Netgate Discussion Forum

Snort not working for me (again)

pfSense Packages
  • P
    PC_Arcade
    last edited by Jan 21, 2007, 10:40 AM Jan 21, 2007, 10:25 AM

    Since installing 1.0.1-SNAPSHOT-01-19-2007 - I've stopped getting any alerts from snort.

    I'm guessing it's to do with this message:

    ```
    snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
    ```

    (where xx.x.xxx.xxx is my external IP)

    Why am I getting the message and how do I make snort alert me to intrusions again?
    • Y
      yoda715
      last edited by Jan 21, 2007, 11:13 PM

      Try reinstalling snort.

      • P
        PC_Arcade
        last edited by Jan 22, 2007, 7:08 AM

        @sdale:

        Try reinstalling snort.

        I have, numerous times - Unfortunately it's still doing exactly the same :(

        • Y
          yoda715
          last edited by Jan 22, 2007, 7:42 AM Jan 22, 2007, 7:38 AM

          Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

          @PC_Arcade:

          snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
          

          I think the problem is with the ,/32, entry. There should be an IP address before that /32, and there is not.

          • P
            PC_Arcade
            last edited by Jan 22, 2007, 8:14 AM

            @sdale:

            Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

            @PC_Arcade:

            snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
            

            I think the problem is with the ,/32, entry. There should be an IP address before that /32, and there is not.

            There was nothing in my whitelist (I don't want to whitelist anything until I'm sure snort is working), it looks as though that's not the IP it was looking for as after adding an IP to whitelist I get this:

            ```
            snort[52956]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,192.168.1.100/24,]
            ```

            As you can see it's added the whitelisted IP to the end (192.168.1.100). What is the second address and where do I change it so snort can pick it up?
            • Y
              yoda715
              last edited by Jan 22, 2007, 8:29 AM

              1. Enable ssh under General>Advanced
              2. Download the program WinSCP
                a. SSH into your LAN IP using WinSCP with the protocol set to SFTP (allow SCP fallback). 
              3. Browse to the location /usr/local/etc/snort
              4. Copy the file snort.conf to a local directory on your PC. Make sure to make a backup of this file before editing it.
              5. Open snort.conf using a text editor. Look for the line var HOME_NET …...  it should be near the top.

              These IP addresses listed are the IP addresses of all your interfaces plus any whitelist IPs you might have.

              So basically if you have a WAN and LAN interface, that line should look something like

              var HOME_NET [public WAN IP, LAN IP]

              I think you need to remove those entries that do not have an IP before the netmask.

              1 Reply Last reply Reply Quote 0
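One way to check a copied snort.conf for the malformed HOME_NET entries discussed above before putting the file back (an added example, not part of the original posts or of the pfSense Snort package). The function names are hypothetical, and the sample line is constructed to mirror the list in the error message, with the documentation address 203.0.113.7 standing in for the WAN IP.

```python
import ipaddress
import re

# Matches the bracketed 'var HOME_NET [...]' line the thread describes.
HOME_NET_RE = re.compile(r"^\s*var\s+HOME_NET\s+\[(?P<body>[^\]]*)\]\s*$")

def split_entries(line):
    """Return the raw comma-separated entries of a HOME_NET line."""
    m = HOME_NET_RE.match(line)
    if m is None:
        raise ValueError("not a bracketed 'var HOME_NET [...]' line")
    return [e.strip() for e in m.group("body").split(",")]

def check_entry(entry):
    """Return None if the entry is a usable address/CIDR, else a reason."""
    if entry == "":
        return "empty entry"
    if entry.startswith("/"):
        return "netmask with no address"
    try:
        # strict=False accepts host bits, e.g. 192.168.1.100/24
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IPv4/IPv6 address or CIDR"
    return None

def audit_home_net(line):
    """List (position, entry, reason) for every unusable entry."""
    return [(i, e, r) for i, e in enumerate(split_entries(line))
            if (r := check_entry(e)) is not None]

def cleaned_home_net(line):
    """Rebuild the line with only the usable entries."""
    good = [e for e in split_entries(line) if check_entry(e) is None]
    return "var HOME_NET [" + ",".join(good) + "]"

# Constructed sample (assumption): same shape as the list in the error above.
SAMPLE = ("var HOME_NET [192.168.1.0/24,/32,203.0.113.7,"
          "192.168.1.2,,192.168.1.100/24,]")

if __name__ == "__main__":
    for pos, entry, reason in audit_home_net(SAMPLE):
        print(f"entry {pos}: {entry!r}: {reason}")
    print(cleaned_home_net(SAMPLE))
```
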
              • P
                PC_Arcade
                last edited by Jan 22, 2007, 8:34 AM

                Aah, could it be that my wireless (opt1) interface is bridged with my LAN and snort isn't recognising that?

                • Y
                  yoda715
                  last edited by Jan 22, 2007, 8:35 AM

                  Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.

                  • P
                    PC_Arcade
                    last edited by Jan 22, 2007, 8:52 AM

                    @sdale:

                    Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.

                    Yeah, I know and SNORT is / was only set to the one interface, I've tried pretty much everything bar changing the conf file (which given all the vnc messing about I'm not keen to do).

                    I just thought that the missing IP could have come from that interface - god only knows though :(

                    I'll keep playing and see if I can fix it (which is hard as I don't know what I'm looking for!)  ;D

                    • Y
                      yoda715
                      last edited by Jan 22, 2007, 8:55 AM

                      Can you describe any changes that you made prior and up to you noticing that snort stopped working? I will see if I can duplicate.

                      • P
                        PC_Arcade
                        last edited by Jan 22, 2007, 9:02 AM

                        None, I just started using the latest snapshot, I re-installed from scratch as well as something in my old xml backup caused pfsense to not boot :(

                        I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)

                        • Y
                          yoda715
                          last edited by Jan 22, 2007, 9:15 AM

                          @PC_Arcade:

                          I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)

                          Are you referring to DHCP on the WAN interface?

                          • P
                            PC_Arcade
                            last edited by Jan 22, 2007, 9:17 AM

                            @sdale:

                            @PC_Arcade:

                            I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)

                            Are you referring to DHCP on the WAN interface?

                            Sorry, I should have been clearer. Yes, DHCP on the WAN interface, the Static box on the WAN interface is the only occurrence of /32 that I can find

                            • Y
                              yoda715
                              last edited by Jan 22, 2007, 9:19 AM

                              Hmm. That shouldn't have any problems. I am using DHCP on the WAN interface and it enters the correct WAN IP for me.

                              • P
                                PC_Arcade
                                last edited by Jan 22, 2007, 9:22 AM

                                I wouldn't read anything into it, I'm clutching at straws  ;D

                                • Y
                                  yoda715
                                  last edited by Jan 22, 2007, 10:02 AM

                                  No clue. I will update to the latest snapshot later and see if I have any troubles. I'm running 12-19 snapshot right now with no problems.

                                  • P
                                    PC_Arcade
                                    last edited by Jan 22, 2007, 10:21 AM

                                    Thanks sdale, your help is much appreciated

                                    • Y
                                      yoda715
                                      last edited by Jan 22, 2007, 9:22 PM Jan 22, 2007, 9:02 PM

                                      I updated to the 1-19 snapshot and snort is running properly for me. Not sure what could be your problem. ???

                                      • ?
                                        Guest
                                        last edited by Jan 22, 2007, 9:48 PM

                                        Any chance you're trying to run snort on multiple interfaces?

                                        • P
                                          PC_Arcade
                                          last edited by Jan 23, 2007, 6:55 AM

                                          @submicron:

                                          Any chance you're trying to run snort on multiple interfaces?

                                          None whatsoever :(

                                          Weird, I'll stop using it again then.
