Bug #1982 (closed)
Snort exits on rules update and does not restart

Added by Seb A almost 14 years ago. Updated about 13 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date: 10/28/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.0
Affected Plus Version:
Affected Architecture: All

Description

Using Snort 2.9.0.5 pkg v2.0 on pfSense 2.0: using either autoupdate of rules or a manual update of rules, if Snort is already running, the result is that Snort stops. This issue is affecting a lot of people, see http://forum.pfsense.org/index.php/topic,41533.30.html. The only work-around I know of is to disable automatic update of rules, which is highly undesirable. For reference, I am currently using the Snort rules and the Emerging Threats rules.

A very edited log of the rules update:

The start:

Oct 21 12:04:52 pfSense2 SnortStartup[1831]: Snort Startup files Sync...
Oct 21 12:04:53 pfSense2 SnortStartup[4228]: Snort already running, soft restart
Oct 21 12:04:53 pfSense2 SnortStartup[4345]: Snort Soft Reload For 39540_em4...
Oct 21 12:04:53 pfSense2 snort[20183]:
Oct 21 12:04:53 pfSense2 snort[20183]:
Oct 21 12:04:53 pfSense2 snort[20183]: --== Reloading Snort ==--
Oct 21 12:04:53 pfSense2 snort[20183]: --== Reloading Snort ==--

<edit>
And the end:

Oct 21 12:04:56 pfSense2 snort[20183]: +---------------------[filtered events]-------------------
Oct 21 12:04:56 pfSense2 snort[20183]: +---------------------[filtered events]-------------------
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2002911 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2002911 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2001219 type=Threshold tracking=sr
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1 sig-id=2001219 type=Threshold tracking=sr
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting

Nothing too obvious there. It just exits for no apparent reason. BUT, let's:

[root@cenrallog pfSense2]# grep Reload snort.log
Oct 28 19:16:43 pfSense2 snort[57972]: --== Reloading Snort ==--
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
[root@cenrallog pfSense2]#
[root@cenrallog pfSense2]# grep Reload messages.log
Oct 28 19:16:43 pfSense2 SnortStartup[55009]: Snort Soft Reload For 39540_em4...

OK, so it seems we are doing a soft reload, that looks like a HUP, and we may have a warning about that. Let's look in a little more detail:

[root@cenrallog pfSense2]# grep -C 5 "Reload via Signal HUP" snort.log
Oct 28 19:16:43 pfSense2 snort[57972]:
Oct 28 19:16:43 pfSense2 snort[57972]: Detection:
Oct 28 19:16:43 pfSense2 snort[57972]: Search-Method = AC-BNFA-Q
Oct 28 19:16:44 pfSense2 snort[57972]: Found pid path directive (/var/log/snort/run)
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
Oct 28 19:16:45 pfSense2 snort[57972]: ===============================================================================
Oct 28 19:16:45 pfSense2 snort[57972]: Packet I/O Totals:
Oct 28 19:16:45 pfSense2 snort[57972]: Received: 2872854
Oct 28 19:16:45 pfSense2 snort[57972]: Analyzed: 2872848 (100.000%)
Oct 28 19:16:45 pfSense2 snort[57972]: Dropped: 0 ( 0.000%)

I have tested:
kill -HUP <snort pid>
logged in as root from an ssh shell, and that works fine (although there were no rule changes when I tried it), so maybe the HUP is not coming from root, or it's chroot'ed?

FYI, my HUP resulted in this, combined with a:
grep Reload snort.log
on my central log server. snort.log is just the snort process separated from the rest of the syslog messages.
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread starting...
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread started, thread 0x425e1d80 (4097)
Oct 28 19:27:23 pfSense2 snort[4097]: --== Reloading Snort ==--
Oct 28 19:28:18 pfSense2 snort[4097]: --== Reload Complete ==--

So this is presumably what SHOULD happen if one does a snort rules update with snort already running.
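The checks in the report are manual greps; the script below is an added example (not from the bug report or the pfSense package) that classifies the outcome of the most recent soft reload from the syslog messages quoted above, so a cron job or watchdog can tell a completed HUP reload apart from one that Snort refused. The log file path and the sample lines are constructed for this example; only the message texts come from the report.

```shell
#!/bin/sh
# Added example: judge the last Snort soft reload from its syslog lines.
# Message texts are those quoted in the bug report; sample logs below are
# constructed, not copied from a live system.

# Usage: snort_reload_status /path/to/snort.log
# Prints one of: complete | needs_restart | exited | pending | none
snort_reload_status() {
    logfile="$1"
    # No reload banner at all: nothing to judge.
    grep -q -- '--== Reloading Snort ==--' "$logfile" || { echo none; return 0; }
    # Keep only the lines from the most recent reload banner onward.
    segment=$(awk '/--== Reloading Snort ==--/ { buf = "" }
                   { buf = buf $0 "\n" }
                   END { printf "%s", buf }' "$logfile")
    case "$segment" in
        # HUP refused (not root / chroot) or a restart demanded: the running
        # rule set is stale even when the process survives, so restart fully.
        *"requires a restart"*|*"Reload via Signal HUP does not work"*) echo needs_restart ;;
        *"Reload Complete"*) echo complete ;;
        *"Snort exiting"*) echo exited ;;
        *) echo pending ;;
    esac
}

# Constructed sample: the failing reload seen in the report.
BAD_LOG=$(mktemp)
cat > "$BAD_LOG" <<'EOF'
Oct 28 19:16:43 pfSense2 snort[57972]: --== Reloading Snort ==--
Oct 28 19:16:44 pfSense2 snort[57972]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
Oct 28 19:16:44 pfSense2 snort[57972]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
Oct 28 19:16:45 pfSense2 snort[57972]: Snort exiting
EOF

# Constructed sample: the manual root HUP that worked.
GOOD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<'EOF'
Oct 28 19:26:29 pfSense2 snort[4097]: Reload thread starting...
Oct 28 19:27:23 pfSense2 snort[4097]: --== Reloading Snort ==--
Oct 28 19:28:18 pfSense2 snort[4097]: --== Reload Complete ==--
EOF

echo "bad log:  $(snort_reload_status "$BAD_LOG")"   # needs_restart
echo "good log: $(snort_reload_status "$GOOD_LOG")"  # complete
```

Because the buffer is reset at every "Reloading Snort" banner, an earlier failed reload followed by a later successful one is reported as complete.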
