up" yet:

      /* one "snort ... -i <iface>" command per configured interface */
      foreach ($snortInterfaces as $snortIf) {
        $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i {$snortIf} -A full -D";
      }

      Therefore, when sync_package_snort() writes the file "/usr/local/etc/rc.d/snort.sh", the "$start" variable doesn't include the line to actually start snort.  Here is the "$start" line of my snort.sh file immediately after startup:
      /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c

      Oddly, I also checked the box to block offenders, so it appears that this line of the function doesn't work either:
      /* if block offenders is checked, start snort2c */
      if ($_POST['blockoffenders'])
        $start .= ";sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert";

      As a workaround to always re-add the correct startup commands, I added this code at line 150 of /usr/local/pkg/snort.inc (obviously you'd have to substitute "vx0" for whichever interface you're running snort on):

      /* added by me */   
      $start = "/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i vx0 -A full -D;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert";

      The other workaround is to simply go into the admin web page in Services->Snort->Settings tab and click the "Save" button.  That has always seemed to restart snort correctly for me, but it needs to be done manually every time pfsense is rebooted.

badilcan:

        Thanks, that worked for me.
        Greetings from Turkiye.

JustinHoMi:

          Thanks for the helpful information! I was wondering what all was going on with the startup config…

MarcoP:

            Thanks for the info! Still valid with pfSense 1.2.1-RC2

MarcoP:

              As far as I can tell it doesn't work (by default) because snort.inc looks for $_POST data.
              $_POST will only be filled when submitting the admin page; if the startup script is rewritten after each server startup then it will fail, since $_POST is empty.

              I'm new to pfSense so forgive me if I'm wrong.

MarcoP:
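The two posts above (spookycave's diagnosis that the `foreach` and the block-offenders check produce nothing at boot, and MarcoP's observation that this is because `$_POST` is empty outside a web save) describe one root cause: the rc script is generated from the request rather than from persisted settings. The following is an added example, not code from the thread or from the pfSense snort package, of the shape such a generator takes when it reads saved settings and rewrites the script from scratch. The function names, the settings cache path, the JSON format (PHP 5.2+ assumed) and the interface-name pattern are assumptions; `iface_array` and `blockoffenders` are the form field names visible in the thread.

```php
<?php
/*
 * Added example (not pfSense/snort.inc code): regenerate snort.sh from the
 * last *saved* settings rather than from $_POST, so the boot-time call
 * (where $_POST is empty) still emits the snort and snort2c start lines,
 * and repeated saves do not duplicate the script body.
 *
 * Assumed/hypothetical: the function names below, the cache path
 * /usr/local/etc/snort/settings.json, and the settings array keys
 * 'iface_array' and 'blockoffenders' (the form field names seen in the thread).
 */

define('SNORT_SETTINGS_CACHE', '/usr/local/etc/snort/settings.json');

/* Persist a submitted form as JSON data, never as PHP source, and keep it
 * owner-only: a file that is later include()d would execute whatever a
 * form field contained. */
function snort_save_settings(array $post, $path = SNORT_SETTINGS_CACHE)
{
    $keep = array(
        'iface_array'    => isset($post['iface_array']) ? array_values((array)$post['iface_array']) : array(),
        'blockoffenders' => !empty($post['blockoffenders']),
    );
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, json_encode($keep)) === false) {
        return false;
    }
    chmod($tmp, 0600);
    return rename($tmp, $path);   // atomic replace: never a half-written cache
}

function snort_load_settings($path = SNORT_SETTINGS_CACHE)
{
    $empty = array('iface_array' => array(), 'blockoffenders' => false);
    if (!is_readable($path)) {
        return $empty;
    }
    $data = json_decode(file_get_contents($path), true);   // plain arrays, no object injection
    if (!is_array($data)) {
        return $empty;
    }
    return array(
        'iface_array'    => isset($data['iface_array']) ? (array)$data['iface_array'] : array(),
        'blockoffenders' => !empty($data['blockoffenders']),
    );
}

/* At boot $_POST is empty, so fall back to the saved settings; on a web
 * save, persist the submission first and then use it. */
function snort_effective_settings(array $post, $path = SNORT_SETTINGS_CACHE)
{
    if (!empty($post)) {
        snort_save_settings($post, $path);
    }
    return snort_load_settings($path);
}

/* Build the start line. Interface names originate in a form, so they are
 * checked against a plain interface-name pattern and shell-quoted. */
function snort_build_start(array $settings)
{
    $start = '/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c';
    foreach ($settings['iface_array'] as $if) {
        if (!preg_match('/^[a-z]+[0-9]+$/', $if)) {
            continue;   // reject anything that is not a bare interface name
        }
        $start .= ';sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i '
                . escapeshellarg($if) . ' -A full -D';
    }
    if ($settings['blockoffenders']) {
        $start .= ';sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert';
    }
    return $start;
}

/* Write the whole rc script each time: rewriting instead of appending is
 * what prevents duplicated start lines after a re-save from the web page. */
function snort_write_rc($start, $path = '/usr/local/etc/rc.d/snort.sh')
{
    $script = "#!/bin/sh\n"
            . "# generated by the snort package; do not edit\n"
            . "case \"\$1\" in\n"
            . "start)\n\t{$start}\n\t;;\n"
            . "stop)\n\t/usr/bin/killall snort2c\n\t/usr/bin/killall snort\n\t;;\n"
            . "*)\n\techo \"usage: \$0 {start|stop}\"\n\t;;\n"
            . "esac\n";
    if (file_put_contents($path, $script) === false) {
        return false;
    }
    return chmod($path, 0755);
}

/* Constructed demonstration: a web save with two interfaces and block
 * offenders checked, then a simulated boot where $_POST is empty. Temp
 * paths stand in for the real ones so this runs on any box. */
$cache = sys_get_temp_dir() . '/snort-settings.json';
snort_effective_settings(array('iface_array' => array('vr0', 'vr1'), 'blockoffenders' => 'on'), $cache);
$boot = snort_effective_settings(array(), $cache);   // startup: no form data
echo snort_build_start($boot), "\n";
snort_write_rc(snort_build_start($boot), sys_get_temp_dir() . '/snort.sh');
```

The second `snort_effective_settings()` call, with an empty array, is the boot-time case from the thread: it still yields both `snort` lines and the `snort2c` line because they come from the cache, not from the request. The settings are stored as data and read back with `json_decode`, so nothing the form submitted is ever parsed as PHP.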

                Wrote a patch to make everyone happy.

                spookycave's method works on system startup, but if you save the config from the web page you'll end up duplicating startup script data.

                
                @@ -56,2 +56,4 @@
                 		touch("/var/log/snort/alert");
                +	if(!file_exists("/usr/local/etc/snort/config.cache"))
                +		touch("/usr/local/etc/snort/config.cache");
                
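Review bot: the cache created by the two added `touch()` lines is left with the default umask, yet the second hunk fills it with a serialized copy of the whole admin form submission; set it owner-only immediately after creating it, e.g. `chmod("/usr/local/etc/snort/config.cache", 0600);`. Since the file is later `include_once`d as PHP, also think about whether a zero-byte file is the right initial state, or whether the read side should check for an empty file before including it.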
                @@ -92,2 +94,17 @@
                
                +	/* a totally empty $_POST means pfSense is restarting, if so load last $_POSTed data */
                +	if (empty($_POST)) {
                +		include_once("/usr/local/etc/snort/config.cache");
                +		if (!empty($POST)) { $_POST = unserilize($POST); }
                +	} else {
                +		/* attempt to save $_POSTed cache */
                +		if ($fp = fopen("/usr/local/etc/snort/config.cache", "w")) {
                +			$content = "+			$content .= '$POST ='.serialize($_POST)."\n";
                +			$content .= "?>\n";
                +			fwrite($fp, $content);
                +			fclose($fp);
                +		}
                +	}
                +
                 	if($_POST['iface_array']) 
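Review bot: `unserilize($POST)` on the fourth added line is misspelled (`unserialize`), so the boot-time branch will fatal on an undefined function the first time the cache is non-empty; and the write branch emits `'$POST ='.serialize($_POST)` with no quoting around the serialized string, so the generated `config.cache` is not valid PHP (`$POST =a:2:{...}`) and, because the file is then `include_once`d, any form field content lands in it as source and is executed as code. Store the submission as data instead of PHP: write `serialize($_POST)` (or JSON) with `file_put_contents`, read it back with `file_get_contents` plus `unserialize`/`json_decode`, and drop the `include_once`. The line beginning `$content = "` also appears to have lost its `<?php` opening tag in rendering, which matches the follow-up note about the patch not displaying correctly.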
                
                
MarcoP:

                  For some reason the above code does NOT correctly display \n, so I'm attaching a patch file. Sorry for so many replies, but I hope it helps the devs.

                  snort.patch.txt

© 2021 Rubicon Communications, LLC