    Help plz - problem with snort

    IDS/IPS
    • S
      swetag last edited by

      I have a new, freshly installed pfSense on its own dedicated hardware, no VM here ;)
      So far I like it, but I can't get Snort to function correctly.

      This is what System Logs say:
      snort 8112 FATAL ERROR: /usr/local/etc/snort/snort_18474_igb0/snort.conf(6) !any is not allowed in EXTERNAL_NET.
      php-fpm 5567 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 18474 -D -q --suppress-config-log -l /var/log/snort/snort_igb018474 --pid-path /var/run --nolock-pidfile -G 18474 -c /usr/local/etc/snort/snort_18474_igb0/snort.conf -i igb0' returned exit code '1', the output was ''

      I have reinstalled Snort, disabled rules and re-enabled them, rebooted pfSense, looked at guides and tutorials and followed them step by step, but nothing seems to fix this.

      Any idea?

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        So what version of pfSense are you running, for starters?  Pretty sure you click install package and it's up and running.  So you're saying you get that error before doing any config?  Or what is the config you're trying to do?

        This seems like a major sort of issue:

        !any is not allowed in EXTERNAL_NET.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        • bmeeks
          bmeeks last edited by

          Did you try to configure the $EXTERNAL_NET variable yourself perhaps?  Snort is saying the value of "!any" is invalid (and it is).  Typically EXTERNAL_NET is defined as "!HOME_NET" (meaning all addresses not explicitly defined as HOME_NET are assumed to be external and thus in EXTERNAL_NET).  In Snort, HOME_NET represents networks to be protected (and usually, but not always, trusted).  EXTERNAL_NET usually represents the bad guys (as in the Internet).

          As @johnpoz asked, it would be helpful to know the version of Snort package and pfSense that you are using.

          Bill

          • S
            swetag last edited by

            @bmeeks:

            I have not configured external_net, or anything else yet; it's all default values.
            Why is !any invalid? Don't I want my IPs to be trusted and the rest (!home_net, in other words) to be untrusted?

            The version that I use is the latest according to pfSense: Snort 3.2.9.1_14

            When I look in the Snort interface settings / network, the "home_net" default list contains the IP of the subnet, WAN, router and DNS.
            But when I look in the "external_net" default list, it contains the same IPs as "home_net" with "!" in front of them.

            Any idea how I go on from here?

            • bmeeks
              bmeeks last edited by

              !any is invalid for EXTERNAL_NET.  The default settings for HOME_NET and EXTERNAL_NET are correct for almost every application.  The "any" keyword is most often used to indicate "all ports", but can also mean "all addresses".

              HOME_NET, by default, will be configured by the Snort package to include your LAN address block along with any other locally attached networks (LAN1, LAN2, etc., if  you have multiple local networks).  It will also include your DNS servers and the WAN gateway.  Finally, it will include the specific external IP (the WAN IP) of the firewall.

              EXTERNAL_NET is then everything else (meaning every address not specified in HOME_NET), so the parameter !HOME_NET accomplishes this.  The exclamation point symbol is the NOT or negate symbol, so putting it in front of HOME_NET tells Snort to assume any IP address not a part of HOME_NET is External.

              You can change these defaults by creating a custom Pass List and then assigning the name of that custom Pass List as the HOME_NET or EXTERNAL_NET parameter.  Once you create a Pass List, it will show up as a selection in the drop-down box for HOME_NET or EXTERNAL_NET on the INTERFACE SETTINGS tab.

              Bill

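As an added illustration of the HOME_NET / EXTERNAL_NET semantics bmeeks describes (example code written for this thread, not part of the Snort package or pfSense), the snippet below parses a constructed snort.conf fragment in Snort's `ipvar` syntax, reports a negated `any` with a message in the same form as the fatal error the thread is about, and shows that `!$HOME_NET` matches exactly the addresses HOME_NET does not. The conf text and addresses are sample values, not the poster's configuration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed snort.conf fragment for this example (not a real firewall's file).
# Line 3 carries the invalid value the thread's fatal error complains about.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,203.0.113.10,198.51.100.53]
ipvar EXTERNAL_NET !$HOME_NET
ipvar BAD_NET !any
"""

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(\S+)\s*$", re.M)


def parse_ipvars(conf_text: str) -> Dict[str, Tuple[bool, list]]:
    """Map each ipvar name to (negated, networks).
    'any' becomes the two catch-all prefixes; $REF expands an earlier variable,
    and a leading '!' on either side toggles negation (XOR)."""
    ipvars: Dict[str, Tuple[bool, list]] = {}
    for name, value in IPVAR_RE.findall(conf_text):
        negated = value.startswith("!")
        body = value.lstrip("!")
        if body == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif body.startswith("$"):
            ref_neg, nets = ipvars[body[1:]]  # KeyError if the reference is undefined
            negated = negated != ref_neg
        else:
            nets = [ipaddress.ip_network(tok, strict=False) for tok in body.strip("[]").split(",")]
        ipvars[name] = (negated, nets)
    return ipvars


def validate(conf_text: str) -> List[str]:
    """Return Snort-style fatal errors: negating 'any' leaves nothing to match."""
    errors = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = IPVAR_RE.match(line)
        if m and m.group(2) == "!any":
            errors.append(f"snort.conf({lineno}) !any is not allowed in {m.group(1)}.")
    return errors


def in_var(ipvars: Dict[str, Tuple[bool, list]], name: str, addr: str) -> bool:
    """True if addr is inside the named ipvar; negation flips the membership."""
    negated, nets = ipvars[name]
    ip = ipaddress.ip_address(addr)
    hit = any(ip.version == n.version and ip in n for n in nets)
    return hit != negated
```

Running `validate(SAMPLE_CONF)` on the fragment flags only BAD_NET, while `in_var` shows a LAN host is in HOME_NET and not in EXTERNAL_NET, and an Internet address the reverse.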
              • S
                swetag last edited by

                @bmeeks:

                I get what you mean, but it doesn't work.
                External_net and home_net are at their default values, but I still get the "!any is not allowed in EXTERNAL_NET."

                Is creating a pass list the only option for me?

                • bmeeks
                  bmeeks last edited by

                  @swetag:

                  You have something very wrong in the configuration information someplace.  If you have not used the package before, I suggest going to the GLOBAL SETTINGS tab and unchecking the box to "save settings" down near the bottom of the page.  This will wipe out the entire configuration when you uninstall the package.  Then remove the Snort package and reinstall it and configure again from a fresh start.

                  Bill

                  • S
                    swetag last edited by

                    @bmeeks:

                    I haven't used it before, but now I have made sure that save thing isn't marked and uninstalled the package. How do I remove it?

                    • bmeeks
                      bmeeks last edited by

                      If you uninstalled the package with the "Save Settings" checkbox unchecked, then all remnants of Snort were removed from your config.xml file, which the firewall uses to store all of your configuration information.  So if you re-install the package, it should behave as a 100% fresh install with no pre-existing configuration settings brought over.

                      Bill

                      • S
                        swetag last edited by

                        @bmeeks:

                        Great.

                        So I uninstalled the package and reinstalled it; it didn't help.
                        Installed Suricata and it worked out of the box.
                        So I made a pass list and used that for external_net in Snort instead, and it worked. But now the "!" in front of the IPs is gone, exactly like home_net. In other words it says that my external_net is home_net now, but it worked somehow.
                        But when I added rules it stopped working again.
                        So I tried to find out exactly why it stops working, and I have somewhat narrowed it down to the "emerging" rules: when I add one of them, Snort stops working.

                        I have no idea what's going on anymore :P
