Netgate Discussion Forum

    Snort not working on 2.1 RC0

      bmeeks

      Just updated one of my 2.1-BETA snapshot VMs to 2.1RC0.  WAN IP is via DHCP and Snort is running with the "IPS Connectivity" policy configured.  So far no issues noticed, but I will keep it running.  Snort is running and blocking.  Notice in the screenshot of the main page that I have the Snort Dashboard Widget enabled and it is showing an Alert and block on a current event (5/31/2013).  Again, this is VMware Workstation and pfSense is using the e1000 NIC driver.  Don't know if that is your issue or not.  Could also be a library issue.  What other packages do you have installed?

      Here are screenshots of the main page and the Snort config –

      2.1RC0Snapshot.jpg
      IPSPolicy.jpg

        bbqrooster

        bmeeks, thank you so much. I'll try a different NIC card (therefore a different driver) to see if I can get it to work. I'll try to run it in a virtual machine too. I have no other packages installed other than Snort. It was a very minimal install and I was using a very common Intel 10/100 NIC card. That's why I was so puzzled about it.

          bmeeks

          @bbqrooster:

          bmeeks, thank you so much. I'll try a different NIC card (therefore a different driver) to see if I can get it to work. I'll try to run it in a virtual machine too. I have no other packages installed other than Snort. It was a very minimal install and I was using a very common Intel 10/100 NIC card. That's why I was so puzzled about it.

          There are a few other posts in the RC0 Snapshot thread about flakiness with WAN interfaces, but none of them mention Snort.

          Bill

            bbqrooster

            Ok, I think I have gotten to the bottom of this issue with Snort. As you have suggested, it is a NIC driver issue. I have tested a few other NIC cards as the WAN interface. Here's the finding

            pfSense 2.1 RC0 (i386) May 30 Built with Snort 2.9.4.1 v 2.5.8
            Non-working NIC - Intel 729757-005, 721383-008 using fxp0 driver
            Working NIC - Netgear FA311 (NatSemi chip) using sis0, on-board Realtek NIC using re0

            pfsense 2.03 with Snort 2.9.4.1 v 2.5.8
            All 4 NICs work

            I have also tried pfsense 2.1 RC0 amd64. Same problem with the Intel NIC cards.

            So the problem is the combination of pfSense 2.1 RC0, Snort 2.9.4.1 and the Intel NIC driver. I hope someone would take a look at this.

            Bill, thanks for your assistance in finding out this problem.

              bbqrooster

              I found another NIC card in my junk box. It is a SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like, of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.

                bmeeks

                @bbqrooster:

                I found another NIC card in my junk box. It is a SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like, of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.

                Glad you found the problem, but it is surprising the Intel NIC driver has issues.  They are usually pretty stable.  I can't imagine what Snort does to it unless it is the switch to promiscuous mode that triggers the problem.  Snort does do that (switch the NIC to promiscuous mode, that is) at startup.

                Bill

                  Mitterwald

                  @bmeeks:

                  @bbqrooster:

                  I found another NIC card in my junk box. It is a SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like, of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.

                  Glad you found the problem, but it is surprising the Intel NIC driver has issues.  They are usually pretty stable.  I can't imagine what Snort does to it unless it is the switch to promiscuous mode that triggers the problem.  Snort does do that (switch the NIC to promiscuous mode, that is) at startup.

                  Bill

                  Having the same problem since the 2.1RC0 update. Worked without any problems on 2.0.3 before.
                  pfSense runs on a VMware machine with em network drivers.
                  I think I remembered a "promiscuous mode" switch in the VMware config. Perhaps this is the problem. I'll try it later….

                    Supermule Banned

                    From a security standpoint, you shouldn't run promiscuous mode on the vSwitch under any circumstance whatsoever!

                      Mitterwald

                      I know. Therefore I had switched promiscuous mode off  ;D
                      This is a VMware installation for testing. I want to have a running pfSense installation with Snort, so we have to hunt down the bug somehow. And promiscuous mode seems to be a hint at first.

                        bmeeks

                        @Mitterwald:

                        I know. Therefore I had switched promiscuous mode off  ;D
                        This is a VMware installation for testing. I want to have a running pfSense installation with Snort, so we have to hunt down the bug somehow. And promiscuous mode seems to be a hint at first.

                        There is absolutely no difference at all in the Snort package between 2.0.3 and 2.1.  Any changes are within the 2.1 core code of pfSense itself.  I do know since 2.1 is based on FreeBSD 8.3 instead of 8.1 that some drivers are different or updated in 2.1.

                        Now another user having a "flapping WAN IP problem" where the interface kept coming up and down discovered it was actually a whitelist/Spoink issue.  He did not have his WAN IP ticked and included in the whitelist being used on the WAN interface, so any alerts were causing his WAN IP to get blocked.  This kicked off the process of "WAN IP changed".  That's possibly due to gateway monitoring, but that's just a guess.

                        Anyway, ticking the box for "WAN IP" in the whitelist fixed his problem.  This area of Snort did change a tad from 2.5.7 to 2.5.8.  Formerly, 2.5.7 and earlier packages would automatically whitelist the entire WAN subnet.  This was not a good idea!  So in 2.5.8 this was changed so Snort only automatically whitelists the WAN IP and the default gateway, but you still have to tick the checkboxes on the whitelist (if you make a custom one).  If you leave the whitelist set for "default", then the WAN IP, default gateway, VPN IPs, and any Virtual IPs are automatically included.

                        Bill
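
A simplified model of the whitelist behaviour described in the post above, added here as an illustration; it is not code from the Snort package or from any poster's configuration. The addresses are constructed documentation-range values, the mode names are hypothetical labels, and it assumes both endpoints of an alert are block candidates; the VPN and Virtual IP entries of the default whitelist are left out.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
WAN_IP, WAN_PREFIX, GATEWAY = "203.0.113.10", 24, "203.0.113.1"

# Constructed alerts as (source, destination) pairs.
ALERTS = [
    ("198.51.100.23", WAN_IP),   # remote host probing the firewall
    ("203.0.113.77", WAN_IP),    # hostile neighbour on the same WAN subnet
]

def pass_list(mode, wan_ip_ticked=False, gateway_ticked=False, extra=()):
    """Networks the blocker must never block, per the behaviour described.

    mode is a hypothetical label: "2.5.7", "2.5.8-default" or "2.5.8-custom".
    """
    nets = [ipaddress.ip_network(e) for e in extra]
    if mode == "2.5.7":
        # Old behaviour: the entire WAN subnet was whitelisted automatically.
        nets.append(ipaddress.ip_network(f"{WAN_IP}/{WAN_PREFIX}", strict=False))
    elif mode == "2.5.8-default":
        # New behaviour with the "default" list: WAN IP and gateway only.
        nets += [ipaddress.ip_network(WAN_IP), ipaddress.ip_network(GATEWAY)]
    elif mode == "2.5.8-custom":
        # Custom list: nothing is included unless its checkbox is ticked.
        if wan_ip_ticked:
            nets.append(ipaddress.ip_network(WAN_IP))
        if gateway_ticked:
            nets.append(ipaddress.ip_network(GATEWAY))
    else:
        raise ValueError(f"unknown mode: {mode}")
    return nets

def blocked_hosts(alerts, nets):
    """Every alert endpoint not covered by the pass list ends up blocked."""
    blocked = set()
    for src, dst in alerts:
        for ip in (src, dst):
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                blocked.add(ip)
    return sorted(blocked)

if __name__ == "__main__":
    for label, nets in [
        ("2.5.7 (whole WAN subnet)", pass_list("2.5.7")),
        ("2.5.8 default list", pass_list("2.5.8-default")),
        ("2.5.8 custom, WAN IP unticked", pass_list("2.5.8-custom")),
        ("2.5.8 custom, WAN IP ticked", pass_list("2.5.8-custom", wan_ip_ticked=True)),
    ]:
        print(f"{label:32} blocks {blocked_hosts(ALERTS, nets)}")
```

In this model the 2.5.7 row never blocks the neighbour at 203.0.113.77, and the custom list with "WAN IP" unticked blocks the firewall's own address.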

                          Mitterwald

                          Just did an update to the current RC0 snapshot and deinstalled snort and installed it again.
                          The config still remained on my pfsense.

                          But now it seems to work again. WAN is up for over 30 Minutes now, already blocked several attackers.
                          So seems ok for me again.

                          P.S.: I didn't change any VMware settings up to now.

                            bmeeks

                            @Mitterwald:

                            Just did an update to the current RC0 snapshot and deinstalled snort and installed it again.
                            The config still remained on my pfsense.

                            But now it seems to work again. WAN is up for over 30 Minutes now, already blocked several attackers.
                            So seems ok for me again.

                            P.S.: I didn't change any VMware settings up to now.

                            Some things changed in the latest snapshot of the RC0 release.  I have not investigated what changed, but I did notice my test 2.1RC0 box was prompting me about an update.

                            Bill
