Netgate Discussion Forum

Snort not working anymore

    PC_Arcade
    last edited by Feb 28, 2007, 8:25 AM

    Snort seems to have stopped working properly, it gives me this in the log:

    snort[11868]: FATAL ERROR: /usr/local/etc/snort/snort.conf(71) => Invalid ip_list to 'ignore_scanners' option

    Any ideas?

    (I've reinstalled and I still get the same error)

      hoba
      last edited by Feb 28, 2007, 1:23 PM

      Try uninstalling/reinstalling the package. There have been some fixes a few days ago.

        PC_Arcade
        last edited by Feb 28, 2007, 1:46 PM

        @PC_Arcade:

        (I've reinstalled and I still get the same error)

        Yep, done that

          yoda715
          last edited by Mar 1, 2007, 12:00 PM

          Sounds like your whitelist might have been goofed up somehow. Try removing all Whitelist entries, and then try to start snort again. If it works then it must be a whitelist entry you had.

            PC_Arcade
            last edited by Mar 1, 2007, 1:19 PM Mar 1, 2007, 12:52 PM

            I have no whitelist and I've unticked Whitelist VPNs automatically.

            Still got exactly the same problem  ???

            I've also completely uninstalled and reinstalled, deleted snort.conf and reinstalled the xml. I have no idea now as to what else it could be

              Palmore
              last edited by Mar 6, 2007, 11:56 PM

              I ran into the same issue. At first the webGui would show Snort in a running state, yet dropping to a shell and running top didn't show the snort process running =/

              Wasn't sure if I was missing something 'cause I'm kinda new to *nix and FreeBSD.

              I did a search for the Invalid ip_list to 'ignore_scanners' tag, and found one link on Snort's webpage, but no answers, so at least I figured it's not an issue with pfSense.

              If you open up the file in question

              /usr/local/etc/snort/snort.conf

              and go to line 71, you'll see the line in question, where snort fails to load:

              ignore_scanners { $HOME_NET }

              Now go back to the top of the file, and look for the variable $HOME_NET.

              You'll see a list of IPs and subnets that are part of your home network, thus whitelisted by default via snort (I'm assuming… lol)

              i.e.

              var HOME_NET [10.0.1.0/24,192.168.0.1]

              I found I had ,/32 in a field with no IP range before it. I removed that, and restarted snort… now I can see it's running and no errors in the system logs.

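A pre-start check for the failure diagnosed in the post above, as an added example that is not part of the original thread or of the pfSense Snort package: it validates each entry of the HOME_NET list and reports entries such as `/32` that carry a prefix length but no address. The sample config is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample reproducing the thread's symptom: HOME_NET contains an
# entry with a prefix length but no address (",/32").
SAMPLE_CONF = """\
var HOME_NET [10.0.1.0/24,192.168.0.1,/32]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: proto { all } \\
                ignore_scanners { $HOME_NET }
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def check_entry(entry):
    """Return None if the list entry is acceptable, else a reason string."""
    item = entry.strip().lstrip("!")          # '!' negates an entry
    if item == "any" or item.startswith("$"):
        return None                           # keyword or variable reference
    if not item.split("/")[0]:
        return "entry has no IP address"
    try:
        ipaddress.ip_network(item, strict=False)
    except ValueError as exc:
        return str(exc)
    return None


def find_bad_ip_entries(conf_text, names=("HOME_NET",)):
    """Return (line_no, var_name, entry, reason) for each invalid entry."""
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = VAR_RE.match(line.split("#", 1)[0])   # ignore comments
        if not match or match.group(1) not in names:
            continue
        name, value = match.groups()
        for entry in value.strip("[]").split(","):
            reason = check_entry(entry)
            if reason:
                problems.append((line_no, name, entry.strip(), reason))
    return problems


if __name__ == "__main__":
    for line_no, name, entry, reason in find_bad_ip_entries(SAMPLE_CONF):
        print(f"snort.conf({line_no}): {name} entry {entry!r}: {reason}")
```

Running the same check after every settings change in the GUI catches a regenerated snort.conf before Snort is restarted against it.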
                Palmore
                last edited by Mar 7, 2007, 12:30 AM

                It looks like any time there is a config change to the snort settings in pfSense it rewrites the snort.conf and puts in ,/32. I just keep changing it to show 10.0.1.2/32 for its local IP and starting snort and it runs.

                I'm running 1.0.1-SNAPSHOT-02-27-2007, and snort package 2.6.1.3_2

                  Palmore
                  last edited by Mar 7, 2007, 2:56 AM

                  It also looks like the white list is not working correctly.

                  IPs I've white listed do show up in the HOME_NET variable of snort.conf, but I get my external DNS servers and my second external adapter blacklisted while snort is running.

                  pfSense is plugged into a hub that splits the connection from my cable modem and goes to pfSense, and my wifi router/dmz.

                  I keep seeing snort alerts for

                  (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
                  03/06-21:50:51.235361 [removed for privacy] -> [removed for privacy]
                  ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF 
                  Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE 
                  ** ORIGINAL DATAGRAM DUMP:

                  Then it will blacklist those IPs (even though they are whitelisted).

                    yoda715
                    last edited by Mar 7, 2007, 3:17 AM

                    Hmm. Odd. I'll investigate, but so far I haven't seen that issue.

                      Palmore
                      last edited by Mar 7, 2007, 4:06 PM

                      Yeah, Issue #1 is the main problem I've been having, next would be Issue #1 whitelisted machines getting blocked.

                      Issue #1

                      Each change or update to the config modifies snort.conf and ,/32 is added to the HOME_NET variable, then snort fails to start. Manual modification to change it to reflect the host's IP is required (i.e. 10.0.1.2/32), then a restart of snort.

                      Issue #2

                      Snort is blacklisting whitelisted IPs (namely my DNS servers and an additional server in my DMZ).

                      This may be something I have to work out on my own, but as stated my setup is

                                                WiFi Router (external IP #1)
                      Cable Modem ------ Hub ---<
                                                pfSense/Snort (external IP #2)

                      Snort picks up traffic between the WiFi router (ext IP #1) and things like my DNS servers. This is where I get the error

                      (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
                      03/06-21:50:51.235361 [External IP #1] -> [DNS server]
                      ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF
                      Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
                      ** ORIGINAL DATAGRAM DUMP:

                      Should I just add an additional NIC to pfSense, and rather than go inet,hub,split.. go Inet-> pfSense… thus bridging WAN to OPT1 and OPT2 on pfSense, and plug in my WiFi router into OPT2, giving it full * access... (I don't wanna block anything for WiFi, I want full open access.) Only thing is, snort will still function on that network as I'm listening on WAN...

                      Could I listen on OPT1 instead? Or would snort still function?

                                                 [snort] OPT1 - Internal network
                      I.e.  inet -> pfsense WAN <
                                                 OPT2 - DMZ WiFi

                      Or would that work?

                      Rather than

                                       OPT1 - Internal network
                      inet WAN [snort] <
                                       OPT2 - WiFi DMZ
