Snort.sh not correctly being updated

spookycave

Snort does not seem to start correctly after a fresh reboot of pfsense.  I found the problem to be in the function "sync_package_snort()", located in /usr/local/pkg/snort.inc.  It appears that this function is being called too quickly after startup, such that not all interfaces are fully up yet.  It looks like the following "foreach" loop executes zero times, since no interfaces are "up" yet:

foreach($snortInterfaces as $snortIf)
  {
  $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i {$snortIf} -A full -D";
  }

Therefore, when sync_package_snort() writes the file "/usr/local/etc/rc.d/snort.sh", the "$start" variable doesn't include the line to actually start snort.  Here is the "$start" line of my snort.sh file immediately after startup:
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c

Oddly, I also checked the box to block offenders, so it appears that this line of the function doesn't work either:
/* if block offenders is checked, start snort2c */
if($_POST['blockoffenders'])
$start .= ";sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert";

As a workaround to always re-add the correct startup commands, I added this code at line 150 of /usr/local/pkg/snort.inc (obviously you'd have to substitute "vx0" for whichever interface you're running snort on):

/* added by me */   
$start = "/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i vx0 -A full -D;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert";

The other workaround is to simply go into the admin web page in Services->Snort->Settings tab and click the "Save" button.  That has always seemed to restart snort correctly for me, but it needs to be done manually every time pfsense is rebooted.

badilcan

Thanks, that worked for me.
Greetings from Turkiye.

JustinHoMi

Thanks for the helpful information! I was wondering what all was going on with the startup config….

MarcoP

Thanks for the info! Still valid with pfSense 1.2.1-RC2

MarcoP

As far I can tell it doesn't work (by default) because snort.inc looks for $_POST data.
$_POST will be filled only when submitting the admin page, if the startup script is rewritten after each server startup then it will fail since $_POST is empty.

I'm new to pfSense so forgive me if I'm wrong.

MarcoP

Wrote a patch to make everyone happy.

spookycave methods works on system startup but if you save the config from the web page you'll end up duplicating startup script data.

@@ -56,2 +56,4 @@
 		touch("/var/log/snort/alert");
+	if(!file_exists("/usr/local/etc/snort/config.cache"))
+		touch("/usr/local/etc/snort/config.cache");

@@ -92,2 +94,17 @@

+	/* a totally empty $_POST means pfSense is restarting, if so load last $_POSTed data */
+	if (empty($_POST)) {
+		include_once("/usr/local/etc/snort/config.cache");
+		if (!empty($POST)) { $_POST = unserilize($POST); }
+	} else {
+		/* attempt to save $_POSTed cache */
+		if ($fp = fopen("/usr/local/etc/snort/config.cache", "w")) {
+			$content = "+			$content .= '$POST ='.serialize($_POST)."\n";
+			$content .= "?>\n";
+			fwrite($fp, $content);
+			fclose($fp);
+		}
+	}
+
 	if($_POST['iface_array']) 

MarcoP

For some reason the above code does NOT correctly display \n so I'm attaching a patch file, sorry for so many replies but I hope it helps devs.

snort.patch.txt