Netgate Discussion Forum

Snort 2.9.2.3 pkg v. 2.5.0 Issues

pfSense Packages
    RonpfS
    last edited by Jan 26, 2013, 5:48 PM Jan 26, 2013, 6:31 AM

    Once again Snort blocked the renewed WAN IP while it was restarting.

    The block happened at 2013-01-26 00:52:58

    So fxp0 goes DOWN, and UP.
    Snort starts.
    A new IP is acquired before Snort finishes. At some point the WAN IP is triggering a block.
    Have to go to the Web Interface to remove the block.

    Probably in real life, the WAN IP being blocked would trigger a WAN IP down and a reconnect after a while so things might fall back to normal without user intervention.

    
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization failed
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: parameter negotiation failed
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #33
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] rec'd proto PAP during terminate phase
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Request #16 (Stopping)
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateAck #34
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Ack #33 (Stopping)
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
    2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5 in 1 seconds
    2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf: 00:00:13.500188 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19195, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 85.159.232.71.16559: Flags [R.], cksum 0xdbf7 (correct), seq 4, ack 1, win 0, length 0
    2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf: 00:00:00.711106 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19199, offset 0, flags [DF], proto TCP (6), length 1462)
    2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
    2013-01-26 00:48:55	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5
    2013-01-26 00:48:55	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:48:58	Local0.Info	172.24.42.254	pf: 00:00:03.656082 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19224, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:48:58	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 69.200.231.126.54005: Flags [R.], cksum 0x6dcd (correct), seq 4, ack 1, win 0, length 0
    2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 6 in 4 seconds
    2013-01-26 00:49:05	Local0.Info	172.24.42.254	pf: 00:00:07.367220 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19321, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:49:05	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 175.136.38.76.57162: Flags [R.], cksum 0xde42 (correct), seq 4, ack 1, win 0, length 0
    2013-01-26 00:49:06	Local0.Info	172.24.42.254	pf: 00:00:00.414099 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19327, offset 0, flags [DF], proto TCP (6), length 58)
    2013-01-26 00:49:06	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [P.], cksum 0x4716 (correct), ack 1, win 258, length 18
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 6
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #35
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 508b1152
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #119 (Req-Sent)
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 7e193a28
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #119
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 7e193a28
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #35 (Ack-Sent)
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 508b1152
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:49:09	Local0.Info	172.24.42.254	pf: 00:00:03.593613 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19353, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:49:09	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 46.116.44.44.63832: Flags [R.], cksum 0x00e4 (correct), seq 4, ack 1, win 0, length 0
    2013-01-26 00:49:11	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:11	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
    2013-01-26 00:49:13	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:13	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
    2013-01-26 00:49:13	Local0.Info	172.24.42.254	pf: 00:00:03.614018 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 11881, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:49:13	Local0.Info	172.24.42.254	pf:     172.24.48.84.58311 > 199.16.156.104.80: Flags [R.], cksum 0x87e3 (correct), seq 1, ack 1, win 0, length 0
    2013-01-26 00:49:15	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:15	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
    2013-01-26 00:49:17	Auth.Emerg	172.24.42.254	php: /index.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
    2013-01-26 00:49:17	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:17	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
    2013-01-26 00:49:27	Local0.Info	172.24.42.254	pf: 00:00:14.515424 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19543, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:49:27	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [F.], cksum 0x6825 (correct), seq 18, ack 1, win 258, length 0
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: Multi-link PPP daemon for FreeBSD
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp:
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: process 15018 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 10:25 12-Oct-2011)
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: waiting for process 318 to die...
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: caught fatal signal term
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Close event
    2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Close event
    2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Shutdown
    2013-01-26 00:49:31	Daemon.Notice	172.24.42.254	snort[20356]: Can't acquire (-1) - The interface went down!
    2013-01-26 00:49:31	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode disabled
    2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Shutdown
    2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: process 318 terminated
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: last message repeated 2 times
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: web: web is not running
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Interface ng0 created
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: OPEN event
    2013-01-26 00:49:32	Kernel.Info	172.24.42.254	kernel: ng0: changing name to 'pppoe1'
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Open event
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Initial --> Starting
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
    2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:49:32	Daemon.Notice	172.24.42.254	snort[20356]: ===============================================================================
    2013-01-26 00:49:32	Daemon.Notice	172.24.42.254	snort[20356]: Packet I/O Totals:
    
    ...
    
    2013-01-26 00:49:33	Daemon.Notice	172.24.42.254	snort[20356]: Snort exiting
    2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1 in 3 seconds
    2013-01-26 00:49:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1
    2013-01-26 00:49:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    ...
    
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #1
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM b58c9236
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #49 (Req-Sent)
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 0938ff39
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #49
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 0938ff39
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM b58c9236
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:49:52	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:52	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
    2013-01-26 00:49:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
    2013-01-26 00:49:54	Local0.Info	172.24.42.254	pf: 00:00:26.839787 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 1462)
    2013-01-26 00:49:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
    2013-01-26 00:49:56	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:56	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
    2013-01-26 00:49:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:49:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
    2013-01-26 00:50:00	Cron.Info	172.24.42.254	/usr/sbin/cron[60577]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
    2013-01-26 00:50:06	Local0.Info	172.24.42.254	pf: 00:00:11.449275 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19990, offset 0, flags [DF], proto TCP (6), length 58)
    2013-01-26 00:50:06	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [FP.], cksum 0x4715 (correct), seq 0:18, ack 1, win 258, length 18
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization timer expired
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization failed
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: parameter negotiation failed
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #2
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Ack #2 (Stopping)
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
    2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2 in 4 seconds
    2013-01-26 00:50:34	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2
    2013-01-26 00:50:34	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 3 in 1 seconds
    2013-01-26 00:50:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 3
    2013-01-26 00:50:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 4 in 1 seconds
    2013-01-26 00:50:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 4
    2013-01-26 00:50:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5 in 2 seconds
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #3
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #124 (Req-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #124
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #3 (Ack-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #4
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #1
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Ack-Sent
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: rec'd ACK #1 len: 5
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization successful
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Join bundle "wan"
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Open event
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Initial --> Starting
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerStart
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Up event
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Starting --> Req-Sent
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #1
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Request #0 (Req-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.249.0.3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]     10.249.0.3 is OK
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigAck #0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.249.0.3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #2
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]     50.21.131.246 is OK
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Ack-Sent --> Opened
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerUp
    2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   50.21.131.246 -> 10.249.0.3
    2013-01-26 00:51:07	Local0.Info	172.24.42.254	pf: 00:01:00.004327 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20475, offset 0, flags [DF], proto TCP (6), length 40)
    2013-01-26 00:51:07	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [R.], cksum 0x6923 (correct), seq 19, ack 1, win 0, length 0
    2013-01-26 00:51:07	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
    2013-01-26 00:51:08	User.Notice	172.24.42.254	check_reload_status: rc.newwanip starting pppoe1
    2013-01-26 00:51:08	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Up event
    2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : rc.newwanip: Informational is starting pppoe1.
    2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : rc.newwanip: on (IP address: 50.21.131.246) (interface: wan) (real interface: pppoe1).
    2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : ROUTING: setting default route to 10.249.0.3
    2013-01-26 00:51:13	User.Error	172.24.42.254	apinger: Exiting on signal 15.
    2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
    2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 24.226.147.201#53
    2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 10.249.0.3#53
    2013-01-26 00:51:13	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
    2013-01-26 00:51:13	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
    2013-01-26 00:51:13	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to DOWN
    2013-01-26 00:51:14	User.Notice	172.24.42.254	check_reload_status: Reloading filter
    2013-01-26 00:51:14	User.Error	172.24.42.254	apinger: Starting Alarm Pinger, apinger(34208)
    2013-01-26 00:51:19	User.Warning	172.24.42.254	php: : Resyncing OpenVPN instances for interface WAN.
    2013-01-26 00:51:19	User.Warning	172.24.42.254	php: : Creating rrd update script
    2013-01-26 00:51:20	Daemon.Info	172.24.42.254	ntpd[21789]: Terminating
    2013-01-26 00:51:20	User.Warning	172.24.42.254	php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 20534: No such process'
    2013-01-26 00:51:24	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.3)  *** down ***
    2013-01-26 00:51:34	User.Notice	172.24.42.254	check_reload_status: Reloading filter
    2013-01-26 00:51:35	User.Warning	172.24.42.254	php: : OpenNTPD is starting up.
    2013-01-26 00:51:35	User.Warning	172.24.42.254	php: : pfSense package system has detected an ip change 50.21.133.25 ->   ... Restarting packages.
    2013-01-26 00:51:35	User.Notice	172.24.42.254	check_reload_status: Starting packages
    2013-01-26 00:51:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 1 echo request(s)
    2013-01-26 00:51:40	User.Warning	172.24.42.254	php: : Restarting/Starting all packages.
    2013-01-26 00:51:48	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 2 echo request(s)
    2013-01-26 00:51:50	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
    2013-01-26 00:51:50	User.Notice	172.24.42.254	check_reload_status: Reloading filter
    2013-01-26 00:51:50	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
    2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
    2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Reloading filter
    2013-01-26 00:51:51	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
    2013-01-26 00:51:51	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
    2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
    2013-01-26 00:51:51	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to UP
    2013-01-26 00:51:52	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
    2013-01-26 00:51:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 3 echo request(s)
    2013-01-26 00:52:07	Daemon.Info	172.24.42.254	SnortStartup[27729]: Snort STOP For Wan Snort(18203_pppoe1)...
    2013-01-26 00:52:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 4 echo request(s)
    2013-01-26 00:52:09	Daemon.Info	172.24.42.254	SnortStartup[29350]: Snort STOP For Lan(53096_bridge0)...
    2013-01-26 00:52:09	Cron.Info	172.24.42.254	/usr/sbin/cron[30517]: (CRON) DEATH (cron already running, pid: 35579)
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Found pid path directive (/var/run)
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Running in IDS mode
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]:
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]:         --== Initializing Snort ==--
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Output Plugins!
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Preprocessors!
    2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Plug-ins!
    
    ...
    
    2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Gzip Decompress Depth: 65535
    2013-01-26 00:52:10	Daemon.Error	172.24.42.254	snort[21578]: *** Caught Term-Signal
    2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:     DEFAULT SERVER CONFIG:
    2013-01-26 00:52:10	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode disabled
    2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Server profile: All
    2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Ports (PAF): 80 901 3128 8080 9000
    2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Server Flow Depth: 300
    
    ...
    
    2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]:         Server seg reassembled: 0
    2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]: ===============================================================================
    2013-01-26 00:52:11	Daemon.Error	172.24.42.254	snort[21578]: Could not remove pid file /var/run/snort_bridge053096.pid: No such file or directory
    2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]: Snort exiting
    2013-01-26 00:52:14	User.Error	172.24.42.254	apinger: Error while feeding rrdtool: Broken pipe
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 5 echo request(s)
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: peer not responding to echo requests
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Leave bundle "wan"
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Close event
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Opened --> Closing
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendTerminateReq #4
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerDown
    2013-01-26 00:52:18	User.Notice	172.24.42.254	ppp-linkdown: Removing states from 50.21.131.246/32
    2013-01-26 00:52:18	User.Notice	172.24.42.254	ppp-linkdown: Removing states to 10.249.0.3
    2013-01-26 00:52:18	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Down event
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Down event
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerFinish
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: No NCPs left. Closing links...
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Closing --> Initial
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #5
    2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
    2013-01-26 00:52:20	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
    
    2013-01-26 00:52:20	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to DOWN
    2013-01-26 00:52:20	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #6
    2013-01-26 00:52:21	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
    2013-01-26 00:52:21	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to UP
    
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
    2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1 in 2 seconds
    2013-01-26 00:52:24	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1
    2013-01-26 00:52:24	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:52:26	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
    2013-01-26 00:52:26	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 12108 Snort rules read
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     11703 detection rules
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     142 decoder rules
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     263 preprocessor rules
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 12108 Option Chains linked into 1615 Chain Headers
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 0 Dynamic rules
    2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    
    ...
    
    2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
    2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: WARNING: flowbits key 'file.cws' is checked but not ever set.
    2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: 110 out of 1024 flowbits in use.
    2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
    2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
    2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
    2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2 in 2 seconds
    2013-01-26 00:52:35	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2
    2013-01-26 00:52:35	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]:
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Port Based Pattern Matching Memory ]
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: +-[AC-BNFA Search Info Summary]------------------------------
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Instances        : 638
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Patterns         : 58364
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Pattern Chars    : 678018
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Num States       : 461596
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Num Match States : 51355
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Memory           :   10.77Mbytes
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Patterns       :   1.98M
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Match Lists    :   2.79M
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Transitions    :   5.84M
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: +-------------------------------------------------
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Number of patterns truncated to 20 bytes: 8688 ]
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Number of null byte prefixed patterns trimmed: 4422 ]
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: pcap DAQ configured to passive.
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: The DAQ version does not support reload.
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: Acquiring network traffic from "pppoe1".
    2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: Initializing daemon mode
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Daemon initialized, signaled parent pid: 31229
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Reload thread starting...
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Reload thread started, thread 0x3d39a040 (1448)
    2013-01-26 00:52:36	Daemon.Info	172.24.42.254	SnortStartup[1617]: Snort START For Wan Snort(18203_pppoe1)...
    2013-01-26 00:52:36	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode enabled
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Decoding LoopBack
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Checking PID path...
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: PID path stat checked out ok, PID path set to /var/run
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Writing PID "1448" to file "/var/run/snort_pppoe118203.pid"
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]:
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]:         --== Initialization Complete ==--
    2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Commencing packet processing (pid=1448)
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #7
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #77 (Req-Sent)
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #77
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #7 (Ack-Sent)
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Found pid path directive (/var/run)
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Running in IDS mode
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:         --== Initializing Snort ==--
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Output Plugins!
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #8
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #1
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Ack-Sent
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #8 (Ack-Sent)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Preprocessors!
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Plug-ins!
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: rec'd ACK #1 len: 5
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization successful
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Join bundle "wan"
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Open event
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Initial --> Starting
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerStart
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Up event
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Starting --> Req-Sent
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #5
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Request #11 (Req-Sent)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.248.0.9
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]     10.248.0.9 is OK
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigAck #11
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.248.0.9
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #6
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]     96.43.239.155 is OK
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #7
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent)
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Ack-Sent --> Opened
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerUp
    2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   96.43.239.155 -> 10.248.0.9
    2013-01-26 00:52:38	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: PortVar 'DNS_PORTS' defined :
    2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:  [ 53 ]
    
    ...
    
    2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]:
    2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: Initializing rule chains...
    2013-01-26 00:52:39	User.Notice	172.24.42.254	check_reload_status: rc.newwanip starting pppoe1
    2013-01-26 00:52:39	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Up event
    2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: /usr/local/etc/snort/snort_53096_bridge0/rules/snort.rules(536) threshold (in rule) is deprecated; use detection_filter instead.
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf: 00:01:33.546462 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 41060, offset 0, flags [none], proto UDP (17), length 268)
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:     64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident:
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:     (sa: doi=ipsec situation=identity
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:         (p: #1 protoid=isakmp transform=3
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
    2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid]
    2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : rc.newwanip: Informational is starting pppoe1.
    2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : rc.newwanip: on (IP address: 96.43.239.155) (interface: wan) (real interface: pppoe1).
    2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : ROUTING: setting default route to 10.248.0.9
    2013-01-26 00:52:44	User.Error	172.24.42.254	apinger: Exiting on signal 15.
    2013-01-26 00:52:45	User.Notice	172.24.42.254	check_reload_status: Reloading filter
    2013-01-26 00:52:45	User.Error	172.24.42.254	apinger: Starting Alarm Pinger, apinger(8518)
    2013-01-26 00:52:48	Daemon.Notice	172.24.42.254	snort[2994]: 9531 Snort rules read
    2013-01-26 00:52:48	Daemon.Notice	172.24.42.254	snort[2994]:     9126 detection rules
    ...
    2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: flowbits key 'imagesource.redefine' is set but not ever checked.
    2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: flowbits key 'file.pdf' is checked but not ever set.
    2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: 82 out of 1024 flowbits in use.
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf: 00:00:10.164279 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 44376, offset 0, flags [none], proto UDP (17), length 268)
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:     64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident:
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:     (sa: doi=ipsec situation=identity
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:         (p: #1 protoid=isakmp transform=3
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
    2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid]
    2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : Resyncing OpenVPN instances for interface WAN.
    2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : Creating rrd update script
    2013-01-26 00:52:51	Daemon.Info	172.24.42.254	ntpd[17407]: Terminating
    2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 43483: No such process'
    2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : OpenNTPD is starting up.
    2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : pfSense package system has detected an ip change 50.21.131.246 ->   ... Restarting packages.
    2013-01-26 00:52:51	User.Notice	172.24.42.254	check_reload_status: Starting packages
    2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
    2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 24.226.147.201#53
    2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 10.248.0.9#53
    2013-01-26 00:52:51	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[2994]:
    ...
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[2994]: Initializing daemon mode
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Daemon initialized, signaled parent pid: 2994
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Reload thread starting...
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Reload thread started, thread 0x3bded640 (54882)
    2013-01-26 00:52:56	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode enabled
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Decoding Ethernet
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Checking PID path...
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: PID path stat checked out ok, PID path set to /var/run
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Writing PID "54882" to file "/var/run/snort_bridge053096.pid"
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]:
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]:         --== Initialization Complete ==--
    2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Commencing packet processing (pid=54882)
    2013-01-26 00:52:57	User.Warning	172.24.42.254	php: : Restarting/Starting all packages.
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:07.065875 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.005788 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000017 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000008 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.043814 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000040 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000006 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.225489 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000033 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)]
    2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000007 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
    
    

    2.4.5-RELEASE-p1 (amd64)
    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5
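
The overlap described in the post above, a new WAN address arriving while Snort is still restarting, can be checked for in a syslog export. This is an added example, not code from the thread or from the Snort package; the sample log is constructed in the post's tab-separated format, and the function names and state labels are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the post's syslog layout (timestamp, facility.level,
# host, message, separated by tabs). PIDs and addresses are made up.
SAMPLE_LOG = "\n".join([
    '2013-01-26 00:52:09\tDaemon.Notice\t192.0.2.1\tsnort[4100]:         --== Initializing Snort ==--',
    '...',
    '2013-01-26 00:52:35\tDaemon.Notice\t192.0.2.1\tsnort[4100]: Acquiring network traffic from "pppoe1".',
    '2013-01-26 00:52:36\tDaemon.Notice\t192.0.2.1\tsnort[4200]: Daemon initialized, signaled parent pid: 4100',
    '2013-01-26 00:52:36\tDaemon.Notice\t192.0.2.1\tsnort[4200]: Commencing packet processing (pid=4200)',
    '2013-01-26 00:52:38\tDaemon.Notice\t192.0.2.1\tsnort[4300]:         --== Initializing Snort ==--',
    '013-01-26 00:52:39\tDaemon.Notice\t192.0.2.1\tsnort[4300]:',
    '2013-01-26 00:52:44\tUser.Warning\t192.0.2.1\tphp: : rc.newwanip: on (IP address: 198.51.100.155) (interface: wan) (real interface: pppoe1).',
    '2013-01-26 00:52:56\tDaemon.Notice\t192.0.2.1\tsnort[4300]: Acquiring network traffic from "bridge0".',
    '2013-01-26 00:52:56\tDaemon.Notice\t192.0.2.1\tsnort[4400]: Daemon initialized, signaled parent pid: 4300',
    '2013-01-26 00:52:56\tDaemon.Notice\t192.0.2.1\tsnort[4400]: Commencing packet processing (pid=4400)',
    '2013-01-26 00:53:30\tDaemon.Notice\t192.0.2.1\tsnort[4500]:         --== Initializing Snort ==--',
    '2013-01-26 00:53:49\tDaemon.Notice\t192.0.2.1\tsnort[4500]: Acquiring network traffic from "em1".',
    '2013-01-26 00:53:50\tDaemon.Notice\t192.0.2.1\tsnort[4600]: Daemon initialized, signaled parent pid: 4500',
    '2013-01-26 00:53:50\tDaemon.Notice\t192.0.2.1\tsnort[4600]: Commencing packet processing (pid=4600)',
])

LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t\S+\t\S+\t(.*)$")
SNORT = re.compile(r"^snort\[(\d+)\]:\s*(.*)$")
NEWIP = re.compile(r"rc\.newwanip: on \(IP address: ([0-9.]+)\) "
                   r"\(interface: (\w+)\) \(real interface: (\w+)\)")
PARENT = re.compile(r"signaled parent pid: (\d+)")
IFACE = re.compile(r'Acquiring network traffic from "([^"]+)"')


def parse(log):
    """Return (snort_instances, address_changes) found in a syslog export."""
    instances = {}  # parent pid -> record for one Snort start-up
    child_of = {}   # daemonised child pid -> parent pid that began the start-up
    changes = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # elision markers, blank lines, lines without a full timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        ip = NEWIP.search(msg)
        if ip:
            changes.append({"time": ts, "address": ip.group(1), "iface": ip.group(3)})
            continue
        s = SNORT.match(msg)
        if not s:
            continue
        pid, text = int(s.group(1)), s.group(2)
        if "Initializing Snort" in text:
            instances[pid] = {"iface": "unknown", "start": ts, "ready": None}
        elif (f := IFACE.search(text)) and pid in instances:
            instances[pid]["iface"] = f.group(1)
        elif (p := PARENT.search(text)):
            child_of[pid] = int(p.group(1))
        elif "Commencing packet processing" in text:
            # The line comes from the child; credit it to the parent's record.
            owner = child_of.get(pid, pid)
            if owner in instances:
                instances[owner]["ready"] = ts
    return list(instances.values()), changes


def instances_predating_change(log):
    """List (interface, state) for running instances not started after the
    last WAN address change. Timestamps have one-second resolution, so ties
    count as overlap."""
    instances, changes = parse(log)
    if not changes:
        return []
    last = max(changes, key=lambda c: c["time"])
    latest = {}  # interface -> most recently started instance
    for inst in instances:
        cur = latest.get(inst["iface"])
        if cur is None or inst["start"] > cur["start"]:
            latest[inst["iface"]] = inst
    findings = []
    for iface, inst in sorted(latest.items()):
        if inst["start"] > last["time"]:
            continue  # started after the address was announced
        if inst["ready"] is None or inst["ready"] >= last["time"]:
            findings.append((iface, "initialising-during-change"))
        else:
            findings.append((iface, "ready-before-change"))
    return findings


if __name__ == "__main__":
    for iface, state in instances_predating_change(SAMPLE_LOG):
        print(iface, state)
```

Whether an instance in either reported state actually goes on to block the new address depends on how the package builds its whitelist, which the thread does not describe; the check only narrows down which instances to restart or inspect.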

    • K
      kilthro
      last edited by Jan 26, 2013, 10:25 AM

      Since I have updated snort with the most recent update, the auto update continues to fail. This is the second day in a row that it has not successfully updated and restarted itself. If I manually do updates or restart the service all is good. It seems to be starting too soon and kicking up empty rules directories and errors out. I didn't have this problem on the previous version and I know there was a fix implemented for it to reload in a certain way. Did this somehow get reverted?

      • S
        Supermule Banned
        last edited by Jan 26, 2013, 11:17 AM

        I have issues as well….

        update_error.jpg

        • B
          bmeeks
          last edited by Jan 26, 2013, 3:03 PM

          I will take a look at the UPDATES errors.

          The other post about blocking the WAN IP when it changes (PPPoE, I think was the poster's connection) might be a bit tougher to resolve.  Will look into it, though.

          Bill

          • E
            eri--
            last edited by Jan 26, 2013, 3:05 PM

            I made some fixes and bumped the snort version so check it out

            • S
              Supermule Banned
              last edited by Jan 26, 2013, 3:26 PM

              How many of Bill's improvements have you incorporated Ermal??

              • E
                eri--
                last edited by Jan 26, 2013, 3:38 PM

                I made fixes that might fix the issue on wan ip changing.

                Supermule,
                all he submitted and corrected some issues with it.
                Why are you asking?

                • S
                  Supermule Banned
                  last edited by Jan 26, 2013, 3:50 PM

                  Just curious :)

                  I think he is doing a good job with this package! Thanks for the bump of package.

                  Everything seems to be running fine in this end :)

                  • E
                    eri--
                    last edited by Jan 26, 2013, 4:20 PM

                    He did exactly what I wanted to do.
                    I corrected some issues on his code with the latest fixes mostly for preventing foot-shooting during update.

                    It just misses to select rules based on enabled preprocessors and it should be fairly stable in that regard.

                    I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
                    When it gets recompiled it would be easier to even read syslog and the errors of the package.

                    • S
                      Supermule Banned
                      last edited by Jan 26, 2013, 4:57 PM

                      Thanks Ermal! Much appreciated :)

                      Great work both of you!

                      • R
                        RonpfS
                        last edited by Jan 26, 2013, 6:08 PM

                        @ermal:

                        I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
                        When it gets recompiled it would be easier to even read syslog and the errors of the package.

                        Thanks Ermal

                        I see 2.5.4 is available, but there are commits after this. Will the version bump again when you get it recompiled, or does every commit generate a new package?


                        • E
                          eri--
                          last edited by Jan 26, 2013, 8:27 PM

                          Nah, I just pushed the last one, which should be it.
                          I do not plan on committing more on it for now.

                          • K
                            kilthro
                            last edited by Jan 26, 2013, 9:09 PM

                            Wow thanks for the quick responses. I will grab the update and give it a shot. You guys are awesome!

                            • B
                              bmeeks
                              last edited by Jan 26, 2013, 10:24 PM Jan 26, 2013, 10:21 PM

                              Ermal's fix and mine passed each other in cyberspace on the way to the servers… ;D

                              Hopefully the Snort package will be stable for all now with the new features for flowbit resolution and the ability to use Snort VRT pre-defined policies if you want to.  The pre-defined policy feature can be very useful to new Snort users, or even casual users, who just want some basic protection.  You can enable either the Connectivity or Balanced policy, and then just sort of let it run.

                              A big shout-out to Ermal for responding quickly and fixing the nasty bug in the rules update.  That one got introduced a little over a day ago while adding some robust error checking to the code.

                              Bill

                              • K
                                kilthro
                                last edited by Jan 27, 2013, 2:11 AM

                                @ermal:

                                I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
                                When it gets recompiled it would be easier to even read syslog and the errors of the package.

                                Thanks so much for this! It was annoying to have the sys log fill every restart.

                                • S
                                  swinn
                                  last edited by Jan 27, 2013, 7:33 PM Jan 27, 2013, 6:24 AM

                                  Snort will no longer start: (I changed the IPs below with the asterisks)
                                  Looks like there is no subnet set for the IPv6 address.

                                  Jan 27 00:23:21 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
                                  Jan 27 00:23:21 snort[43598]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,192.168.0.0/16,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
                                  Jan 27 00:23:19 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 
                                  Jan 27 00:22:13 check_reload_status: Syncing firewall 
                                  Jan 27 00:20:54 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
                                  Jan 27 00:20:54 snort[95541]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
                                  Jan 27 00:20:51 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 
                                  
                                  
                                  • T
                                    tester_02
                                    last edited by Jan 27, 2013, 6:37 AM

                                    Updated snort today, now it does not start.  Error is…

                                    snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

                                    I disabled the bad traffic rules (so and non so) and it still fails to start.  Reinstalled the package again, and no go.  Was working for quite a while.  Had not updated for a month, but thought from the thread here that it was stable.

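The two start-up failures reported in the posts above (the address list Snort could not parse, and the shared-object rule with an undefined symbol) can be pulled out of a noisy syslog with a small triage script. This is an added example, not part of the thread or of the pfSense Snort package: the function names and sample lines are constructed, and it assumes a flat comma-separated list in which `*` stands for digits a poster masked.

```python
import ipaddress
import re

# Constructed sample in the two syslog layouts quoted in the thread. The
# addresses are documentation ranges, not the posters' values; the paths,
# library name and symbol name are the ones shown in the posts.
SAMPLE_LOG = """\
Jan 27 00:23:21 snort[43598]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,192.168.0.0/16,198.51.100.7,2001:db8:1:2::,198.51.100.0/20,2001:db8:1:2::/,192.168.2.0/24].
2013-01-27 02:20:32\tDaemon.Notice\t172.24.42.254\tsnort[29577]: Running in IDS mode
2013-01-27 02:20:32\tDaemon.Error\t172.24.42.254\tsnort[29577]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
"""

# Works for both layouts because it keys on the "snort[pid]: FATAL ERROR:" tag.
FATAL_RE = re.compile(r"snort\[(\d+)\]: FATAL ERROR: (.*)$")
IPLIST_RE = re.compile(
    r"^(\S+)\((\d+)\) Failed to parse the IP address: \[(.*)\]\.?\s*$"
)
SYMBOL_RE = re.compile(r'^Failed to load (\S+): .*Undefined symbol "([^"]+)"')


def check_entry(entry):
    """Return None if the entry is a usable address or CIDR, else a reason."""
    entry = entry.strip()
    if not entry:
        return "empty entry"
    _, slash, prefix = entry.partition("/")
    if slash and not prefix:
        # The case in the thread: an IPv6 address written as "addr/".
        return "CIDR separator with no prefix length"
    # Masked digits ("*") are replaced by 0 so the structure can still be checked.
    probe = entry.replace("*", "0")
    try:
        # strict=False: an interface address with its prefix (host bits set) is fine.
        ipaddress.ip_network(probe, strict=False)
    except ValueError as exc:
        return str(exc)
    return None


def triage(log_text):
    """Extract Snort FATAL ERROR lines and classify the two failures seen here."""
    findings = []
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()

        ip = IPLIST_RE.match(msg)
        if ip:
            bad = {}
            for entry in ip.group(3).split(","):
                reason = check_entry(entry)
                if reason:
                    bad[entry.strip()] = reason
            findings.append({
                "pid": pid,
                "kind": "bad_ip_list",
                "conf": ip.group(1),
                "line": int(ip.group(2)),
                "bad_entries": bad,
            })
            continue

        so = SYMBOL_RE.match(msg)
        if so:
            # A rule library built against a different Snort than the one loading it.
            findings.append({
                "pid": pid,
                "kind": "undefined_symbol",
                "library": so.group(1),
                "symbol": so.group(2),
            })
            continue

        findings.append({"pid": pid, "kind": "other", "message": msg})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample, the only address flagged is the IPv6 entry ending in `/`, which matches the poster's observation that the IPv6 address has no subnet set.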
                                    • R
                                      RonpfS
                                      last edited by Jan 27, 2013, 7:39 AM

                                      Just went for a re-install of Snort 2.9.2.3 pkg v. 2.5.4  ::)

                                      
                                      2013-01-27 02:16:43	Auth.Emerg	172.24.42.254	php: /status_rrd_graph.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
                                      2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf: 00:00:02.978226 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34704, offset 0, flags [none], proto UDP (17), length 52)
                                      2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33526: UDP, length 24
                                      2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf: 00:00:01.870908 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 52039, offset 0, flags [DF], proto TCP (6), length 83)
                                      2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6769 (correct), seq 3683470708:3683470739, ack 2243077203, win 44064, options [nop,nop,TS val 1236008655 ecr 155036732], length 31
                                      2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf: 00:00:01.152559 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34705, offset 0, flags [none], proto UDP (17), length 52)
                                      2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33527: UDP, length 24
                                      2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf: 00:00:03.027552 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 10, id 34706, offset 0, flags [none], proto UDP (17), length 52)
                                      2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33528: UDP, length 24
                                      2013-01-27 02:17:00	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049922 bytes (client queue). 135.19.140.229 52457 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
                                      2013-01-27 02:17:03	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:17:07	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049226 bytes (server queue). 121.157.96.186 52598 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
                                      2013-01-27 02:17:13	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:17:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[41717]: *** Caught Term-Signal
                                      2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[10973]: *** Caught Term-Signal
                                      2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode disabled
                                      2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode disabled
                                      2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: ===============================================================================
                                      2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Run time for packet processing was 91065.975548 seconds
                                      2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Snort processed 13503818 packets.
                                      
                                      2013-01-27 02:17:27	Daemon.Notice	172.24.42.254	snort[10973]: | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=51
                                      2013-01-27 02:17:35	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Beginning package installation for snort.
                                      2013-01-27 02:17:36	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf: 00:00:48.508720 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 105, id 19829, offset 0, flags [none], proto UDP (17), length 95)
                                      2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf:     71.45.120.110.6112 > 50.21.133.210.3912: UDP, length 67
                                      2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf: 00:00:01.004974 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 26462, offset 0, flags [DF], proto TCP (6), length 360)
                                      2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855935432 ecr 155013193], length 308
                                      2013-01-27 02:17:51	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf: 00:00:11.146024 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 357, offset 0, flags [DF], proto TCP (6), length 83)
                                      2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6d33 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236072708 ecr 155036732], length 31
                                      2013-01-27 02:18:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
                                      2013-01-27 02:18:01	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:07	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:18:08	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:18:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:18:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf: 00:00:53.416103 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 10930, offset 0, flags [DF], proto TCP (6), length 360)
                                      2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936072 ecr 155013193], length 308
                                      2013-01-27 02:18:47	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:18:49	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_pop_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_imap_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
                                      2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                                      2013-01-27 02:18:57	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:18:57	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf: 00:00:12.500097 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 7989, offset 0, flags [DF], proto TCP (6), length 83)
                                      2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x72fa (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236136764 ecr 155036732], length 31
                                      2013-01-27 02:19:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
                                      2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 1
                                      2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Snort.org rules posted. Downloading...
                                      2013-01-27 02:19:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:19:23	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:19:31	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
                                      2013-01-27 02:19:33	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:19:41	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:46.492618 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34037, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 3864903423, win 131, length 58
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.000044 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34038, offset 0, flags [DF], proto TCP (6), length 67)
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [FP.], cksum 0x0993 (correct), seq 58:85, ack 1, win 131, length 27
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.510370 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34039, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf: 00:00:01.019304 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34040, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf: 00:00:02.051460 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34041, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf: 00:00:01.904027 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 42928, offset 0, flags [DF], proto TCP (6), length 360)
                                      2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936712 ecr 155013193], length 308
                                      2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf: 00:00:02.148327 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34042, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort Rules Attempts: 1
                                      2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Emergingthreats rules posted. Downloading...
                                      2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf: 00:00:08.102416 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34043, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:20:00	Cron.Info	172.24.42.254	/usr/sbin/cron[24641]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
                                      2013-01-27 02:20:02	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:03.031497 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 41, id 0, offset 0, flags [DF], proto UDP (17), length 441)
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     112.64.146.77.5101 > 50.21.133.210.5060: SIP, length: 413
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>OPTIONS sip:100@50.21.133.210 SIP/2.0
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Via: SIP/2.0/UDP 112.64.146.77:5101;branch=z9hG4bK-89865205;rport
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Content-Length: 0
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>From: "sipvicious"<sip:100@1.1.1.1>; ta#\0xd5\0x04Q\0xca3\0x04\0x00\0x93\0x00\0x00\0x00\0x93\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x01\0x00bridge0\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x02\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00\0x8aQ\0x00\0x00\0x02\0x00\0x00\0x00E\0x00\0x00S!\0xbb@\0x000\0x06\0xe49L@\0x1c8\0xac\0x180 \0xeb$H\0x0f\0xdb\0x8dMt\0x85\0xb2\0xa4S\0x80\0x19\0xac x\0xd5\0x00\0x00\0x01\0x01\0x08\0x0aI\0xae\0xed`\0x09=\0xac<\0x0b\0x19T\0x1fr\0x0c*I\0xba\0x9ec\0xff\0xc0\0xbc\0xfa\0x14\0xe75\0xf9q\0xc8\0x0a\0xa4\0x96\0xddFT\0x178\0x84\0x0e^ \0xee\0xff\0xd3\0xe6]\0xbe\0xffP\0x18\0x00\0x83bY\0x00\0x00\0x17\0x03\0x01\0x005MT\0xe1H/\0xd7\0x9aN\0xaf\0xf3\0x11\0xd4pA\0x10is\0xa8\0x09;\0x8c\0xa8\0xe8\0xcf\0x81qJw\0xeb^B\0xbc\0x17f\0x07B\0x1b\0x11\0x98v\0xb2+z\0x17F{FV\0xc2\0xc6\0xf0w\0x80\0x00\0x00\0x00\0x00\0x00\0x00\0x00
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:00.230625 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 8635, offset 0, flags [DF], proto TCP (6), length 83)
                                      2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x78d5 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236200800 ecr 155036732], length 31
                                      2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf: 00:00:13.026235 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34044, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:20:25	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: WAN ...
                                      2013-01-27 02:20:29	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: LAN ...
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Running in IDS mode
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:         --== Initializing Snort ==--
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Output Plugins!
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Preprocessors!
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Plug-ins!
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'DNS_PORTS' defined :
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 53 ]
                                      
                                      ...
                                      
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'MODBUS_PORTS' defined :
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 502 ]
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Detection:
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:    Search-Method = AC-BNFA-Q
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Search-Method-Optimizations = enabled
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Maximum pattern length = 20
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Tagged Packet Limit: 256
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
                                      2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
                                      2013-01-27 02:20:32	Daemon.Error	172.24.42.254	snort[29577]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
                                      2013-01-27 02:20:32	Daemon.Info	172.24.42.254	SnortStartup[29590]: Snort START For Wan Snort(18203_pppoe1)...
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Running in IDS mode
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:         --== Initializing Snort ==--
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Output Plugins!
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Preprocessors!
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Plug-ins!
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: PortVar 'DNS_PORTS' defined :
                                      2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:  [ 53 ]
                                      
                                      ...
                                      
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Detection:
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:    Search-Method = AC-BNFA-Q
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Search-Method-Optimizations = enabled
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Maximum pattern length = 20
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Tagged Packet Limit: 256
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
                                      2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
                                      2013-01-27 02:20:35	Daemon.Error	172.24.42.254	snort[30298]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
                                      2013-01-27 02:20:35	Daemon.Info	172.24.42.254	SnortStartup[30417]: Snort START For Lan(53096_bridge0)...
                                      2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf: 00:00:32.574901 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34045, offset 0, flags [DF], proto TCP (6), length 98)
                                      2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
                                      2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf: 00:00:05.274322 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 61566, offset 0, flags [DF], proto TCP (6), length 40)
                                      2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [R.], cksum 0x605b (correct), seq 309, ack 1, win 8460, length 0
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Running in IDS mode
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:         --== Initializing Snort ==--
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Output Plugins!
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Preprocessors!
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Plug-ins!
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: PortVar 'DNS_PORTS' defined :
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:  [ 53 ]
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
                                      
                                      ...
                                      
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Detection:
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:    Search-Method = AC-BNFA-Q
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Search-Method-Optimizations = enabled
                                      2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Maximum pattern length = 20
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Tagged Packet Limit: 256
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
                                      2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
                                      2013-01-27 02:20:58	Daemon.Error	172.24.42.254	snort[34948]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
                                      2013-01-27 02:20:58	Daemon.Info	172.24.42.254	SnortStartup[35000]: Snort START For Wan Snort(18203_pppoe1)...
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Found pid path directive (/var/run)
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Running in IDS mode
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:         --== Initializing Snort ==--
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Output Plugins!
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Preprocessors!
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Plug-ins!
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: PortVar 'DNS_PORTS' defined :
                                      2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:  [ 53 ]
                                      

                                      No luck

                                      Remove, install, update rules and it started OK

                                      Is there a 'requirement' to have a re-install button?  ???
                                      I could live without it  ;D

                                      2.4.5-RELEASE-p1 (amd64)
                                      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5
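
                                      A triage script for the pattern in the log above, where each Snort PID parses its snort.conf, dies loading bad-traffic.so on the undefined symbol, and is started again. This is an added example, not code from the pfSense Snort package; the sample lines and PIDs are constructed in the same syslog layout, and the function names are hypothetical.

```python
import re
from collections import Counter

LINE = re.compile(r'^\s*(\S+ \S+)\s+\S+\s+\S+\s+snort\[(\d+)\]:\s?(.*)$')
CONF = re.compile(r'Parsing Rules file ".*/snort_([^/"]+)/snort\.conf"')
FATAL = re.compile(r'FATAL ERROR: Failed to load (\S+?): .*Undefined symbol "([^"]+)"')

def failed_starts(text):
    """One record per Snort PID that died loading a shared-object rule library."""
    conf_by_pid, failures = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # pf, ppp and SnortStartup lines are ignored
        stamp, pid, msg = m.groups()
        c = CONF.search(msg)
        if c:
            conf_by_pid[pid] = c.group(1)  # e.g. "53096_bridge0"
        f = FATAL.search(msg)
        if f:
            failures.append({"time": stamp, "pid": pid,
                             "instance": conf_by_pid.get(pid, "unknown"),
                             "library": f.group(1), "symbol": f.group(2)})
    return failures

def crash_loops(failures, threshold=2):
    """Instances that failed `threshold` or more times on the same library and symbol."""
    counts = Counter((f["instance"], f["library"], f["symbol"]) for f in failures)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample (PIDs are made up; paths and symbol follow the post above).
def _line(t, pid, msg, sev="Daemon.Notice"):
    return f"2013-01-27 {t}\t{sev}\t172.24.42.254\tsnort[{pid}]: {msg}"

def _conf(inst):
    return f'Parsing Rules file "/usr/local/etc/snort/snort_{inst}/snort.conf"'

_SO = "/usr/local/lib/snort/dynamicrules/bad-traffic.so"
_FATAL = f'FATAL ERROR: Failed to load {_SO}: {_SO}: Undefined symbol "freeRuleData"'
SAMPLE = "\n".join([
    _line("02:20:34", 1001, _conf("53096_bridge0")),
    _line("02:20:35", 1001, _FATAL, "Daemon.Error"),
    _line("02:20:57", 1002, _conf("18203_pppoe1")),
    _line("02:20:58", 1002, _FATAL, "Daemon.Error"),
    _line("02:21:00", 1003, _conf("53096_bridge0")),
    _line("02:21:01", 1003, _FATAL, "Daemon.Error"),
])

if __name__ == "__main__":
    for (inst, lib, sym), n in crash_loops(failed_starts(SAMPLE)).items():
        print(f"{inst}: {n} failed starts, {lib} missing symbol {sym}")
```

                                      An instance reported here exited before it began inspecting traffic, so that interface has no IDS coverage until the start succeeds.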

                                      • S
                                        Supermule Banned
                                        last edited by Jan 27, 2013, 9:13 AM

                                        Why doesn't the package reinstall work, but the package delete-reinstall does?

                                        • E
                                          eri--
                                          last edited by Jan 27, 2013, 9:33 AM

                                          It should work after updating to 2.5.4; previously it was removing some files that were not being restored after an update.
                                          There is some resolution missing for enabled/disabled preprocessors.

                                          After you get it running it will run OK.
                                          I will have to find some time to get back to solving these last bits and making it less error-prone with this install/reinstall and with using rules when the preprocessor is not active, but for now you just have to find the preprocessors needed and activate them.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.