    Snort won't start

      maverick_slo

      Hi all!
      All of a sudden I get this error when I try to start snort:

      Aug 1 12:45:15 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 10837 -D -q -l /var/log/snort/snort_em210837 --pid-path /var/run --nolock-pidfile -G 10837 -c /usr/pbi/snort-i386/etc/snort/snort_10837_em2/snort.conf -i em2' returned exit code '1', the output was ''

      Aug 1 12:45:15 snort[73626]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_10837_em2/snort.conf(5) Failed to parse the IP address: [/,8.8.4.4,8.8.8.8,10.10.0.0/24,10.15.20.0/24,85.10.XX.X,85.10.XX.XX,92.37.XX.XX/32,127.0.0.1,172.16.16.0/24,192.168.100.0/24,212.18.XX.XX,212.18.XX.XX,2001:15c2:XXX:XXX::/64,2001:15c2:XXX:XXX::/64,2001:15c2:XXX:XXX::/64].

      Any idea what went wrong?
      I use the latest package.

        Supermule Banned

        Can you try and disable IPv6 on the FW and restart the package?

        So HOME_NET in Snort only contains IPv4 addresses…

          BBcan177 Moderator

          Maybe it's an issue with the "Pass Lists"

          First create an "Alias" in the Firewall Tab and add the IPs there.

          Or you have an issue in the Snort Interface "Define Server (IP Variables)" section?

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            maverick_slo

            lol reboot fixed it
            machine was up 33 days.
            lol windows syndrome

              bmeeks

              @maverick_slo:

              Hi all!
              All of a sudden I get this error when I try to start snort:

              Aug 1 12:45:15 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 10837 -D -q -l /var/log/snort/snort_em210837 --pid-path /var/run --nolock-pidfile -G 10837 -c /usr/pbi/snort-i386/etc/snort/snort_10837_em2/snort.conf -i em2' returned exit code '1', the output was ''

              Aug 1 12:45:15 snort[73626]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_10837_em2/snort.conf(5) Failed to parse the IP address: [/,8.8.4.4,8.8.8.8,10.10.0.0/24,10.15.20.0/24,85.10.XX.X,85.10.XX.XX,92.37.XX.XX/32,127.0.0.1,172.16.16.0/24,192.168.100.0/24,212.18.XX.XX,212.18.XX.XX,2001:15c2:XXX:XXX::/64,2001:15c2:XXX:XXX::/64,2001:15c2:XXX:XXX::/64].

              Any idea what went wrong?
              I use the latest package.

              That leading forward slash in the HOME_NET variable is the problem.  Don't know what IP should be there, but it did not get there.  I see that a reboot fixed the issue for you, though.

              Bill

                maverick_slo

                Yeah I know it was because of that slash :)
                I downed/upped ifaces but it was still there :)

                  maverick_slo

                  Heh…
                  Same thing again on 2.2
                  If I reboot, all is OK.
                  Is it possible to mod the package to omit this "/" thing in IP address list?

                  Regards,
                  Mav

                    bmeeks

                    @maverick_slo:

                    Heh…
                    Same thing again on 2.2
                    If I reboot, all is OK.
                    Is it possible to mod the package to omit this "/" thing in IP address list?

                    Regards,
                    Mav

                    Would need to first know where it is coming from.  When you look at it during the "broken time", note where the slash is located.  Then after a reboot when it is working, note what IP address is located where the slash was.  Tell me what interface or function the IP address is associated with.  It's like maybe something is returning a null IP and subnet, but when the firewall is rebooted a valid IP and subnet is then returned.

                    Bill

                      maverick_slo

                      Yeah I looked at that…
                      instead of slash there is nothing after reboot.
                      I compared both lists before and after reboot and slash was added there... After reboot slash is gone....

                        bmeeks

                        @maverick_slo:

                        Yeah I looked at that…
                        instead of slash there is nothing after reboot.
                        I compared both lists before and after reboot and slash was added there... After reboot slash is gone....

                        That limits my troubleshooting.  It would be helpful to have an idea what IP address is not there.  I can add some checks for empty strings and make sure they are not added to a PASS LIST or to HOME_NET.  I will put that on my bug list for a future update.

                        Bill

                          maverick_slo

                          Thanks much appreciated.
                          This actually happens on 2 of my systems, both latest 2.2 release and both latest snort packages…

                            bmeeks

                            @maverick_slo:

                            Thanks much appreciated.
                            This actually happens on 2 of my systems, both latest 2.2 release and both latest snort packages…

                            I had a flash of inspiration.  Check that you don't perhaps have an Alias defined someplace in a PASS LIST that initially evaluates to an empty string.

                            Bill

                              maverick_slo

                              Huh I only have 1 alias used in passlist and this one is full of IPs :)

                                bmeeks

                                I see some locations in the code of the function that generates the PASS LIST and HOME_NET variables where an empty string returned for an IP address and subnet bit length could result in simply a slash ( "/" ) getting written to the variable.  I will add some extra validation code in that function for the next release.

                                This is apparently a rare thing, and something in setup appears to be exposing it.

                                Bill

                                  bmeeks

                                  I posted a Pull Request today that adds some additional validation checks on IP addresses and subnets when creating the HOME_NET and PASS LIST values for Snort.  Hopefully this corrects the issue with only a single forward slash ( "/" ) getting into HOME_NET and/or PASS LISTS.

                                  Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/805

                                  Bill
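
The failure mode described in the last two posts (an empty address and an empty subnet length joined into a bare "/"), next to a validated list builder and a pre-start check of a HOME_NET line. This is an added example, not part of the thread and not the code from the Pull Request; the function names, the (ip, bits) pair format and all sample values are assumptions constructed for illustration.

```python
import ipaddress

def format_entry(ip, bits):
    """Return 'ip' or 'ip/bits' when both parts validate, else None."""
    ip, bits = (ip or "").strip(), (bits or "").strip()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                      # empty or malformed address
    if bits == "":
        return str(addr)                 # single host, no prefix length
    if not bits.isdecimal() or int(bits) > addr.max_prefixlen:
        return None                      # prefix not a number or out of range
    return f"{addr}/{int(bits)}"

def naive_list(pairs):
    """Unchecked concatenation: an empty pair becomes a bare '/'."""
    return ",".join(f"{ip}/{bits}" for ip, bits in pairs)

def build_list(pairs):
    """Validated, de-duplicated entries in their original order."""
    out = []
    for ip, bits in pairs:
        entry = format_entry(ip, bits)
        if entry and entry not in out:
            out.append(entry)
    return out

def bad_entries(conf_line):
    """Entries of an 'ipvar NAME [a,b,...]' line that are not IP or CIDR.
    Negated (!) entries and nested lists are not handled here."""
    inner = conf_line[conf_line.index("[") + 1:conf_line.rindex("]")]
    bad = []
    for item in (i.strip() for i in inner.split(",")):
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            bad.append(item)
    return bad

# Constructed sample data (documentation ranges), not values from the thread.
PAIRS = [("192.168.100.1", "24"), ("", ""), ("8.8.8.8", ""),
         ("2001:db8:1::1", "64"), ("10.10.0.1", "33"), ("192.168.100.1", "24")]
CONF = "ipvar HOME_NET [/,8.8.4.4,10.10.0.0/24,2001:db8:1::/64]"

if __name__ == "__main__":
    print(naive_list(PAIRS))   # contains the bare "/" entry
    print(build_list(PAIRS))
    print(bad_entries(CONF))
```
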
