Snort Block Offenders kills interface.
-
Hi Guys,
I am working with snort and for some reason when I enable the block offenders option on an interface it kills the interface. I have all the default options.
Without block offenders selected I can stop and start the interface (red and white x to green and white start button) but as soon as I click the block offenders option i can no longer start the interface (stuck on the red and white x).
Thanks
James
-
Check your system log to see why Snort fails to start.
-
would that be /var/log/system.log? I did check it out and have not seen any errors. The interface seems to come up and down but the red and white x remains. Also when I create a rule it doesn't work for the interface unless I remove the block offenders option and then the rule and the interface run fine.
-
would that be /var/log/system.log? I did check it out and have not seen any errors. The interface seems to come up and down but the red and white x remains. Also when I create a rule it doesn't work for the interface unless I remove the block offenders option and then the rule and the interface run fine.
Look under Status…System Logs. You may need to click the Settings tab once that page is displayed and tick the box to show newest events first (that is, show events in reverse order) and expand the number of entries displayed to like 250 or more.
Now go back and try to start Snort with blocking enabled. You should get an error message of some type in the system log. My first thought is perhaps your system is missing the <snort2c>table. That has happened to folks who have used the Traffic Shaper. It seems to delete the <snort2c>system table that Snort needs for blocking – or at least it was doing that a while back.
Bill</snort2c></snort2c>
