Snort & PPPoE: Snort refuses to start(?)
-
@Hollander:
The killall instructions you gave return nothing:
[2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort No matching processes were found [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):
I can press as many times 'start' (the green icon) as I want to, it stays green and also the dashboard service widget shows all packages running except for Snort; that is stopped, and starting it from that dashboard widget also doesn't make it run. Starting it from the shell:
[2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):
(I don't know what that means).
But in the GUI Snort is still stopped.
And for a slightly less stupid (but still not the brightest :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?
Thank you very much for any help ;D
[/quote]
I see from the posted snort.sh script that you are running Snort on a PPPoE interface. I've never done that. I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces. Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection. It could be that PPPoE and Snort don't like each other, but I don't know that for sure. I've just never encountered that configuration.
As for your second question relative to logs, there is really just the system log. You can see part of it in the GUI, or you can go to /var/log/system.log and see it all. Other than a separate rules update log, there is no separate log file for Snort (aside from the alerts log, but no system startup/error messages get printed there).
Bill
-
I see from the posted snort.sh script that you are running Snort on a PPPoE interface. I've never done that. I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces. Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection. It could be that PPPoE and Snort don't like each other, but I don't know that for sure. I've just never encountered that configuration.
Bill
Thank you very much for your reply, Bill ;D
I was sort of :o ??? about your remark about the PPPoE; I thought (but please forgive me, I am a noob) that everybody who is on ADSL/VDSL uses PPPoE? Is there another way?
Is there something else I should try/can try?
And, if I may, another question, just for me to try to understand then:
- Before my upgrades I was on 2.0.2, with the previous Snort, but also (due to a PPPoE-problem in 2.0.2) PFS-WAN got an internal IP (192.168.1.2) from the ISP modem/router (192.168.1.1), and the PFS-LAN was on another subnet.
- In that situation Snort was running (but wasn't really doing anything useful, as all it did (according to the snort-messages in the dashboard) was telling me about some sort of category-3 events between PFS-WAN and 192.168.1.1 (the ISP-modem/router)).
- So if I may ask: what was the 'type of connection' PFS-WAN -> ISP-modem/router there then? I mean: surely not the PPPoE which Snort might not like, but what then? And if other people don't use PPPoE but this kind of connection, Snort won't be useful then, will it? (given that it filters PFS-WAN <-> ISP modem/router which in my situation didn't show anything useful).
Thank you again Bill ;D
-
Could it be related to the fact that you use a private IP as WAN and then Snort doesnt see it because of the definition of home net??
Thank you for your reply :-)
No, that was the old situation in 2.0.2, where Snort was at least running. In the new situation, 2.0.3, the PPPoE dial up is fixed so the WAN is now directly the external IP from my ISP. And now Snort refuses to run.
-
You are running version 2.0.3 of pfSense.
There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
I would like to see the contents of that file.Also would you do in the shell:
snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
This is a test to run your configuration file. The last two lines should look like:
Snort successfully validated the configuration! Snort exiting
Or else you can look for irregularities.
-
Thank you very much for your reply, Gogol :P
I will do what you are asking for tomorrow: right now 'the guardians of my wife' (my dogs ;D) are heavily complaining that I am not walking with them. And my wife is complaining that dinner will get cold. Sometimes I wonder: a life without wife and her guardians might be less stressful ;D ;D ;D
-
Always! :D
-
Does anyone else out there have Snort running on pfSense 2.0.x or higher with PPPoE on the interface? I seem to recall some differences in the way 2.0.x and higher pfSense construct and use the PPPoE interface (markedly different from 1.2.x pfSense, if I recall correctly). This might be the core of the problem the OP is having with Snort on a PPPoE interface.
Bill
-
pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)
-
pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)
Thanks! I guess that means Snort and PPPoE can be happy together on 2.0.x. I had a working installation myself back on 1.2.3 some time back, but I had not tried it on 2.0.x. Prior to my upgrade of pfSense I moved to a cable modem connection for home that uses DHCP on the WAN. The OP's problem must lie elsewhere, then.
Bill
-
pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)
Thank you for this feedback, that is at least promissing ;D
-
You are running version 2.0.3 of pfSense.
There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
I would like to see the contents of that file.Also would you do in the shell:
snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
This is a test to run your configuration file. The last two lines should look like:
Snort successfully validated the configuration! Snort exiting
Or else you can look for irregularities.
Again thank you, Gogol ;D
I tried to find what you want to see. The "your_snort_sensor" invokes me to guess what you mean ( :P). I found two directories:
/usr/local/etc/snort/snort_64222_em0/ /usr/local/etc/snort/snort_64222_pppoe0/
I take it these are the 'sensor directories', and you wanted to see the last directories snort.conf. I have attached it.
The test command did give an error, I have attached the output of that also.
Thank you again Gogol ;D
-
@Hollander:
I take it these are the 'sensor directories', and you wanted to see the last directories snort.conf. I have attached it.
The test command did give an error, I have attached the output of that also.
Thank you again Gogol ;D
Here is your problem:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'. Fatal Error, Quitting.. [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function. I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot. You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.
Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near to top. That will automatically disable rules that need Preprocessors you do not have enabled. However, this automatic rule disabling can leave your systems less than adquately protected. It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.
Bill
-
And while I am still on the Preprocessor soapbox –- ;)
Be aware that you must be intimately familiar with all the Preprocessors and their rule dependencies if you try to pick and choose which ones to enable. Also you must understand that on any given update of the Rules from Snort.org or Emerging Threats, formerly disabled rules could become enabled again and thus cause Snort not to restart following the update due to a Preprocessor dependency.
It's just better in my view, with today's higher-powered CPUs and firewalls with plenty of RAM, to just enable all the Preprocessors. That way, they are ready for any rule that needs them, and you don't get these FATAL ERRORS on restart because of a disabled Preprocessor. The only exception I make to this is the Sensitive Data preprocessor. Some folks don't want all the noise it can generate, so they disable it. The Snort package will, if the Sensitive Data Preprocessor is disabled, automatically take care of the handful of Preprocessor Rules associated with it.
Bill
-
Well snort can be patched to skip such rules also.
I am not sure why the snort guy made this a fatal error rather than a soft error.
Just skip the rule shouild be normal and warn the user about it!!!Maybe it would be something to look at on patching snort wiht this.
Its better to have a warning and snort running rather than no snort at all and just some cryptic error. -
Exactly!
-
Well, I can sort of see the point from the Sourcefire guys' point of view. The preprocessors are necessary for many, many rules to function properly. If Snort just auto-magically ignored such potentially critical configuration errors, users would be blindly unaware that some portion of their rear end was hanging out there exposed… ;D (if you get my drift). If Snort just started up, who among us will swear to always look at the log file just to see if there were any warnings? ... ;)
My view is there is no harm in enabling all the preprocessors. This way you don't get surprised. In fact, with the latest update to the Snort Package, I made the default condition "enabled" for most of the preprocessors. The exceptions were the port scan, sensitive data, and SCADA preprocessors. Unless you run a really frugal box, I don't think there is much overhead in having the extra preprocessors enabled.
What happened in the OP's case is that the new defaults I set only get used on a new Snort install with no previous saved settings. I made sure the code respected any previous settings. That can still bite folks who don't understand how Snort's rules engine and the preprocessors interact.
If you want a taste of what could happen automatically behind your back with hidden auto-disable logic, run the following test. Enable the Snort IPS-Security policy and then choose all the Emerging Threats Rules. You can even throw in Snort GPLv2 if you want. Make sure your box has at least 4 GB of RAM, though, before you try this test. After selecting all these rules, go to the Preprocessors tab and uncheck all the preprocessors, click the Auto-Rule Disable checkbox, and then click Save to regenerate the enforcing rules file. You should see the new View button appear where you can see the disabled rules. Click that button and have a look at all the Alerts you would not see if Snort automatically ignored or fixed preprocessor dependency errors for you without telling you.
The number from my test is 15,595 rules auto-disabled from the text rules, and then 50 of the required flowbit-dependent rules were also auto-disabled. The vast majority of these were from the HTTP_INSPECT preprocessor being disabled, but there are still quite a few tied to the other preprocessors. So the net result is 15,645 rules I thought I was using actually would get disabled behind my back if Snort did this by default.
Bill
-
@ermal:
Well snort can be patched to skip such rules also.
I am not sure why the snort guy made this a fatal error rather than a soft error.
Just skip the rule shouild be normal and warn the user about it!!!Maybe it would be something to look at on patching snort wiht this.
Its better to have a warning and snort running rather than no snort at all and just some cryptic error.But then people might think that Snort is protecting their system.
I agree with Bill to enable by default most preprocessors. People can always disable them and you have to suppose that they know what they are doing. ;)Furthermore:
Here is your problem:
Code:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains…
ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
Fatal Error, Quitting..
[2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):Bill is soooooo fast!
-
Here is your problem:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'. Fatal Error, Quitting.. [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function. I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot. You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.
Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near to top. That will automatically disable rules that need Preprocessors you do not have enabled. However, this automatic rule disabling can leave your systems less than adquately protected. It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.
Bill
Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me ;D
-
@Hollander:
Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me ;D
You are welcome. The next Snort package that comes out will have some better "default behaviors" baked in with regards to these pesky preprocessors – at least on new, green-field installs. For users with saved Snort settings that already had preprocessors explicitly disabled, they will still need to turn them on manually.
Bill
-
Greetings, I hope you're all well. I registered to address that I have the same issue, however I don't use PPPoE and also have all the preprocessors ticked except the Sensitive Data box.
The issue began after I re-installed the package to allow an update to 2.9.4.1 pkg v. 2.5.7
The only logs coming through are:
May 15 12:27:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
May 15 12:27:37 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
May 15 12:27:48 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
May 15 12:27:52 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
May 15 12:27:56 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
May 15 12:28:07 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…I'm still a relatively novice user but I messed about with the settings to try and get Snort to run but haven't had any luck yet. I appreciate your suggestions. :)