Netgate Discussion Forum
Snort Fatal Error

IDS/IPS
  • S
    sparkynerd
    last edited by Mar 22, 2015, 2:23 PM Mar 15, 2015, 11:48 PM

    I just set up Snort on 2.2 and I get the following error in the logs when I try to start it:

    php-fpm[84074]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-i386/bin/snort -R 45986 -D -q --suppress-config-log -l /var/log/snort/snort_fxp045986 --pid-path /var/run --nolock-pidfile -G 45986 -c /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''
    snort[77151]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET
    php-fpm[84074]: /snort/snort_interfaces.php: [Snort] Snort START for WAN_PORT_5(fxp0)…

    Any ideas what I can check here? Below is the first part of snort.conf:

    Edit: Conf file excerpt removed at Sparkynerd's request.

    • F
      fragged
      last edited by Mar 16, 2015, 5:36 AM

      "::" probably shouldn't be on either list?

      • B
        bmeeks
        last edited by Mar 16, 2015, 11:55 PM

        @fragged is correct.  That "::" address is an invalid and empty IPv6 address.  What kinds of interfaces do you have Snort running on?  I mean, for example, do you have VLANs, something strange on the WAN other than standard DHCP or static addressing, etc.  We need to figure out where that bogus "::" address is coming from.  It is being picked up by Snort from some defined interface in the configuration.

        Bill

        • S
          sparkynerd
          last edited by Mar 19, 2015, 9:14 PM

          Thanks for the help! To answer your questions:

          What kinds of interfaces do you have Snort running on?

          ~ Snort is currently running only on the WAN port (fxp0)

          do you have VLANs

          ~ I do have (2) VLANs {VLAN2 - opt4 - em3, VLAN3 - opt5 - em3}. Both are assigned to the LAN port (opt2 - em3) of this device.

          something strange on the WAN other than standard DHCP or static addressing, etc

          ~ WAN port is standard setup, DHCP, nothing special. IPV6 is also set up as DHCP, but I don't use IPV6. Should this be disabled?

          The (2) VLANs on opt2 are connected to a managed switch with the same (2) VLANs, and there is a wireless access point also connected to this managed switch with those same (2) VLANs.

          To ask a noob question, what would happen if I remove the :: from the config file? Also, what do the "!" signify in the config file / external net section? It seems strange that the error is "FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET"

          • S
            sparkynerd
            last edited by Mar 19, 2015, 9:53 PM

            You guys are GENIUS! Just to take a chance, I disabled IPV6 on my WAN, rebooted, and ba-bam! It's working now! Thanks!  ;D

            1 Reply Last reply Reply Quote 0
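
A pre-start check for the failure discussed in this thread, added here as an example and not code from the thread or from the pfSense Snort package: it parses `ipvar`/`var` lines, follows `$VAR` references, and reports any negated list (such as `EXTERNAL_NET !$HOME_NET`) that contains `any`, an unspecified address like `::`, or a /0 prefix. The sample configuration is constructed (the poster's excerpt was removed), and the link between the `::` entry and the `!any` error is the thread's diagnosis, taken here as an assumption.

```python
import ipaddress
import re

# Constructed sample; the original poster's snort.conf excerpt is not on the page.
SAMPLE_CONF = """\
ipvar HOME_NET [10.0.2.0/24,192.168.1.0/24,::,fe80::1]
ipvar EXTERNAL_NET !$HOME_NET
"""

VAR_RE = re.compile(r"^[ \t]*(?:ipvar|var)[ \t]+(\w+)[ \t]+(.+)$", re.M)
STRIP_SYNTAX = str.maketrans("", "", "[]!")  # drop list brackets and negation marks

def parse_ipvars(conf_text):
    """Return {name: raw value} for every ipvar/var line in the config text."""
    return {m.group(1): m.group(2).strip() for m in VAR_RE.finditer(conf_text)}

def entries(value, ipvars, seen=()):
    """Flatten a Snort IP list into plain entries, following $VAR references."""
    out = []
    for item in value.translate(STRIP_SYNTAX).split(","):
        item = item.strip()
        if item.startswith("$"):
            name = item[1:]
            if name in ipvars and name not in seen:  # guard against reference loops
                out += entries(ipvars[name], ipvars, seen + (name,))
        elif item:
            out.append(item)
    return out

def covers_everything(entry):
    """True for 'any', an unspecified address (:: or 0.0.0.0) or a /0 prefix."""
    if entry.lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # not an address literal; left for Snort itself to reject
    return net.prefixlen == 0 or net.network_address.is_unspecified

def check_negated_vars(conf_text):
    """Return (variable, offending entry) pairs for every negated variable."""
    ipvars = parse_ipvars(conf_text)
    findings = []
    for name, value in ipvars.items():
        if value.startswith("!"):
            findings += [(name, e) for e in entries(value, ipvars) if covers_everything(e)]
    return findings

if __name__ == "__main__":
    for name, entry in check_negated_vars(SAMPLE_CONF):
        print(f"{name}: negated list contains {entry!r}")
```

Running it against the generated `snort.conf` before starting the interface points at the variable and entry to trace back to an interface setting, which here was IPv6 on the WAN.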