Snort "FATAL ERROR" when "Portscan Detection" is enabled
-
Hi,
I'm using Pfsense 1.2.3 and Snort 2.8.6.
When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
"System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."
When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf", snort starts successfully.
When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.
Any suggestion for a permanent work-around?
Thanks
Antonios
-
Can you post line 204 in your snort.conf? "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"
Robert
-
Line 204: ignore_scanners { $HOME_NET }
Line 41: var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
Deleting link#1 from this last line and starting snort manually solves the problem temporarily.
Thanks
Antonios
-
How many interfaces do you have, and what are their names?
Trying to figure out where #link1 is from.
Robert
-
I'm using two interfaces; em0 (WAN - 192.168.56.101) and em1 (LAN - 172.16.1.30). It's a VirtualBox Image actually where I installed pfsense + snort to test it.
#link1 reminds me of IPv6, or am I mistaken?
-
I don't have ipv6. I guess since 2.0 uses ipv6 now, I have to code around this issue.
I'll look into it after work today.
Robert
-
2.0 doesn't have ipv6 in it yet, but there is a popular addon (see the ipv6 board) that adds the work-in-progress ipv6 code. Anyone running that branch should be prepared for their own breakage. :-)
-
As I said at the beginning, I'm using pfsense 1.2.3.
Moreover, I haven't enabled IPv6 on purpose, but checking using ifconfig, IPv6 IS enabled by default.
Hope that helps
Antonios
PS My argument that link#1 is due to IPv6 is just a guess (it rings a bell). I don't want to mislead you.
-
I tested this issue in pfsense 2.0RC1 and it works! I don't get any error. It seems that the problem is only in 1.2.3
Regards
Antonios
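
A pre-start check for the failure discussed in this thread, as an added example that is not part of any post or of the pfSense Snort package: it expands the variables referenced by ignore_scanners and reports every entry that is not an IP address, with the variable it came from. The acceptance rule in is_ip_entry is an assumption that approximates Snort's ip_list parsing, the function names are hypothetical, and the sample input is constructed from the two snort.conf lines quoted above.

```python
import ipaddress
import re

# Constructed sample: the two snort.conf lines quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
ignore_scanners { $HOME_NET }
"""
VAR_RE = re.compile(r"^\s*(?:ip)?var\s+(\w+)\s+(.+)$")
OPT_RE = re.compile(r"ignore_scanners\s*\{([^}]*)\}")

def tokens(text):
    """Split '[a,b,[c]]' or 'a b' into individual entries."""
    return [t for t in re.split(r"[\[\],\s]+", text) if t]

def is_ip_entry(token):
    """Assumed rule: 'any', or an address/CIDR block, optionally negated."""
    token = token.lstrip("!")
    if token != "any":
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return True

def check_ignore_scanners(conf_text):
    """Return (option_line, origin, entry) for each entry that is not an IP."""
    variables, findings = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        var = VAR_RE.match(line)
        if var:
            variables[var.group(1)] = tokens(var.group(2))
            continue
        opt = OPT_RE.search(line)
        # Work items are (entry, origin); $NAME references get expanded once.
        todo = [(t, "inline") for t in tokens(opt.group(1))] if opt else []
        seen = set()
        while todo:
            entry, origin = todo.pop(0)
            name = entry.lstrip("!")[1:]
            if entry.lstrip("!").startswith("$") and name in variables:
                if name not in seen:
                    seen.add(name)
                    todo += [(t, name) for t in variables[name]]
            elif not is_ip_entry(entry):
                findings.append((lineno, origin, entry))
    return findings
```

Running check_ignore_scanners over the text of the generated snort.conf before starting Snort returns an empty list when every entry is acceptable, and otherwise names the variable that carries the bad token.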