3. Snort "FATAL ERROR" when "Portscan Detection" is enabled

Snort "FATAL ERROR" when "Portscan Detection" is enabled

  • A

    Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf" , snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios

    0
  • J

    @atlasis:

    Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf" , snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios

    Can you post line 204 in your snort.conf. "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"

    Robert

    0
  • A

    Line 204: ignore_scanners { $HOME_NET }
    Line 41: var HOME_NET [172.16.1.0/24,192.168.56.101,[b]link#1,127.0.0.1]
    Deleting link#1 from this last line and starting snort manually, solves the problem temporarily.

    Thanks

    Antonios

    @jamesdean:

    @atlasis:

    Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf" , snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios

    Can you post line 204 in your snort.conf. "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"

    Robert

    0
  • J

    How man interfaces do you have and what are there names.

    Trying to figure out where #link1 is from.

    Robert

    0
  • A

    I'm using two interfaces; em0 (WAN - 192.168.56.101) and em1 (LAN - 172.16.1.30). It's a VirtualBox Image actually where I installed pfsense + snort to test it.

    #link1 reminds me IPv6 or am I mistaken?

    @jamesdean:

    How man interfaces do you have and what are there names.

    Trying to figure out where #link1 is from.

    Robert

    0
  • J

    I dont have ipv6. I guess since 2,0 uses ipv6 now so I have to code around this isse.

    I'll look into it after work today.

    Robert

    0
  • Rebel Alliance Developer Netgate

    2.0 doesn't have ipv6 in it yet, but there is a popular addon (see the ipv6 board) that adds the work-in-progress ipv6 code. Anyone running that branch should be prepared for their own breakage. :-)

    0
  • A

    @jamesdean:

    I dont have ipv6. I guess since 2,0 uses ipv6 now so I have to code around this isse.

    I'll look into it after work today.

    Robert

    As I said at the beginning, I 'm using pfsense 1.2.3.
    Moreover, I haven't enabled IPv6 on purpose, but checking using ifconfig, IPv6 IS enabled by default.

    Hope that helps

    Antonios

    PS My argument that link#1 is due to IPv6 is just a guess (it rings a bell). I don't want to mislead you.

    0
  • A

    @jamesdean:

    I dont have ipv6. I guess since 2,0 uses ipv6 now so I have to code around this isse.

    I'll look into it after work today.

    Robert

    I tested this issue in pfsense 2.0RC1 and it works! I don't get any error. It seems that the problem is only in 1.2.3

    Regards

    Antonios

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy