Snort service won't start
-
Have you checked the system logs to see if Snort is reporting any error?
-
Snort won't start here either. I have the following system log entry:
snort[1507]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_25347_em1/snort.conf(6) Failed to parse the IP address: [8.8.8.8,75.75.75.75,75.75.76.76,127.0.0.1,192.168.0.1,192.168.0.100,192.168.1.0/24,(IPv6 address omitted for security)].
These addresses represent DNS servers and the WAN side of the firewall (behind a router).
I tried adding those addresses to the Whitelist in Snort.
-
The short answer is that you have an error in that entry, probably in the IPv6 address. Try removing the IPv6 address and see if that solves the problem.
If it does then either you had a typo, or IPv6 isn't supported in the version of Snort you're using. What version of pfSense and Snort are you using?
-
pfSense 2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
Snort 2.9.4.6 pkg v. 2.6.0
-
@Cry:
> The short answer is that you have an error in that entry, probably in the IPv6 address. Try removing the IPv6 address and see if that solves the problem.
> If it does then either you had a typo, or IPv6 isn't supported in the version of Snort you're using. What version of pfSense and Snort are you using?
The firewall should be using DHCP.
-
Are you saying that the IPv6 address was automatically added to the configuration, or did you add it yourself?
-
I removed the check on DHCPv6 on the WAN interface, Snort started. Does Barnyard 2 have to run also?
-
> I removed the check on DHCPv6 on the WAN interface, Snort started. Does Barnyard 2 have to run also?
No, Barnyard2 is not required unless you want to send Snort alerts to a remote database such as Snorby or other tools.
Bill
-
I can't start snort either. I have the following in my system log.
snort[60940]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_17037_em0/snort.conf(7) !any is not allowed in EXTERNAL_NET.
SnortStartup[60790]: Snort START for WAN(17037_em0)…
I have a simple setup at home: 1 WAN, 1 LAN, no VLANs. I'm a n00b at this, and learning as I go.
Snort 2.9.4.6 pkg v. 2.6.0
The only rules running are the IPS Policy 'Connectivity'.
I was presuming that error was from a rule, so I tried starting snort w/no rules enabled, but get the same error above.
In the WAN Preprocessors section everything is default, and I have all preprocessors enabled except 'enable sensitive data'.
Any advice? Thanks in advance,
Lawrence
-
> I can't start snort either. I have the following in my system log.
> snort[60940]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_17037_em0/snort.conf(7) !any is not allowed in EXTERNAL_NET.
> SnortStartup[60790]: Snort START for WAN(17037_em0)…
> I have a simple setup at home: 1 WAN, 1 LAN, no VLANs. I'm a n00b at this, and learning as I go.
> Snort 2.9.4.6 pkg v. 2.6.0
> The only rules running are the IPS Policy 'Connectivity'.
> I was presuming that error was from a rule, so I tried starting snort w/no rules enabled, but get the same error above.
> In the WAN Preprocessors section everything is default, and I have all preprocessors enabled except 'enable sensitive data'.
> Any advice? Thanks in advance,
> Lawrence
Something seems seriously wrong with your snort.conf file based on that error message. Can you get a copy of that file and post it? The path is in the error message you posted –
/usr/pbi/snort-amd64/etc/snort/snort_17037_em0/snort.conf
Bill
-
Hi bmeeks! Thanks for your reply! I've attached the config output. I have reinstalled the package a few times, and rebooted each time, but get the same error.
Thanks again! Lawrence
[snort config.txt](/public/imported_attachments/1/snort config.txt)
-
> Hi bmeeks! Thanks for your reply! I've attached the config output. I have reinstalled the package a few times, and rebooted each time, but get the same error.
> Thanks again! Lawrence
I see the problem. How did this value (0.0.0.0) get in the HOME_NET variable? It is causing the problem. It means "any network", so in the definition of EXTERNAL_NET, which is by default "not HOME_NET", that translates to !any which is invalid and hence the error is thrown. The 0.0.0.0 value in HOME_NET should not be there.
Just guessing by the fact it is adjacent to the addresses for that pair of Level 3 DNS servers, could this by chance be a typo in a third DNS server's IP address? Your DNS servers, by default, are added to the HOME_NET variable.
```
# Define Local Network
var HOME_NET [0.0.0.0,4.2.2.2,4.2.2.3,10.0.1.0/24,96.X.X.X,96.X.X.X,127.0.0.1,208.67.222.222]
var EXTERNAL_NET [!$HOME_NET]
```
Bill
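Bill's diagnosis above (an "any" entry in HOME_NET turning the default EXTERNAL_NET into the invalid !any, plus the unparseable-address failure from earlier in the thread) can be turned into a quick pre-flight check on a pfSense-generated snort.conf before restarting the service. This is an added example, not code from the thread or from the pfSense Snort package; the sample configuration is constructed after the lines posted here, and `parse_vars`, `is_any` and `check_nets` are hypothetical names that only handle the `var NAME [...]` form shown on this page.

```python
import ipaddress
import re
# Constructed sample (hypothetical addresses) modelled on the snort.conf lines posted in this thread.
SAMPLE_CONF = """\
# Define Local Network
var HOME_NET [0.0.0.0,4.2.2.2,4.2.2.3,10.0.1.0/24,127.0.0.1,208.67.222.222]
var EXTERNAL_NET [!$HOME_NET]
"""
VAR_RE = re.compile(r"^\s*(?:ip)?var\s+(\w+)\s+(.+?)\s*$")

def parse_vars(conf_text):
    """Map each 'var NAME [a,b,...]' line to (line number, list of entries)."""
    found = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line)
        if m:
            entries = [e.strip() for e in m.group(2).strip("[]").split(",") if e.strip()]
            found[m.group(1)] = (lineno, entries)
    return found

def is_any(entry):
    """0.0.0.0, 'any' and /0 networks all mean 'every address' to Snort."""
    try:
        return entry in ("any", "0.0.0.0") or ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False

def check_nets(conf_text, allow_ipv6=True):
    """Return (line, message) pairs for entries that make Snort abort on startup."""
    found = parse_vars(conf_text)
    home_line, home = found.get("HOME_NET", (0, []))
    problems, home_is_any = [], False
    for raw in home:
        entry = raw.lstrip("!")  # Snort allows negated entries inside a list
        if is_any(entry):
            home_is_any = True
            problems.append((home_line, f"{entry} in HOME_NET means 'any network'"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append((home_line, f"Failed to parse the IP address: {entry}"))
            continue
        if net.version == 6 and not allow_ipv6:
            problems.append((home_line, f"IPv6 entry {entry} not accepted by this Snort build"))
    # EXTERNAL_NET defaults to !$HOME_NET, so 'any' in HOME_NET becomes the invalid !any
    ext = found.get("EXTERNAL_NET")
    if home_is_any and ext and any(x.replace(" ", "") == "!$HOME_NET" for x in ext[1]):
        problems.append((ext[0], "!any is not allowed in EXTERNAL_NET"))
    return problems
```

Run `check_nets(open(path).read())` against the file named in the FATAL ERROR line; pass `allow_ipv6=False` to also flag IPv6 entries on a build that rejects them, as the first poster's log suggested.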
-
Hey Bill, that was it! You were correct about the 0.0.0.0, and also the wrong DNS IP (that was a typo) :-[
I remember putting in that 0.0.0.0 one day, and forgot all about it.
Thank you so much for straightening me out, that was driving me crazy for weeks.
Lawrence
-
> Hey Bill, that was it! You were correct about the 0.0.0.0, and also the wrong DNS IP (that was a typo) :-[
> I remember putting in that 0.0.0.0 one day, and forgot all about it.
> Thank you so much for straightening me out, that was driving me crazy for weeks.
> Lawrence
You're welcome. Glad you are up and running.
Bill