Netgate Discussion Forum
    PfSense 2.1.4 + Snort 2.9.6.2 pkg v3.1.1 + IPv6 /64 == snort is unable to start

    pfSense Packages
    2 Posts 2 Posters 1.1k Views
    • chase

      Configuration

      • pfSense : 2.1.4
      • Snort : 2.9.6.2 pkg v3.1.1
      • Comcast assigned three IPv6 /64 to three internal interfaces that are "Tracking" the WAN IPv6 DHCPv6 request for an IPv6 /60.

      Problem

      Snort will not start due to a failure to parse the IP address for HOME_NET. Google searches suggest it is due to IPv6 addresses in HOME_NET.

      Questions

      • Is there a workaround and/or recommended correction for the FATAL ERROR (see Detail)?
      • Why does snort add trusted DNS servers to HOME_NET, as opposed to creating a new variable to specifically track DNS behaviors explicitly by naming the DNS servers there?
      • There are three interfaces on my pfSense firewall that are "Tracking" the WAN IPv6 DHCPv6 request for an IPv6 /60 delegation prefix. Comcast is assigning each of those internal interfaces an IPv6 /64 address space. When IPv6 addresses get rotated, will snort automagically restart to pick up changed IPv6 address assignments for HOME_NET?

      Detail:

      carrollFW snort[82375]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2700_em5/snort.conf(5) Failed to parse the IP address: [10.10.10.0/24,10.10.25.0/24,10.10.26.0/24,75.75.75.75,75.75.76.76,98.240.248.1,98.240.251.121,127.0.0.1,192.168.25.0/24,192.168.26.0/24,216.146.35.35,216.146.36.36,2001:558:feed::1,2001:558:feed::2,2601:2:5a80:f63::/64,2601:2:5a80:f64::/64,2601:2:5a80:f65::/64,fe80::214:f1ff:fee8:e8e2,fe80::217:c5ff:fec2:8808%em5].

      • bmeeks

        The fix for this has been submitted and is awaiting review and approval by the pfSense Core Team.  The request has been posted for 23 days as of today.  I sent a friendly reminder e-mail today asking the team for an estimate on when this will be merged.

        Here is the active Pull Request:  https://github.com/pfsense/pfsense-packages/pull/692

        The problem is the interface domain tagged onto the end of the Link-Local address.  That trips up Snort (and Suricata).  The coming fix strips that off when adding Link-Local addresses to HOME_NET and PASS LISTS.  There is really no workaround so long as you enable and use IPv6 on your interfaces.

        Questions

        • Is there a workaround and/or recommended correction for the FATAL ERROR (see Detail)?

        • Why does snort add trusted DNS servers to HOME_NET, as opposed to creating a new variable to specifically track DNS behaviors explicitly by naming the DNS servers there?

        • There are three interfaces on my pfSense firewall that are "Tracking" the WAN IPv6 DHCPv6 request for an IPv6 /60 delegation prefix. Comcast is assigning each of those internal interfaces an IPv6 /64 address space. When IPv6 addresses get rotated, will snort automagically restart to pick up changed IPv6 address assignments for HOME_NET?

        You can uncheck the box for including DNS servers in HOME_NET if you don't want them there.  You can instead add them via an Alias on the VARIABLES tab in Snort.  First create an alias under Firewall…Aliases containing your DNS server or servers, then put that alias name in the DNS Servers box on the VARIABLES tab.

        No, there is no way for Snort to magically restart on its own if you get new IPv6 addresses.  However, there is some logic in pfSense that will restart packages when there is an IP change on the WAN.  That may trigger what you want.

        Bill

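The parse failure bmeeks describes above (the "%em5" zone index on a link-local address inside HOME_NET) can be reproduced and checked before a config is written out. The following is an added Python example, not code from this thread or from the pfSense Snort package (whose fix is in PHP): it takes a constructed HOME_NET list modelled on the FATAL ERROR in the first post, reports entries carrying a zone index, strips the index the way the described fix does, and validates every entry with the standard ipaddress module so anything Snort would still choke on is reported rather than silently shipped.

```python
import ipaddress

# Constructed sample modelled on the FATAL ERROR in this thread: a trimmed
# HOME_NET with one link-local entry still carrying its "%em5" zone index.
SAMPLE_HOME_NET = (
    "10.10.10.0/24,10.10.25.0/24,127.0.0.1,"
    "2001:558:feed::1,2601:2:5a80:f63::/64,"
    "fe80::214:f1ff:fee8:e8e2,fe80::217:c5ff:fec2:8808%em5"
)


def split_entries(home_net):
    """Split a comma-separated HOME_NET string into non-empty entries."""
    return [e.strip() for e in home_net.split(",") if e.strip()]


def find_zone_tagged(home_net):
    """Entries that carry an RFC 4007 zone index ("%ifname"); Snort rejects these."""
    return [e for e in split_entries(home_net) if "%" in e]


def strip_zone(entry):
    """Drop the zone index from an address while keeping any /prefix length."""
    addr, sep, prefix = entry.partition("/")
    addr = addr.split("%", 1)[0]
    return addr + sep + prefix


def sanitize_home_net(home_net):
    """Return (clean, rejected): zone-stripped entries that parse, and those that do not.

    Each entry is validated as an IPv4/IPv6 host or network; host addresses
    are accepted as /32 or /128 by ip_network(strict=False).
    """
    clean, rejected = [], []
    for raw in split_entries(home_net):
        candidate = strip_zone(raw)  # no-op for entries without a zone index
        try:
            ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        clean.append(candidate)
    return clean, rejected


if __name__ == "__main__":
    print("zone-tagged:", find_zone_tagged(SAMPLE_HOME_NET))
    ok, bad = sanitize_home_net(SAMPLE_HOME_NET)
    print("HOME_NET:", ",".join(ok))
    print("rejected:", bad)
```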
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.