Snort not working for me (again)



  • Since installing 1.0.1-SNAPSHOT-01-19-2007 - I've stopped getting any alerts from snort.

    I'm guessing it's to do with this message:

    ```
    snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
    ```

    (where xx.x.xxx.xxx is my external IP)
    
    Why am I getting the message and how do I make snort alert me to intrusions again?


  • Try reinstalling snort.



  • @sdale:

    Try reinstalling snort.

    I have, numerous times - Unfortunately it's still doing exactly the same :(



  • Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in a xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

    @PC_Arcade:

    snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
    

    I think the problem is with the `,/32,`. There should be an IP address before that /32, and there is not.



  • @sdale:

    Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in a xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

    @PC_Arcade:

    snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
    

    I think the problem is with the `,/32,`. There should be an IP address before that /32, and there is not.

    There was nothing in my whitelist (I don't want to whitelist anything until I'm sure snort is working). It looks as though that's not the IP it was looking for, as after adding an IP to the whitelist I get this:

    ```
    snort[52956]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,192.168.1.100/24,]
    ```

    As you can see it's added the whitelisted IP to the end (192.168.1.100). What is the second address and where do I change it so snort can pick it up?


  • 1. Enable ssh under General>Advanced
    2. Download the program WinSCP
      a. SSH into your LAN IP using WinSCP with the protocol set to SFTP (allow SCP fallback). 
    3. Browse to the location /usr/local/etc/snort
    4. Copy the file snort.conf to a local directory on your PC. Make sure to make a backup of this file before editing it.
    5. Open snort.conf using a text editor. Look for the line var HOME_NET …...  it should be near the top.

    These IP addresses listed are the IP addresses of all your interfaces plus any whitelist IPs you might have.

    So basically if you have a WAN and LAN interface, that line should look something like

    var HOME_NET [public WAN IP, LAN IP]

    I think you need to remove those entries that do not have an IP before the netmask.



  • Aah, could it be that my wireless (opt1) interface is bridged with my LAN and snort isn't recognising that?



  • Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.



  • @sdale:

    Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.

    Yeah, I know and SNORT is / was only set to the one interface, I've tried pretty much everything bar changing the conf file (which given all the vnc messing about I'm not keen to do).

    I just thought that the missing IP could have come from that interface - god only knows though :(

    I'll keep playing and see if I can fix it (which is hard as I don't know what I'm looking for!)  ;D



  • Can you describe any changes that you made prior and up to you noticing that snort stopped working? I will see if I can duplicate.



  • None, I just started using the latest snapshot, I re-installed from scratch as well as something in my old xml backup caused pfsense to not boot :(

    I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)



  • @PC_Arcade:

    I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)

    Are you referring to DHCP on the WAN interface?



  • @sdale:

    @PC_Arcade:

    I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)

    Are you referring to DHCP on the WAN interface?

    Sorry, I should have been clearer. Yes, DHCP on the WAN interface. The Static box on the WAN interface is the only occurrence of /32 that I can find.



  • Hmm. That shouldn't have any problems. I am using DHCP on the WAN interface and it enters the correct WAN IP for me.



  • I wouldn't read anything into it, I'm clutching at straws  ;D



  • No clue. I will update to the latest snapshot later and see if I have any troubles. I'm running the 12-19 snapshot right now with no problems.



  • Thanks sdale, your help is much appreciated



  • I updated to the 1-19 snapshot and snort is running properly for me. Not sure what could be your problem. ???



  • Any chance you're trying to run snort on multiple interfaces?



  • @submicron:

    Any chance you're trying to run snort on multiple interfaces?

    None whatsoever :(

    Weird, I'll stop using it again then.



  • Probably, however what I don't understand is how it's picking up an incorrect setting in the first place

    I'll try your suggestion later



  • OK, this is the line in my snort.conf:

    ```
    var HOME_NET [192.168.1.0/24,/32,86.3.142.145,192.168.1.2,,]
    ```

    however if I remove the ,/32, the file gets recreated when I save snort config and overwrites any changes I make :(

    any ideas?

    I can post the entire snort.conf file and the startup logs if it helps?

    There is another warning in the snort startup log though:

    ```
    snort[13576]: WARNING /usr/local/etc/snort/snort.conf(36) => flush_behavior set in config file, using old static flushpoints (0)
    ```

    Does that shed any light?



  • Do you remember if you recently updated your snort rules before you started having troubles?



  • The rules were updated, BUT so was my entire machine, I changed to the 19th's image (cos of the lovely new look gui!) and reinstalled from scratch, everything was upgraded



  • I'm not sure why, but I have problems starting snort when I have web-misc category checked. If you have that ruleset enabled, try disabling it and see if Snort will start up.



  • Not ticked, could this thread shed any light (or at least point to the fact that there's something odd going on with the HOME_NET line?) : http://forum.pfsense.org/index.php/topic,3427.0.html



  • @PC_Arcade:

    Not ticked, could this thread shed any light (or at least point to the fact that there's something odd going on with the HOME_NET line?) : http://forum.pfsense.org/index.php/topic,3427.0.html

    No, because that has already been fixed.



  • Has it?? What snapshot was it fixed in?



  • @PC_Arcade:

    Has it?? What snapshot was it fixed in?

    Those files do not reside in a snapshot.  They are on the server… It's a package file, not a base file.



  • OK, found and fixed the problem.

    If you have a wireless connection (opt1) bridged with LAN and you leave the IP address blank in the IP configuration box on the opt1 interface it causes the problems I was having.

    You have to un-bridge the connection put a (fake?) ip address in and then re-bridge the connection.

    That seems to fix it, although I need to give it a proper test
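The HOME_NET description a few posts up (interface addresses first, then whitelist entries) and the final fix (a bridged interface with no address produces a bare `/32` in the list) both come down to one check: is every comma-separated entry in the IPSet a real address or CIDR? The following is an added example, not pfSense's or the Snort package's code, that audits a HOME_NET literal and rebuilds it while skipping address-less interfaces. The sample string is constructed from the thread, with the documentation address 192.0.2.1 standing in for the poster's external IP; `parse_ipset`, `classify`, `audit_home_net` and `build_home_net` are names chosen here, not pfSense functions.

```python
import ipaddress

# Constructed sample: the HOME_NET value pfSense wrote in the thread,
# with the poster's external IP replaced by a documentation address.
SAMPLE_HOME_NET = "[192.168.1.0/24,/32,192.0.2.1,192.168.1.2,,192.168.1.100/24,]"


def parse_ipset(value):
    """Split a Snort IP-list literal into its raw comma-separated tokens.

    Empty tokens are kept on purpose so the caller sees exactly where an
    entry is blank (the source of the ',,' and the trailing ',' above).
    """
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return inner.split(",")


def classify(token):
    """Return ('ok', network) for a valid host or CIDR, else ('bad', reason)."""
    if token == "":
        return ("bad", "empty entry")
    if token.startswith("/"):
        # An interface with no address contributes only its mask: '/32'.
        return ("bad", "mask without address")
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError as exc:
        return ("bad", str(exc))
    return ("ok", net)


def audit_home_net(value):
    """Return (valid_networks, [(bad_token, reason), ...]) for a HOME_NET literal."""
    good, problems = [], []
    for tok in parse_ipset(value):
        status, detail = classify(tok)
        if status == "ok":
            good.append(detail)
        else:
            problems.append((tok, detail))
    return good, problems


def build_home_net(interface_ips, whitelist):
    """Rebuild HOME_NET in the order the thread describes (interfaces, then
    whitelist), dropping any entry that is not a usable address or CIDR
    instead of emitting a bare '/32' or an empty field.
    """
    entries = []
    for tok in list(interface_ips) + list(whitelist):
        status, _ = classify(tok)
        if status == "ok" and tok not in entries:
            entries.append(tok)
    return "[" + ",".join(entries) + "]"


if __name__ == "__main__":
    good, problems = audit_home_net(SAMPLE_HOME_NET)
    for tok, reason in problems:
        print(f"bad entry {tok!r}: {reason}")
    # Interface list with one address-less (bridged) interface, plus a whitelist.
    print(build_home_net(["192.168.1.0/24", "", "192.0.2.1", "192.168.1.2"],
                         ["192.168.1.100/24"]))
```

To run the audit against a live box, pull the value with `grep '^var HOME_NET' /usr/local/etc/snort/snort.conf` over the SSH session described above and pass it to `audit_home_net`; any `(token, reason)` pair it returns is an entry Snort's IPSet parser will reject, and the token tells you which interface or whitelist field is blank.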

