Bug #9789
closed
snort process stays active after deleting interface
0%
Description
after deleting interface on Interfaces / Interface Assignments page,
snort process stays active and you can't disable it on Services / Snort / Interfaces
you also can't kill it by restarting snort service
the only way to kill process is "kill" command in command prompt
snort 4.0_6
2.5.0-DEVELOPMENT (amd64)
built on Mon Sep 23 18:02:21 EDT 2019
FreeBSD 12.0-RELEASE-p10
Updated by Viktor Gurov over 4 years ago
perhaps the same behavior with barnyard2
Updated by Bill Meeks over 4 years ago
This behavior will impact Barnyard2 and also Suricata (and Barnyard2 in a Suricata setup).
This behavior is also going to be present in all prior versions of pfSense, including the current RELEASE branch.
Updated by Bill Meeks over 4 years ago
Corresponded with Jim Pingle about this issue. There is no elegant or simple way for notifying a running package (An IDS package in this case) that an interface is being removed or unassigned within the pfSense GUI. It is probably better to expect the user to understand the potential ramifications of removing or unassigning an interface that may also be in active use by a package.
I will alter the package GUI code to detect when an assigned pfSense interface is "missing" and take appropriate action such as disabling the interface in the IDS GUI and not starting that interface on subsequent package start commands. The user will be notified within the GUI (on both the INTERFACES and INTERFACE SETTINGS tabs) using visual clues that a formerly assigned IDS interface is now not present in pfSense. The user will have the ability to either delete the IDS interface instance completely, or reassign it to a new existing pfSense interface.
Updated by Bill Meeks over 4 years ago
This issue can be marked as RESOLVED. Pull request 678 has been submitted to teh pfSense-2.5-DEVEL branch here: https://github.com/pfsense/FreeBSD-ports/pull/678.
The Snort GUI now recognizes when the pfSense physical interface that had been assigned to a configured Snort instance is missing. It will no longer generate a configuration directory for the missing interface nor will it attempt to start Snort on that interface. The Snort instance will show in the GUI on the INTERFACES tab as "disabled", and the user has the ability to either delete that Snort configuration instance or assign it to a different existing physical interface.
There is still the possibility that if the physical interface is deleted in the pfSense GUI while an active Snort instance is running on that interface, the user will be left with a zombie Snort process. The only way to stop that process would be using the kill command via a CLI session. There is no existing elegant method by which pfSense can notify a running package process daemon that an interface change is happening.
Updated by