Netgate Discussion Forum
    Snort "FATAL ERROR" when "Portscan Detection" is enabled

      atlasis

      Hi,

      I'm using pfSense 1.2.3 and Snort 2.8.6.

      When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
      "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

      When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
      By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf", snort starts successfully.
      When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

      Any suggestion for a permanent work-around?

      Thanks

      Antonios

        jamesdean

        Can you post line 204 in your snort.conf? "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"

        Robert

          atlasis

          Line 204: ignore_scanners { $HOME_NET }
          Line 41: var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
          Deleting link#1 from this last line and starting snort manually solves the problem temporarily.

          Thanks

          Antonios

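An added example, not part of any forum post or of the pfSense Snort package: a pre-start check that resolves `$HOME_NET` and flags any entry in an sfportscan `ip_list` option that is not an IP address or CIDR block, such as the `link#1` quoted above. The sample configuration is constructed around the two lines posted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample built around the two lines quoted in the thread;
# line numbers differ from the original file (41 and 204).
SAMPLE_CONF = """\
var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: scan_type { all } \\
    proto { all } \\
    sense_level { medium } \\
    ignore_scanners { $HOME_NET }
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$")
# sfportscan options that take an ip_list
LIST_OPT_RE = re.compile(r"\b(ignore_scanners|ignore_scanned|watch_ip)\s*\{([^}]*)\}")


def split_ip_list(value):
    """Split '[a,b,c]' or 'a b c' into bare entries, dropping a leading '!'."""
    items = re.split(r"[,\s]+", value.strip().strip("[]"))
    return [item.lstrip("!") for item in items if item]


def is_ip_or_cidr(entry):
    """Assumption of this sketch: a valid entry is a plain IP address or CIDR block."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def bad_ip_list_entries(conf_text):
    """Return (line_no, option, entry) for every ip_list entry that fails the check."""
    variables, findings = {}, []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        # Only whole-line comments are skipped: 'link#1' itself contains '#'.
        if line.lstrip().startswith("#"):
            continue
        var = VAR_RE.match(line)
        if var:
            variables[var.group(1)] = var.group(2)
            continue
        for option, body in LIST_OPT_RE.findall(line):
            for entry in split_ip_list(body):
                # Expand one level of $VAR; an undefined variable is reported as-is.
                resolved = variables.get(entry[1:], entry) if entry.startswith("$") else entry
                findings += [(line_no, option, e) for e in split_ip_list(resolved) if not is_ip_or_cidr(e)]
    return findings
```

Snort's own test mode (`snort -T -c` followed by the path to snort.conf) remains the authoritative check; this sketch only names the offending entry and the option that consumed it.
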
            jamesdean

            How many interfaces do you have and what are their names?

            Trying to figure out where #link1 is from.

            Robert

              atlasis

              I'm using two interfaces; em0 (WAN - 192.168.56.101) and em1 (LAN - 172.16.1.30). It's a VirtualBox Image actually where I installed pfsense + snort to test it.

              #link1 reminds me of IPv6, or am I mistaken?

                jamesdean

                I don't have IPv6. I guess since 2.0 uses IPv6 now, I have to code around this issue.

                I'll look into it after work today.

                Robert

                  jimp Rebel Alliance Developer Netgate

                  2.0 doesn't have ipv6 in it yet, but there is a popular addon (see the ipv6 board) that adds the work-in-progress ipv6 code. Anyone running that branch should be prepared for their own breakage. :-)

                    atlasis

                    As I said at the beginning, I'm using pfSense 1.2.3.
                    Moreover, I haven't enabled IPv6 on purpose, but checking using ifconfig, IPv6 IS enabled by default.

                    Hope that helps

                    Antonios

                    PS My argument that link#1 is due to IPv6 is just a guess (it rings a bell). I don't want to mislead you.

                      atlasis

                      I tested this issue in pfSense 2.0RC1 and it works! I don't get any error. It seems that the problem is only in 1.2.3.

                      Regards

                      Antonios
