Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort & PPPoE: Snort refuses to start(?)

    Scheduled Pinned Locked Moved pfSense Packages
    45 Posts 9 Posters 12.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mr. Jingles
      last edited by

      @bmeeks:

      @Hollander:

      The killall instructions you gave return nothing:

      
      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort
      No matching processes were found
      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort
      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):
      
      

      I can press as many times 'start' (the green icon) as I want to, it stays green and also the dashboard service widget shows all packages running except for Snort; that is stopped, and starting it from that dashboard widget also doesn't make it run. Starting it from the shell:

      
      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start
      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):
      
      

      (I don't know what that means).

      But in the GUI Snort is still stopped.

      And for a slightly less stupid (but still not the brightest  :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?

      Thank you very much for any help  ;D

      [/quote]

      I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

      As for your second question relative to logs, there is really just the system log.  You can see part of it in the GUI, or you can go to /var/log/system.log and see it all.  Other than a separate rules update log, there is no separate log file for Snort (aside from the alerts log, but no system startup/error messages get printed there).

      Bill

      6 and a half billion people know that they are stupid, agressive, lower life forms.

      1 Reply Last reply Reply Quote 0
      • M
        Mr. Jingles
        last edited by

        @bmeeks:

        I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

        Bill

        Thank you very much for your reply, Bill  ;D

        I was sort of  :o ??? about your remark about the PPPoE; I thought (but please forgive me, I am a noob) that everybody who is on ADSL/VDSL uses PPPoE? Is there another way?

        Is there something else I should try/can try?

        And, if I may, another question, just for me to try to understand then:

        • Before my upgrades I was on 2.0.2, with the previous Snort, but also (due to a PPPoE-problem in 2.0.2) PFS-WAN got an internal IP (192.168.1.2) from the ISP modem/router (192.168.1.1), and the PFS-LAN was on another subnet.
        • In that situation Snort was running (but wasn't really doing anything useful, as all it did (according to the snort-messages in the dashboard) was telling me about some sort of category-3 events between PFS-WAN and 192.168.1.1 (the ISP-modem/router)).
        • So if I may ask: what was the 'type of connection' PFS-WAN -> ISP-modem/router there then? I mean: surely not the PPPoE which Snort might not like, but what then? And if other people don't use PPPoE but this kind of connection, Snort won't be useful then, will it? (given that it filters PFS-WAN <-> ISP modem/router which in my situation didn't show anything useful).

        Thank you again Bill  ;D

        6 and a half billion people know that they are stupid, agressive, lower life forms.

        1 Reply Last reply Reply Quote 0
        • M
          Mr. Jingles
          last edited by

          @Supermule:

          Could it be related to the fact that you use a private IP as WAN and then Snort doesnt see it because of the definition of home net??

          Thank you for your reply :-)

          No, that was the old situation in 2.0.2, where Snort was at least running. In the new situation, 2.0.3, the PPPoE dial up is fixed so the WAN is now directly the external IP from my ISP. And now Snort refuses to run.

          6 and a half billion people know that they are stupid, agressive, lower life forms.

          1 Reply Last reply Reply Quote 0
          • G
            gogol
            last edited by

            You are running version 2.0.3 of pfSense.
            There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
            I would like to see the contents of that file.

            Also would you do in the shell:

            snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
            

            This is a test to run your configuration file. The last two lines should look like:

            Snort successfully validated the configuration!
            Snort exiting
            
            

            Or else you can look for irregularities.

            1 Reply Last reply Reply Quote 0
            • M
              Mr. Jingles
              last edited by

              Thank you very much for your reply, Gogol  :P

              I will do what you are asking for tomorrow: right now 'the guardians of my wife' (my dogs  ;D) are heavily complaining that I am not walking with them. And my wife is complaining that dinner will get cold. Sometimes I wonder: a life without wife and her guardians might be less stressful  ;D ;D ;D

              6 and a half billion people know that they are stupid, agressive, lower life forms.

              1 Reply Last reply Reply Quote 0
              • S
                Supermule Banned
                last edited by

                Always! :D

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  Does anyone else out there have Snort running on pfSense 2.0.x or higher with PPPoE on the interface?  I seem to recall some differences in the way 2.0.x and higher pfSense construct and use the PPPoE interface (markedly different from 1.2.x pfSense, if I recall correctly).  This might be the core of the problem the OP is having with Snort on a PPPoE interface.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • T
                    turker
                    last edited by

                    pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @turker:

                      pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)

                      Thanks!  I guess that means Snort and PPPoE can be happy together on 2.0.x.  I had a working installation myself back on 1.2.3 some time back, but I had not tried it on 2.0.x.  Prior to my upgrade of pfSense I moved to a cable modem connection for home that uses DHCP on the WAN.  The OP's problem must lie elsewhere, then.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • M
                        Mr. Jingles
                        last edited by

                        @turker:

                        pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)

                        Thank you for this feedback, that is at least promissing  ;D

                        6 and a half billion people know that they are stupid, agressive, lower life forms.

                        1 Reply Last reply Reply Quote 0
                        • M
                          Mr. Jingles
                          last edited by

                          @gogol:

                          You are running version 2.0.3 of pfSense.
                          There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
                          I would like to see the contents of that file.

                          Also would you do in the shell:

                          snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
                          

                          This is a test to run your configuration file. The last two lines should look like:

                          Snort successfully validated the configuration!
                          Snort exiting
                          
                          

                          Or else you can look for irregularities.

                          Again thank you, Gogol  ;D

                          I tried to find what you want to see. The "your_snort_sensor" invokes me to guess what you mean ( :P). I found two directories:

                          
                          /usr/local/etc/snort/snort_64222_em0/
                          /usr/local/etc/snort/snort_64222_pppoe0/
                          
                          

                          I take it these are the 'sensor directories', and you wanted to see the last directories snort.conf. I have attached it.

                          The test command did give an error, I have attached the output of that also.

                          Thank you again Gogol  ;D

                          snort.conf._pppoe.txt
                          testrun_log.txt

                          6 and a half billion people know that they are stupid, agressive, lower life forms.

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB
                            bmeeks
                            last edited by

                            @Hollander:

                            I take it these are the 'sensor directories', and you wanted to see the last directories snort.conf. I have attached it.

                            The test command did give an error, I have attached the output of that also.

                            Thank you again Gogol  ;D

                            Here is your problem:

                            +++++++++++++++++++++++++++++++++++++++++++++++++++
                            Initializing rule chains...
                            ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
                            Fatal Error, Quitting..
                            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
                            
                            

                            This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function.  I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot.  You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.

                            Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near to top.  That will automatically disable rules that need Preprocessors you do not have enabled.  However, this automatic rule disabling can leave your systems less than adquately protected.  It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.

                            Bill

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks
                              last edited by

                              And while I am still on the Preprocessor soapbox –-  ;)

                              Be aware that you must be intimately familiar with all the Preprocessors and their rule dependencies if you try to pick and choose which ones to enable.  Also you must understand that on any given update of the Rules from Snort.org or Emerging Threats, formerly disabled rules could become enabled again and thus cause Snort not to restart following the update due to a Preprocessor dependency.

                              It's just better in my view, with today's higher-powered CPUs and firewalls with plenty of RAM, to just enable all the Preprocessors.  That way, they are ready for any rule that needs them, and you don't get these FATAL ERRORS on restart because of a disabled Preprocessor.  The only exception I make to this is the Sensitive Data preprocessor.  Some folks don't want all the noise it can generate, so they disable it.  The Snort package will, if the Sensitive Data Preprocessor is disabled, automatically take care of the handful of Preprocessor Rules associated with it.

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • E
                                eri--
                                last edited by

                                Well snort can be patched to skip such rules also.
                                I am not sure why the snort guy made this a fatal error rather than a soft error.
                                Just skip the rule shouild be normal and warn the user about it!!!

                                Maybe it would be something to look at on patching snort wiht this.
                                Its better to have a warning and snort running rather than no snort at all and just some cryptic error.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  Supermule Banned
                                  last edited by

                                  Exactly!

                                  1 Reply Last reply Reply Quote 0
                                  • bmeeksB
                                    bmeeks
                                    last edited by

                                    Well, I can sort of see the point from the Sourcefire guys' point of view.  The preprocessors are necessary for many, many rules to function properly.  If Snort just auto-magically ignored such potentially critical configuration errors, users would be blindly unaware that some portion of their rear end was hanging out there exposed… ;D (if you get my drift).  If Snort just started up, who among us will swear to always look at the log file just to see if there were any warnings? ... ;)

                                    My view is there is no harm in enabling all the preprocessors.  This way you don't get surprised.  In fact, with the latest update to the Snort Package, I made the default condition "enabled" for most of the preprocessors.  The exceptions were the port scan, sensitive data, and SCADA preprocessors.  Unless you run a really frugal box, I don't think there is much overhead in having the extra preprocessors enabled.

                                    What happened in the OP's case is that the new defaults I set only get used on a new Snort install with no previous saved settings.  I made sure the code respected any previous settings.  That can still bite folks who don't understand how Snort's rules engine and the preprocessors interact.

                                    If you want a taste of what could happen automatically behind your back with hidden auto-disable logic, run the following test.  Enable the Snort IPS-Security policy and then choose all the Emerging Threats Rules.  You can even throw in Snort GPLv2 if you want.  Make sure your box has at least 4 GB of RAM, though, before you try this test.  After selecting all these rules, go to the Preprocessors tab and uncheck all the preprocessors, click the Auto-Rule Disable checkbox, and then click Save to regenerate the enforcing rules file.  You should see the new View button appear where you can see the disabled rules.  Click that button and have a look at all the Alerts you would not see if Snort automatically ignored or fixed preprocessor dependency errors for you without telling you.

                                    The number from my test is 15,595 rules auto-disabled from the text rules, and then 50 of the required flowbit-dependent rules were also auto-disabled.  The vast majority of these were from the HTTP_INSPECT preprocessor being disabled, but there are still quite a few tied to the other preprocessors.  So the net result is 15,645 rules I thought I was using actually would get disabled behind my back if Snort did this by default.

                                    Bill

                                    1 Reply Last reply Reply Quote 1
                                    • G
                                      gogol
                                      last edited by

                                      @ermal:

                                      Well snort can be patched to skip such rules also.
                                      I am not sure why the snort guy made this a fatal error rather than a soft error.
                                      Just skip the rule shouild be normal and warn the user about it!!!

                                      Maybe it would be something to look at on patching snort wiht this.
                                      Its better to have a warning and snort running rather than no snort at all and just some cryptic error.

                                      But then people might think that Snort is protecting their system.
                                      I agree with Bill to enable by default most preprocessors. People can always disable them and you have to suppose that they know what they are doing. ;)

                                      Furthermore:

                                      Here is your problem:

                                      Code:
                                      +++++++++++++++++++++++++++++++++++++++++++++++++++
                                      Initializing rule chains…
                                      ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
                                      Fatal Error, Quitting..
                                      [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):

                                      Bill is soooooo fast!

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        Mr. Jingles
                                        last edited by

                                        @bmeeks:

                                        Here is your problem:

                                        +++++++++++++++++++++++++++++++++++++++++++++++++++
                                        Initializing rule chains...
                                        ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
                                        Fatal Error, Quitting..
                                        [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
                                        
                                        

                                        This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function.  I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot.  You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.

                                        Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near to top.  That will automatically disable rules that need Preprocessors you do not have enabled.  However, this automatic rule disabling can leave your systems less than adquately protected.  It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.

                                        Bill

                                        Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me  ;D

                                        6 and a half billion people know that they are stupid, agressive, lower life forms.

                                        1 Reply Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks
                                          last edited by

                                          @Hollander:

                                          Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me  ;D

                                          You are welcome.  The next Snort package that comes out will have some better "default behaviors" baked in with regards to these pesky preprocessors – at least on new, green-field installs.  For users with saved Snort settings that already had preprocessors explicitly disabled, they will still need to turn them on manually.

                                          Bill

                                          1 Reply Last reply Reply Quote 0
                                          • B
                                            Boags
                                            last edited by

                                            Greetings, I hope you're all well. I registered to address that I have the same issue, however I don't use PPPoE and also have all the preprocessors ticked except the Sensitive Data box.

                                            The issue began after I re-installed the package to allow an update to 2.9.4.1 pkg v. 2.5.7

                                            The only logs coming through are:

                                            May 15 12:27:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
                                            May 15 12:27:37 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                            May 15 12:27:48 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
                                            May 15 12:27:52 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
                                            May 15 12:27:56 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
                                            May 15 12:28:07 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…

                                            I'm still a relatively novice user but I messed about with the settings to try and get Snort to run but haven't had any luck yet. I appreciate your suggestions. :)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.