Snort "FATAL ERROR" when "Portscan Detection" is enabled



  • Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf", snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios



  • @atlasis:

    Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf", snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios

    Can you post line 204 in your snort.conf? "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"

    Robert



  • Line 204: ignore_scanners { $HOME_NET }
    Line 41: var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
    Deleting link#1 from this last line and starting snort manually solves the problem temporarily.

    Thanks

    Antonios

    @jamesdean:

    @atlasis:

    Hi,

    I'm using Pfsense 1.2.3 and Snort 2.8.6.

    When in the "Preprocessors" Tab I enable the “Enable Portscan Detection” option, Snort fails to start and I receive the following error in the System Logs:
    "System Logs snort[40889]: FATAL ERROR: /usr/local/etc/snort/snort_65214_em0/snort.conf(204) => Invalid ip_list to 'ignore_scanners' option."

    When I edit the file /usr/local/etc/snort/snort_65214_em0/snort.conf, in the var HOME_NET #link1 is included in the IPs.
    By deleting it (#link1 from the var HOME_NET) and restarting snort manually using "snort -D -c /usr/local/etc/snort/snort_65214_em0/snort.conf", snort starts successfully.
    When I restart snort using the GUI, I receive the same error. Checking the same file, I found out that #link1 was written again in the same place.

    Any suggestion for a permanent work-around?

    Thanks

    Antonios

    Can you post line 204 in your snort.conf? "snort.conf(204) => Invalid ip_list to 'ignore_scanners'"

    Robert
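
Added example, not part of the thread or of the pfSense Snort package: a pre-start check that finds entries in a snort.conf IP variable that are not an IP, a CIDR block, `any` or a `$VAR` reference, which is what `link#1` is in the line 41 quoted above. The function names and `SAMPLE_CONF` are assumptions; the sample reuses the two config lines from the post plus one constructed `EXTERNAL_NET` line.

```python
import ipaddress
import re

# Matches "var NAME value" and "ipvar NAME value" definitions in snort.conf.
VAR_RE = re.compile(r"^\s*((?:ip)?var)\s+(\w+)\s+(\S.*?)\s*$")

# Constructed sample: lines 41 and 204 as quoted in the thread, plus one
# constructed EXTERNAL_NET line to exercise negation and $VAR references.
SAMPLE_CONF = """\
var HOME_NET [172.16.1.0/24,192.168.56.101,link#1,127.0.0.1]
var EXTERNAL_NET !$HOME_NET
ignore_scanners { $HOME_NET }
"""

def split_ip_list(value):
    """Flatten a Snort ip_list such as [a,b,[c,d]] into bare tokens."""
    return [t for t in re.split(r"[\[\],\s]+", value) if t]

def is_valid_entry(token):
    """True for an IP, a CIDR block, 'any' or a $VAR reference (optionally negated)."""
    token = token.lstrip("!")
    if token == "any" or token.startswith("$"):
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_invalid(conf_text, var_name="HOME_NET"):
    """Return (line_number, token) for every invalid entry of var_name."""
    bad = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line)
        if m and m.group(2) == var_name:
            bad += [(lineno, t) for t in split_ip_list(m.group(3))
                    if not is_valid_entry(t)]
    return bad

def cleaned_definition(conf_text, var_name="HOME_NET"):
    """Rebuild the variable definition with the invalid entries dropped."""
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m and m.group(2) == var_name:
            keep = [t for t in split_ip_list(m.group(3)) if is_valid_entry(t)]
            return "%s %s [%s]" % (m.group(1), var_name, ",".join(keep))
    return None

if __name__ == "__main__":
    for lineno, token in find_invalid(SAMPLE_CONF):
        print("line %d: %r is not a valid ip_list entry" % (lineno, token))
    print(cleaned_definition(SAMPLE_CONF))
```

The check only reports and proposes a cleaned line; as the first post notes, the GUI regenerates snort.conf on restart, so a manual edit to the file does not persist.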



  • How many interfaces do you have and what are their names?

    Trying to figure out where #link1 is from.

    Robert



  • I'm using two interfaces; em0 (WAN - 192.168.56.101) and em1 (LAN - 172.16.1.30). It's a VirtualBox Image actually where I installed pfsense + snort to test it.

    #link1 reminds me of IPv6, or am I mistaken?

    @jamesdean:

    How many interfaces do you have and what are their names?

    Trying to figure out where #link1 is from.

    Robert



  • I don't have ipv6. I guess since 2.0 uses ipv6 now so I have to code around this issue.

    I'll look into it after work today.

    Robert


  • Rebel Alliance Developer Netgate

    2.0 doesn't have ipv6 in it yet, but there is a popular addon (see the ipv6 board) that adds the work-in-progress ipv6 code. Anyone running that branch should be prepared for their own breakage. :-)



  • @jamesdean:

    I don't have ipv6. I guess since 2.0 uses ipv6 now so I have to code around this issue.

    I'll look into it after work today.

    Robert

    As I said at the beginning, I'm using pfsense 1.2.3.
    Moreover, I haven't enabled IPv6 on purpose, but checking using ifconfig, IPv6 IS enabled by default.

    Hope that helps

    Antonios

    PS My argument that link#1 is due to IPv6 is just a guess (it rings a bell). I don't want to mislead you.



  • @jamesdean:

    I don't have ipv6. I guess since 2.0 uses ipv6 now so I have to code around this issue.

    I'll look into it after work today.

    Robert

    I tested this issue in pfsense 2.0RC1 and it works! I don't get any error. It seems that the problem is only in 1.2.3

    Regards

    Antonios

