Snort - Network Interface Mismatch
-
Hello,
i'm having problem with the snort package, i'm running 2.0 beta with the latest update in vmware workstation 7.0.
Each time i enabled snort in an interface and reboot when the machine starts it enter in a loop of Network Interface Mismatch – runing interface assigment option.i have installed the open vm-tools.
the unique solution i have found so far is reinstalling, but i have to begin all over again.
any suggestion to stop de network interface mismatch???
thankss
thanks
-
Please read this post. I am having the same issue. Is it doing the same thing? It may be duplicating your wan interface causing this.
Let me know if its the same issue. Anyone able to help with this? Any way to manually edit a file to remove the duplicate entry? I have replicated my issue in my post many times without fail.
-
yes, exactly having the same issue, after i enable snort on my wan interface it got duplicated.
beginning the Network Interface Mismatch problem.
-
One somewhat workaround that I found will allow you to run snort and all but the issue will come back if you change settings and re-save them
What I have done so far is setup pfsense the way I want it including packages. Get Snort installed and configured the way I want it. Yes it will duplicate the interface. Then I backup all the settings in pfsense. (the exported xml.)
Then I edit the xml and remove the duplicated interface. It is listed in the interface section but with no settings. So I delete it, then save. I then go to pfsense and select restore to defaults.
This will erase everything back to as if you just installed it. Then I reset lan interface IP so I can access the web config at the console.
Then once I am in the webgui I import the backup xml that I exported earlier. Then it will reinstall all packages and settings ect then reboot. When pfsense comes back, I will have all packages running including snort with all settings and no duplicated wan interface.
This is a pain in the butt to do all the time. However its the only work around I know of at them moment. Unless someone knows the exact file that I can edit to remove the duplicated interface so I dont get caught in that endless mismatch error.
-
A reduction/variation of the last workaround, to resolve this at the console I opened a shell, edited /conf/config.xml and removed the single bad line (in my case it was <re0>in the <interfaces>section) and restarted .. seems to be working fine.
Notes: This is a test install, I don't have any other packages, just snort which seemed to cause the problem, and it didn't need to reinstall or anything, it's running fine after the reboot.</interfaces></re0>
-
Ahh yea well that is what i was looking for. To the path of the config file to remove it. I will try that soon before I reboot to see if it fixes my prob. Thanks.
I was sure my process wasnt needed in its entirety but I didnt know what file on the machine to edit to remove it.This should make it tons easier.
-
when you removed that bogus line did it remove the entry in the interfaces menu? I removed my re0/ and havent rebooted yet but was wondering if it would update the menu. I was using the menu to see if the ghost interface was there before I would reboot.
-
FYI- if you edit the config at the command line, be sure to rm /tmp/config.cache when finished.
If you use the viconfig shortcut, this is handled automatically.
-
I found a case where it might be possible that the interface could be duplicated in certain conditions under snort.
If you could reinstall snort any time after 10:20am EDT today and then try to see if you can replicate the issue again.
-
I found a case where it might be possible that the interface could be duplicated in certain conditions under snort.
If you could reinstall snort any time after 10:20am EDT today and then try to see if you can replicate the issue again.
Excellent I will try that then.@jimp:
FYI- if you edit the config at the command line, be sure to rm /tmp/config.cache when finished.
If you use the viconfig shortcut, this is handled automatically.
I just edited the file via the webgui / edit file area. Can I just browse to the tmp location and delete the cache? Dont have a keyboard hooked up t the system at the moment.
-
Actually I found one more place that is more likely to have caused the problem. Reinstall again if you haven't yet done it.
As for editing via the GUI, you can rm /tmp/config.cache by Diagnostics > Command, and then just edit/save anywhere in the GUI to trigger a filter sync.
-
Actually I found one more place that is more likely to have caused the problem. Reinstall again if you haven't yet done it.
As for editing via the GUI, you can rm /tmp/config.cache by Diagnostics > Command, and then just edit/save anywhere in the GUI to trigger a filter sync.
Ok thanks. I will be able to do this later this evening. I appreciate the quick turn around on this.
-
I just updated the package, and it still has a problem. I deleted the "bad" line in config.xml and removed config.cache, went to snort Global Settings and hit save - at this point config.xml is still ok, I then hit Apply and it adds a bad line.
It's slightly different now, previously it was "<re0>" and now it's "" … but still there.</re0>
-
So at least it seems we're on the right track… :-)
I'll look for any other places where it might be doing anything like that kind of thing.
I made some changes in the base OS as well to see if things there might be affected, might not be in the next snap, but the one after it should have them.
-
OK, Efonne spotted another place that could have done this and I committed a fix and bumped the version of the snort package. Try it again, if you can.
-
OK, Efonne spotted another place that could have done this and I committed a fix and bumped the version of the snort package. Try it again, if you can.
I think you've got it fixed. However:
In testing again, I fixed the config file, removed the config.cache, verified the config was fixed (and even changed/saved a firewall rule to verify the save there didn't have the problem) - now updated to snort package version 1.35. I checked the config at this point and the "" was back again.
I fixed the config again, removed config.cache, and hit the snort Global Settings tab. save, apply … seems to be fixed. I ran around a number of snort menus and the problem didn't recur.
So... just beware you have to fix your config one last time after you update from a "bad" version (1.34).
-
Excellent work everyone! I will keep that in mind once I am able to test it.
-
Your fix on the snort package did the trick. I uninstalled/installed latest version and then attempted same save on the global settings and no more duplicate device. :-)
I didnt have the issue as posted above of having to delete the duplicate again (fixing the config file again)… Mine was good to go and I tried a few times with saving settings and no problems.
Thanks again for the quick fix to this issue!!!
