Problems with Snort and pppoe



  • Problems with Snort using PPPOE on WAN.  Snort works fine the first time I boot up pfSense,
    but every time I quit my dynamic pppoe connection, then try to reconnect,
    I get a connection just fine, but Snort craps out and fails to adjust to the new IP address on WAN.
    Problem has existed since I moved from Snort (old) to the current version(s).

    First post, but have been using pfsense since 10/08 and version 1.2.
    I am currently running pfsense v. 1.2.3 with Snort v 2.8.6.1 v 1.26
    I am running snort on WAN (dc0) and LAN (em0)
    I have been doing so with varying degrees of success since snort 2.8.4.1

    I have been having this problem since the move from snort-old.

    My server hardware is as follows:

    P4 1.8 ghz
    768 MB RAM  (with Snort on WAN and LAN ram runs around 31%)
    pppoe on WAN through a bridged Westell modem.
    my IP address is dynamic.

    The problem is that when I disconnect from WAN through Status>> Interfaces
    then try to reconnect, I reconnect fine, but snort craps out and I have to manually restart it.
    It restarts manually, then craps out again when I hang up then try to reconnect.

    When I first boot the pfsense box, everything starts up correctly the first time.
    It fires up my adsl connection automagically, and snort starts like it should.

    May be a separate issue, but sometimes I am getting a message similar to:
    Snort [####] FATAL ERROR s3c_parse_load_wl()>>Invalid data in whitelist file
    My whitelist file is empty and all such settings are set at default.
    but I digress… back to the problem at hand.

    Here are what I hope you will find to be pertinent logs.
    (seems to be posting everything twice--not sure what that's all about)

    Maybe an option either under WAN>>pppoe  or Services>>Snort>>Global Settings to "Automatically Reset Snort Whenever pppoe connection is reset" or something to that effect would help.  Dunno, as I am inexperienced with the bsd's at this point.  Anywhoo, your help is very much appreciated.

    So, here are the logs, starting from when it first boots successfully.

    Hope you can help.
    Anyway, thanks for trying.



  • Sorry to cause you so much work.  Will be great to see this working, though.
    Thanks for the status updates on your progress.  Really glad I joined this board.



  • Still Using 1.2.3-RELEASE
    I have updated from Snort 2.8.6 pkg v. 1.26  TO  Snort 2.8.6 pkg v. 1.27
    Not sure if this version change was to address this specific issue,
    but with the version change I am having the same issue.

    My partial log is (hopefully) attached.
    Thank you for your help.

    partialsystemlog.txt



  • That's just it…I haven't added anything to my whitelist file, and on the GUI interface it appears empty.
    I guess theoretically it would just be those on my LAN (the default).

    On my LAN I'm using DHCP and have reserved a block of 10 IP's in the correct range,
    3 of which are currently being leased out.

    If there is a way to retrieve the file from terminal, I'd be happy to upload it, but on the GUI the Snort whitelist is empty.  I haven't added anything to it.  So I guess, let me know where/how to check/retrieve the file from terminal.

    Like I said before, I'm running Snort on WAN and LAN, and, actually, Snort occasionally blocks one of my internal IPs on LAN.  So, I guess it's not whitelisting them (I don't mind this behavior).

    Let me know if you still want the file, and if so, where to find it.
    (Sorry for not knowing more about the BSD/pfSense file system.)

    Regards,



  • I need to see this file (/usr/local/etc/snort/whitelist/defaultwlist).

    James



  • File Attached.

    defaultwlist.txt



  • Make sure the following line is not in the defaultwlist file.

    $ cat /usr/local/etc/snort/whitelist/defaultwlist

    Other than that I don't see anything wrong with the file.

    Please upload your snort.conf for that interface.

    James



  • $ cat /usr/local/etc/snort/whitelist/defaultwlist
    wasn't in the file itself.
    It's how I obtained it from the GUI using Diagnostics/Command
    Be gentle, I'm a noob.

    Not sure what you mean by "for that interface",
    but I have attached a copy of the contents of /usr/local/etc/snort/snort.conf
    Hope it's what you're after.


    Just checking back in to see if you have been able to duplicate the snort
    "fail on pppoe reconnect" issue on your end.  And to see if the snort.conf file I provided was what you needed.
    Sorry that I don't yet always know where to find the requested file(s).
    (I sometimes need guidance figuring out which directory to look in.)

    Sounds like you have a full plate working on Snort INLINE with pfSense v 2.0.
    Perhaps I should try that version.

    As to pfSense v1.2.3,  Snort-old seemed to work much better for me with PPPOE.
    Thank you, jamesdean, for all your help.

    Sincerely,

    snort.conf.txt

