Snort not working for me (again)
-
Since installing 1.0.1-SNAPSHOT-01-19-2007 - I've stopped getting any alerts from snort.
I'm guessing it's to do with this message:

```
snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
```

(where xx.x.xxx.xxx is my external IP)

Why am I getting the message and how do I make snort alert me to intrusions again?
-
Try reinstalling snort.
-
@sdale:
Try reinstalling snort.
I have, numerous times - Unfortunately it's still doing exactly the same :(
-
Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in a xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

```
snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
```

I think the problem is with the ",/32,". There should be an IP address before that /32, and there is not.
-
@sdale:
Looks like you might have an invalid IP address entered into your whitelist. Make sure all your whitelist entries are entered in a xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/xx format.

```
snort[8421]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,]
```

I think the problem is with the ",/32,". There should be an IP address before that /32, and there is not.

There was nothing in my whitelist (I don't want to whitelist anything until I'm sure snort is working). It looks as though that's not the IP it was looking for, as after adding an IP to the whitelist I get this:

```
snort[52956]: /usr/local/etc/snort/snort.conf(89) Unable to create an IPSet from [192.168.1.0/24,/32,xx.x.xxx.xxx,192.168.1.2,,192.168.1.100/24,]
```

As you can see it's added the whitelisted IP to the end (192.168.1.100). What is the second address and where do I change it so snort can pick it up?
-
1. Enable ssh under General>Advanced
2. Download the program WinSCP
a. SSH into your LAN IP using WinSCP with the protocol set to SFTP (allow SCP fallback).
3. Browse to the location /usr/local/etc/snort
4. Copy the file snort.conf to a local directory on your PC. Make sure to make a backup of this file before editing it.
5. Open snort.conf using a text editor. Look for the line var HOME_NET …... it should be near the top. These IP addresses listed are the IP addresses of all your interfaces plus any whitelist IPs you might have.
So basically if you have a WAN and LAN interface, that line should look something like

```
var HOME_NET [public WAN IP, LAN IP]
```

I think you need to remove those entries that do not have an IP before the netmask.
-
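To check a HOME_NET value the way the posters above did by eye, here is an added example (not code from pfSense or the Snort package) that splits the IPSet literal from the error message and reports every entry Snort would reject: empty entries left by stray commas, and a netmask with no address in front of it. The poster's masked external IP is replaced with the constructed placeholder 203.0.113.7.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed samples: the two HOME_NET values quoted in the thread's error
# messages, with the masked external IP replaced by a documentation address.
SAMPLE = "[192.168.1.0/24,/32,203.0.113.7,192.168.1.2,,]"
SAMPLE_WITH_WHITELIST = "[192.168.1.0/24,/32,203.0.113.7,192.168.1.2,,192.168.1.100/24,]"


def split_ipset(value: str) -> List[str]:
    """Split a Snort IPSet literal like "[a,b,c]" into its raw comma-separated entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return value.split(",")


def check_entry(entry: str) -> Optional[str]:
    """Return None if entry is a usable IPv4 address or CIDR, else the reason it is not."""
    entry = entry.strip()
    if entry == "":
        return "empty entry (stray comma)"
    if entry.startswith("/"):
        return "netmask with no address before it"
    try:
        # strict=False accepts host addresses with a prefix, e.g. 192.168.1.100/24
        ipaddress.IPv4Network(entry, strict=False)
    except ValueError:
        return "not a valid IPv4 address or CIDR"
    return None


def find_bad_entries(value: str) -> List[Tuple[int, str, str]]:
    """Return (position, raw_entry, reason) for every entry the IPSet parser would reject."""
    bad = []
    for position, raw in enumerate(split_ipset(value)):
        reason = check_entry(raw)
        if reason is not None:
            bad.append((position, raw, reason))
    return bad


def clean_ipset(value: str) -> str:
    """Rebuild the list with only the valid entries, preserving their order."""
    good = [e.strip() for e in split_ipset(value) if check_entry(e) is None]
    return "[" + ",".join(good) + "]"


if __name__ == "__main__":
    for position, raw, reason in find_bad_entries(SAMPLE_WITH_WHITELIST):
        print(f"entry {position} {raw!r}: {reason}")
    print("cleaned:", clean_ipset(SAMPLE_WITH_WHITELIST))
```

Running it against the second error message flags entry 1 ("/32") and the two empty entries, which matches the two faults the posters identified by hand.
-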
Aah, could it be that my wireless (opt1) interface is bridged with my LAN and snort isn't recognising that?
-
Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.
-
@sdale:
Possibly. Snort will only work on your WAN interface. Make sure that is the only interface you have it assigned to.
Yeah, I know and SNORT is / was only set to the one interface, I've tried pretty much everything bar changing the conf file (which given all the vnc messing about I'm not keen to do).
I just thought that the missing IP could have come from that interface - god only knows though :(
I'll keep playing and see if I can fix it (which is hard as I don't know what I'm looking for!) ;D
-
Can you describe any changes that you made prior and up to you noticing that snort stopped working? I will see if I can duplicate.
-
None, I just started using the latest snapshot. I re-installed from scratch as well, as something in my old xml backup caused pfsense to not boot :(
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
-
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
Are you referring to DHCP on the WAN interface?
-
@sdale:
I THINK it's caused by the fact I'm using DHCP and therefore the staticIP box is blank, it's the only /32 I can find with no IP address allocated (as I'm on a /24 network)
Are you referring to DHCP on the WAN interface?
Sorry, I should have been clearer. Yes, DHCP on the WAN interface; the Static box on the WAN interface is the only occurrence of /32 that I can find.
-
Hmm. That shouldn't have any problems. I am using DHCP on the WAN interface and it enters the correct WAN IP for me.
-
I wouldn't read anything into it, I'm clutching at straws ;D
-
No clue. I will update to the latest snapshot later and see if I have any troubles. I'm running the 12-19 snapshot right now with no problems.
-
Thanks sdale, your help is much appreciated
-
I updated to the 1-19 snapshot and snort is running properly for me. Not sure what could be your problem. ???
-
Any chance you're trying to run snort on multiple interfaces?
-
@submicron:
Any chance you're trying to run snort on multiple interfaces?
None whatsoever :(
Weird, I'll stop using it again then.