Snort not working for me (again)
-
@sdale:
Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.
Yeah, I know and SNORT is / was only set to the one interface, I've tried pretty much everything bar changing the conf file (which given all the vnc messing about I'm not keen to do).
I just thought that the missing IP could have come from that interface - god only knows though :(
I'll keep playing and see if I can fix it (which is hard as I don't know what I'm looking for!) ;D
-
Can you describe any changes that you made prior and up to you noticing that snort stopped working? I will see if I can duplicate.
-
None, I just started using the latest snapshot, I re-installed from scratch as well as something in my old xml backup caused pfsense to not boot :(
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
-
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
Are you referring to DHCP on the WAN interface?
-
@sdale:
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
Are you referring to DHCP on the WAN interface?
Sorry, I should have been clearer. Yes, DHCP on the WAN interface, the Static box on the WAN interface is the only occurrence of /32 that I can find
-
Hmm. That shouldn't have any problems. I am using DHCP on the WAN interface and it enters the correct WAN IP for me.
-
I wouldn't read anything into it, I'm clutching at straws ;D
-
No clue. I will update to the latest snapshot later and see if I have any troubles. I'm running 12-19 snapshot right now with no problems.
-
Thanks sdale, your help is much appreciated
-
I updated to the 1-19 snapshot and snort is running properly for me. Not sure what could be your problem. ???
-
Any chance you're trying to run snort on multiple interfaces?
-
@submicron:
Any chance you're trying to run snort on multiple interfaces?
None whatsoever :(
Weird, I'll stop using it again then.
-
Probably, however what I don't understand is how it's picking up an incorrect setting in the first place
I'll try your suggestion later
-
OK, this is the line in my snort.conf :
var HOME_NET [192.168.1.0/24,/32,86.3.142.145,192.168.1.2,,]
however if I remove the ,/32, the file gets recreated when I save snort config and overwrites any changes I make :(
any ideas?
I can post the entire snort.conf file and the startup logs if it helps?
There is another warning in the snort startup log though :
snort[13576]: WARNING /usr/local/etc/snort/snort.conf(36) => flush_behavior set in config file, using old static flushpoints (0)
Does that shed any light?
-
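Added example, not part of the original thread and not pfSense or Snort code: a small Python check that lists the entries of a HOME_NET line that are neither an address nor a CIDR block, run here on the line quoted in the post above. The function names and the sample excerpt are constructed for this example, and nested lists are flattened before checking.

```python
import ipaddress
import re

# Constructed sample: the HOME_NET line quoted in the post above.
SAMPLE_CONF = """\
# snort.conf excerpt (constructed for this example)
var HOME_NET [192.168.1.0/24,/32,86.3.142.145,192.168.1.2,,]
var EXTERNAL_NET !$HOME_NET
"""

# Matches "var NAME value" and "ipvar NAME value" lines.
VAR_LINE = re.compile(r"^\s*(?:var|ipvar)\s+(\S+)\s+(.+?)\s*$")


def check_entry(entry):
    """Return None if the entry is acceptable, otherwise a reason string."""
    item = entry.strip().lstrip("!")  # a leading "!" negates the entry
    if not item:
        return "empty entry"
    if item == "any" or item.startswith("$"):
        return None  # keyword or reference to another variable
    if item.startswith("/"):
        return "prefix length without an address"
    try:
        ipaddress.ip_network(item, strict=False)
    except ValueError as exc:
        return "not an IP address or CIDR block (%s)" % exc
    return None


def check_conf(text, names=("HOME_NET",)):
    """Yield (line_no, var_name, position, entry, reason) for bad entries."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = VAR_LINE.match(line)
        if not m or m.group(1) not in names:
            continue
        # Drop list brackets, then test each comma-separated entry.
        value = m.group(2).replace("[", "").replace("]", "")
        for pos, entry in enumerate(value.split(","), 1):
            reason = check_entry(entry)
            if reason:
                yield (line_no, m.group(1), pos, entry, reason)


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("line %d: %s entry #%d %r: %s" % finding)
```
-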
Do you remember if you recently updated your snort rules before you started having troubles?
-
The rules were updated, BUT so was my entire machine, I changed to the 19th's image (cos of the lovely new look gui!) and reinstalled from scratch, everything was upgraded
-
I'm not sure why, but I have problems starting snort when I have web-misc category checked. If you have that ruleset enabled, try disabling it and see if Snort will start up.
-
Not ticked, could this thread shed any light (or at least point to the fact that there's something odd going on with the HOME_NET line?) : http://forum.pfsense.org/index.php/topic,3427.0.html
-
Not ticked, could this thread shed any light (or at least point to the fact that there's something odd going on with the HOME_NET line?) : http://forum.pfsense.org/index.php/topic,3427.0.html
No, because that has already been fixed.
-
Has it?? What snapshot was it fixed in?