Snort fails to start if ignore_scanners contains too many hosts

  • Hello All,

    I have Snort set up with an alias list: Snort -> WAN -> WAN PreProcs -> Ignore Scanners is set to my alias list from Firewall -> Aliases. It's been working fine, but I keep getting blocks by Google over and over, and today I got fed up and added all the Google host CIDRs to my alias list, and now Snort WLAN won't start. It seems that it starts to read the list and when it hits some limit, it adds a ,/, within the snort.conf and fails to start the WLAN interface. Depending on how I add the Google IPs to the alias, the ,/, entry moves around in the list below.

    Does anyone know of a limit with Snort reading from an alias list? Do you have any workarounds for me to get this added?

    Mar 26 21:21:44	php-fpm	22691	/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 24280 -D -q --suppress-config-log -l /var/log/snort/snort_em0_vlan3524280 --pid-path /var/run --nolock-pidfile -G 24280 -c /usr/local/etc/snort/snort_24280_em0_vlan35/snort.conf -i em0_vlan35' returned exit code '1', the output was ''
    Mar 26 21:21:44	snort	53892	FATAL ERROR: /usr/local/etc/snort/snort_24280_em0_vlan35/snort.conf(354) => Invalid ip_list to 'ignore_scanners' option.
    Mar 26 21:21:44	php-fpm	22691	/snort/snort_interfaces.php: [Snort] Snort START for WAN(em0_vlan35)...
    # sf Portscan #
    preprocessor sfportscan: \
    	scan_type { all } \
    	proto  { all } \
    	memcap { 10000000 } \
    	sense_level { medium } \
    	ignore_scanners {,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,[b],\,[/b],,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, }

  • According to the manual, you should use it in this way:

    ignore_scanned { Snort IP List }

    You can create a Snort IP List by following this guide
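
A pre-start check for the failure shown in the first post, as an added example that is not part of the thread or of the Snort package: it reads a generated snort.conf, extracts the `ignore_scanners` list and reports each entry that is empty, is a stray backslash, or does not parse as an address. It assumes entries are plain IPv4/IPv6 addresses or CIDR blocks; the function name and the sample config (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: documentation-range addresses, with a stray backslash
# entry and an empty entry mid-list, like the excerpt in the first post.
SAMPLE_CONF = r"""
preprocessor sfportscan: \
	scan_type { all } \
	proto  { all } \
	memcap { 10000000 } \
	sense_level { medium } \
	ignore_scanners { 192.0.2.0/24,198.51.100.7,\,203.0.113.0/25,,2001:db8::/32 }
"""


def find_bad_entries(conf_text):
    """Return (position, entry, reason) for each invalid ignore_scanners entry."""
    # Join physical lines ending in a backslash (Snort's line continuation).
    # A backslash that is NOT at end of line survives and is flagged below.
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    match = re.search(r"ignore_scanners\s*\{([^}]*)\}", joined)
    if match is None:
        return []
    problems = []
    for pos, raw in enumerate(match.group(1).split(","), start=1):
        entry = raw.strip()
        if not entry:
            problems.append((pos, entry, "empty entry"))
        elif "\\" in entry:
            problems.append((pos, entry, "stray backslash"))
        else:
            try:
                # strict=False accepts host addresses written with a prefix.
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append((pos, entry, "not an IP address or CIDR block"))
    return problems


if __name__ == "__main__":
    for pos, entry, reason in find_bad_entries(SAMPLE_CONF):
        print(f"entry {pos}: {entry!r} -> {reason}")
```

The reported position is the 1-based index within the list, which makes it easy to see whether the bad entry moves when the alias contents are reordered.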
