Snort won't start, or will it.
-
So I was read somewhere that IPv6 is not supported in snort, I was running IPv6 on a couple interfaces, although Snort was not monitoring them.
I changed all interfaces over to IPv4 and re-installed the Snort package. It works now.
It looks as though if I run IPv6 on ANY interface, Snort will not run, I found this odd because as I said, the interfaces that were running IPv6 were not being monitored by snort.
Is this normal? I could swear that I had been running IPv6 on these interfaces (VLAN Trunks) for some time with no trouble, Snort only looks at my WAN.
Snort works with IPv6 and can block IPv6 as well. I have it working on my home firewall just fine. It's Barnyard2 that does not support writing IPv6 to MySQL databases, so there can be issues with that.
Bill
-
So I was read somewhere that IPv6 is not supported in snort, I was running IPv6 on a couple interfaces, although Snort was not monitoring them.
I changed all interfaces over to IPv4 and re-installed the Snort package. It works now.
It looks as though if I run IPv6 on ANY interface, Snort will not run, I found this odd because as I said, the interfaces that were running IPv6 were not being monitored by snort.
Is this normal? I could swear that I had been running IPv6 on these interfaces (VLAN Trunks) for some time with no trouble, Snort only looks at my WAN.
Snort works with IPv6 and can block IPv6 as well. I have it working on my home firewall just fine. It's Barnyard2 that does not support writing IPv6 to MySQL databases, so there can be issues with that.
Bill
Well that certainly muddies thing up a bit more, I don't run Barnyard2 at all, but I did enable it and do a quick set up on it today. Whenever I setup any interface to run IPv6, Snort stops working, it then takes changing back any and all interfaces to IPv4, and a un-install and re-install of Snort to get it working again, color me confused.
-
So I was read somewhere that IPv6 is not supported in snort, I was running IPv6 on a couple interfaces, although Snort was not monitoring them.
I changed all interfaces over to IPv4 and re-installed the Snort package. It works now.
It looks as though if I run IPv6 on ANY interface, Snort will not run, I found this odd because as I said, the interfaces that were running IPv6 were not being monitored by snort.
Is this normal? I could swear that I had been running IPv6 on these interfaces (VLAN Trunks) for some time with no trouble, Snort only looks at my WAN.
Snort works with IPv6 and can block IPv6 as well. I have it working on my home firewall just fine. It's Barnyard2 that does not support writing IPv6 to MySQL databases, so there can be issues with that.
Bill
Well that certainly muddies thing up a bit more, I don't run Barnyard2 at all, but I did enable it and do a quick set up on it today. Whenever I setup any interface to run IPv6, Snort stops working, it then takes changing back any and all interfaces to IPv4, and a un-install and re-install of Snort to get it working again, color me confused.
I use a Hurricane Electric IPv6 tunnel broker account and have an IPv6 network on my LAN (and via the tunnel on my WAN). I have not seen any issues other than Barnyard2 won't log IPv6 addresses to the MySQL database (I use Snorby to accept data from Barnyard2).
Bill
-
edit missread - the above post - its not an ipv6 issue.
-
System –> Advanced --> Networking --> "allow ipv6" (uncheck this...turn it off).
Soon as I did that snort started working. Wow ... There should be prerequisite checker in pfsense (or even a warning on the package) that discloses this.
Ugh?! There is no such prerequisite like IPv6 "disabled". (All that it does is block all IPv6 traffic in packet filter anyway, as written in the GUI.) It's even discussed above (some year ago before your necropost).
-
^and turning it off didn't solve the problem. Still having issues w/ rebooting the firewall and the service not starting back up.
-
Anybody having this issue also have suricata installed and enabled on the wan interface?
-
^and turning it off didn't solve the problem. Still having issues w/ rebooting the firewall and the service not starting back up.
What do you mean exactly? How are you checking this? This is now started in backgroundl since it takes long to start, depending on HW and configuration.
-
I think I figured out how to fix the bug. Go into "snort interfaces" and then "wan categories"
Turn off all the categories, then turn any one of them on (just one)….and save it. Then if you go back into "snort interfaces" it will say the WAN is enabled. After that, go back into the "wan categories and turn on either all or whatever ones you want one, and it will stay enabled.
-
I had this issue with pfSesne 2.4.2 and had no luck fixing the issue with any of the suggestions. Though I do think I have now found out why the WAN interface went down.
As I had set up Snort previously, access to checkip.dyndns.org was noted in the Alerts tab. Enabling a suppression list for the following IP addresses seems to have corrected my connection issues.suppress gen_id 1, sig_id 2014932, track by_src, ip 91.198.22.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.38.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.43.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.43.71
