Help plz - problem with snort



  • I have a new, freshly installed pfSense on its own dedicated hardware, no VM here ;)
    So far I like it, but I can't get Snort to function correctly.

    This is what System Logs say:
    snort 8112 FATAL ERROR: /usr/local/etc/snort/snort_18474_igb0/snort.conf(6) !any is not allowed in EXTERNAL_NET.
    php-fpm 5567 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 18474 -D -q --suppress-config-log -l /var/log/snort/snort_igb018474 --pid-path /var/run --nolock-pidfile -G 18474 -c /usr/local/etc/snort/snort_18474_igb0/snort.conf -i igb0' returned exit code '1', the output was ''

    I have reinstalled Snort, disabled rules and re-enabled them, rebooted pfSense, looked at guides and tutorials and followed them step by step, but nothing seems to fix this.

    Any idea?


  • LAYER 8 Global Moderator

    So what version of pfSense are you running, for starters?  Pretty sure you click install package and it's up and running..  So you're saying you get that error before doing any config?  Or what is the config you're trying to do?

    This seems like a major sort of issue

    !any is not allowed in EXTERNAL_NET.



  • Did you try to configure the $EXTERNAL_NET variable yourself perhaps?  Snort is saying the value of "!any" is invalid (and it is).  Typically EXTERNAL_NET is defined as "!HOME_NET" (meaning all addresses not explicitly defined as HOME_NET are assumed to be external and thus in EXTERNAL_NET).  In Snort, HOME_NET represents networks to be protected (and usually, but not always, trusted).  EXTERNAL_NET usually represents the bad guys (as in the Internet).

    As @johnpoz asked, it would be helpful to know the version of Snort package and pfSense that you are using.

    Bill



  • @bmeeks:

    Did you try to configure the $EXTERNAL_NET variable yourself perhaps?  Snort is saying the value of "!any" is invalid (and it is).  Typically EXTERNAL_NET is defined as "!HOME_NET" (meaning all addresses not explicitly defined as HOME_NET are assumed to be external and thus in EXTERNAL_NET).  In Snort, HOME_NET represents networks to be protected (and usually, but not always, trusted).  EXTERNAL_NET usually represents the bad guys (as in the Internet).

    As @johnpoz asked, it would be helpful to know the version of Snort package and pfSense that you are using.

    Bill

    I have not configured external_net, or anything else yet; it's all default values.
    Why is !any invalid? Don't I want my IPs to be trusted and the rest (!home_net in other words) to be untrusted?

    The version that I use is the latest according to pfSense: Snort 3.2.9.1_14

    When I look in the Snort interface/settings/network, the "home_net" default list contains the IP of the subnet, WAN, router and DNS.
    But when I look in the "external_net" default list it contains the same IPs as the "home_net" with "!" in front of them.

    Any idea how I go from here?



  • !any is invalid for EXTERNAL_NET.  The default settings for HOME_NET and EXTERNAL_NET are correct for almost every application.  The "any" keyword is most often used to indicate "all ports", but can also mean "all addresses".

    HOME_NET, by default, will be configured by the Snort package to include your LAN address block along with any other locally attached networks (LAN1, LAN2, etc., if you have multiple local networks).  It will also include your DNS servers and the WAN gateway.  Finally, it will include the specific external IP (the WAN IP) of the firewall.

    EXTERNAL_NET is then everything else (meaning every address not specified in HOME_NET), so the parameter !HOME_NET accomplishes this.  The exclamation point symbol is the NOT or negate symbol, so putting it in front of HOME_NET tells Snort to assume any IP address not a part of HOME_NET is External.

    You can change these defaults by creating a custom Pass List and then assigning the name of that custom Pass List as the HOME_NET or EXTERNAL_NET parameter.  Once you create a Pass List, it will show up as a selection in the drop-down box for HOME_NET or EXTERNAL_NET on the INTERFACE SETTINGS tab.

    Bill
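    The semantics Bill describes above (HOME_NET as an explicit list, EXTERNAL_NET as the negation of it, and "!any" being rejected because it would exclude everything) can be reproduced in a few lines. The following is an added example written for this thread, not code from the Snort project or the pfSense package: a small evaluator for `ipvar` lines that raises the same kind of error Snort printed for the poster and then classifies addresses as HOME_NET or EXTERNAL_NET. The two configuration snippets and every IP address in it are constructed sample values, not anyone's real network.

```python
"""Added example: a toy Snort-style ipvar evaluator (not part of Snort)."""
import ipaddress
import re

# Constructed sample of what the pfSense package generates for HOME_NET:
# LAN block, WAN IP, WAN gateway and two DNS servers (all made-up values).
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,203.0.113.10,203.0.113.1,9.9.9.9,149.112.112.112]
ipvar EXTERNAL_NET !$HOME_NET
"""

# Constructed reproduction of the bad value from the first post.
BROKEN_CONF = """\
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !any
"""

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(\S+)\s*$")


def parse_ipvars(conf_text):
    """Parse ipvar lines into {name: (negated, value)}.

    value is "any", the name of another ipvar it references, or a list of
    ip_network objects.  "!any" raises ValueError with a Snort-like message:
    a list that excludes every address can never match anything.
    """
    ipvars = {}
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = IPVAR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        negated = value.startswith("!")
        body = value[1:] if negated else value
        if body == "any":
            if negated:
                raise ValueError(
                    f"snort.conf({lineno}) !any is not allowed in {name}.")
            ipvars[name] = (False, "any")
        elif body.startswith("$"):
            ipvars[name] = (negated, body[1:])   # reference, e.g. !$HOME_NET
        else:
            nets = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in body.strip("[]").split(",")]
            ipvars[name] = (negated, nets)
    return ipvars


def matches(ipvars, name, addr):
    """Return True if addr is covered by the ipvar called name."""
    negated, value = ipvars[name]
    if value == "any":
        hit = True
    elif isinstance(value, str):          # follow a $VAR reference
        hit = matches(ipvars, value, addr)
    else:
        ip = ipaddress.ip_address(addr)
        hit = any(ip in net for net in value)
    return (not hit) if negated else hit  # "!" is NOT, as Bill says


def classify(ipvars, addr):
    """Label an address the way a rule header with $HOME_NET/$EXTERNAL_NET sees it."""
    if matches(ipvars, "HOME_NET", addr):
        return "HOME_NET"
    if matches(ipvars, "EXTERNAL_NET", addr):
        return "EXTERNAL_NET"
    return "neither"


if __name__ == "__main__":
    ok = parse_ipvars(SAMPLE_CONF)
    for a in ("192.168.1.25", "203.0.113.10", "198.51.100.7"):
        print(a, "->", classify(ok, a))
    try:
        parse_ipvars(BROKEN_CONF)
    except ValueError as e:
        print("FATAL ERROR:", e)
```

    With the default-style configuration, a LAN host and the firewall's own WAN IP land in HOME_NET and any other address falls through to EXTERNAL_NET; the broken configuration never gets that far, which is why Snort exits with status 1 before listening on the interface.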



  • @bmeeks:

    !any is invalid for EXTERNAL_NET.  The default settings for HOME_NET and EXTERNAL_NET are correct for almost every application.  The "any" keyword is most often used to indicate "all ports", but can also mean "all addresses".

    HOME_NET, by default, will be configured by the Snort package to include your LAN address block along with any other locally attached networks (LAN1, LAN2, etc., if you have multiple local networks).  It will also include your DNS servers and the WAN gateway.  Finally, it will include the specific external IP (the WAN IP) of the firewall.

    EXTERNAL_NET is then everything else (meaning every address not specified in HOME_NET), so the parameter !HOME_NET accomplishes this.  The exclamation point symbol is the NOT or negate symbol, so putting it in front of HOME_NET tells Snort to assume any IP address not a part of HOME_NET is External.

    You can change these defaults by creating a custom Pass List and then assigning the name of that custom Pass List as the HOME_NET or EXTERNAL_NET parameter.  Once you create a Pass List, it will show up as a selection in the drop-down box for HOME_NET or EXTERNAL_NET on the INTERFACE SETTINGS tab.

    Bill

    I get what you mean, but it doesn't work.
    External_net and home_net are at their default values but I still get the "!any is not allowed in EXTERNAL_NET."

    Is creating a pass list the only option for me?



  • @swetag:

    @bmeeks:

    !any is invalid for EXTERNAL_NET.  The default settings for HOME_NET and EXTERNAL_NET are correct for almost every application.  The "any" keyword is most often used to indicate "all ports", but can also mean "all addresses".

    HOME_NET, by default, will be configured by the Snort package to include your LAN address block along with any other locally attached networks (LAN1, LAN2, etc., if you have multiple local networks).  It will also include your DNS servers and the WAN gateway.  Finally, it will include the specific external IP (the WAN IP) of the firewall.

    EXTERNAL_NET is then everything else (meaning every address not specified in HOME_NET), so the parameter !HOME_NET accomplishes this.  The exclamation point symbol is the NOT or negate symbol, so putting it in front of HOME_NET tells Snort to assume any IP address not a part of HOME_NET is External.

    You can change these defaults by creating a custom Pass List and then assigning the name of that custom Pass List as the HOME_NET or EXTERNAL_NET parameter.  Once you create a Pass List, it will show up as a selection in the drop-down box for HOME_NET or EXTERNAL_NET on the INTERFACE SETTINGS tab.

    Bill

    I get what you mean, but it doesn't work.
    External_net and home_net are at their default values but I still get the "!any is not allowed in EXTERNAL_NET."

    Is creating a pass list the only option for me?

    You have something very wrong in the configuration information someplace.  If you have not used the package before, I suggest going to the GLOBAL SETTINGS tab and unchecking the box to "save settings" down near the bottom of the page.  This will wipe out the entire configuration when you uninstall the package.  Then remove the Snort package and reinstall it and configure again from a fresh start.

    Bill



  • @bmeeks:

    @swetag:

    @bmeeks:

    !any is invalid for EXTERNAL_NET.  The default settings for HOME_NET and EXTERNAL_NET are correct for almost every application.  The "any" keyword is most often used to indicate "all ports", but can also mean "all addresses".

    HOME_NET, by default, will be configured by the Snort package to include your LAN address block along with any other locally attached networks (LAN1, LAN2, etc., if you have multiple local networks).  It will also include your DNS servers and the WAN gateway.  Finally, it will include the specific external IP (the WAN IP) of the firewall.

    EXTERNAL_NET is then everything else (meaning every address not specified in HOME_NET), so the parameter !HOME_NET accomplishes this.  The exclamation point symbol is the NOT or negate symbol, so putting it in front of HOME_NET tells Snort to assume any IP address not a part of HOME_NET is External.

    You can change these defaults by creating a custom Pass List and then assigning the name of that custom Pass List as the HOME_NET or EXTERNAL_NET parameter.  Once you create a Pass List, it will show up as a selection in the drop-down box for HOME_NET or EXTERNAL_NET on the INTERFACE SETTINGS tab.

    Bill

    I get what you mean, but it doesn't work.
    External_net and home_net are at their default values but I still get the "!any is not allowed in EXTERNAL_NET."

    Is creating a pass list the only option for me?

    You have something very wrong in the configuration information someplace.  If you have not used the package before, I suggest going to the GLOBAL SETTINGS tab and unchecking the box to "save settings" down near the bottom of the page.  This will wipe out the entire configuration when you uninstall the package.  Then remove the Snort package and reinstall it and configure again from a fresh start.

    Bill

    I haven't used it before, but now I have made sure that save thing isn't checked and uninstalled the package; how do I remove it?



  • If you uninstalled the package with the "Save Settings" checkbox unchecked, then all remnants of Snort were removed from your config.xml file which the firewall uses to store all of your configuration information.  So if you re-install the package, it should behave as a 100% fresh install with no pre-existing configuration settings brought over.

    Bill



  • @bmeeks:

    If you uninstalled the package with the "Save Settings" checkbox unchecked, then all remnants of Snort were removed from your config.xml file which the firewall uses to store all of your configuration information.  So if you re-install the package, it should behave as a 100% fresh install with no pre-existing configuration settings brought over.

    Bill

    Great.

    So I uninstalled the package and reinstalled it; didn't help.
    Installed Suricata and it worked out of the box.
    So I made a pass list and used that for external_net in Snort instead, and it worked. But now the "!" in front of the IPs is gone, exactly like the home_net. In other words it says that my external_net is home_net now, but it worked somehow.
    But when I added rules it stopped working again.
    So I tried to find out exactly why it stops working and I have somewhat narrowed it down to the "emerging" rules; when I add one of them, Snort stops working.

    I have no idea what's going on anymore :P

