Snort not working anymore



  • Snort seems to have stopped working properly; it gives me this in the log:

    snort[11868]: FATAL ERROR: /usr/local/etc/snort/snort.conf(71) => Invalid ip_list to 'ignore_scanners' option

    Any ideas?

    (I've reinstalled and I still get the same error)



  • Try uninstalling/reinstalling the package. There have been some fixes a few days ago.



  • @PC_Arcade:

    (I've reinstalled and I still get the same error)

    Yep, done that



  • Sounds like your whitelist might have been goofed up somehow. Try removing all Whitelist entries, and then try to start snort again. If it works then it must be a whitelist entry you had.



  • I have no whitelist and I've unticked Whitelist VPNs automatically.

    Still got exactly the same problem ???

    I've also completely uninstalled and reinstalled, deleted snort.conf and reinstalled the xml. I have no idea now as to what else it could be



  • I ran into the same issue. At first the webGUI would show Snort in a running state, yet dropping to a shell and running top didn't show the snort process running =/

    Wasn't sure if I was missing something, because I'm kinda new to *nix and FreeBSD.

    I did a search for the "Invalid ip_list to 'ignore_scanners'" tag, and found one link on Snort's webpage, but no answers, so at least I figured it's not an issue with pfSense.

    If you open up the file in question

    /usr/local/etc/snort/snort.conf

    and go to line 71, you'll see the line in question, where snort fails to load:

                    ignore_scanners { $HOME_NET }

    Now go back to the top of the file, and look for the variable $HOME_NET

    You'll see a list of IPs and subnets that are part of your home network, thus whitelisted by default by snort (I'm assuming… lol)

    i.e.

    var HOME_NET [10.0.1.0/24,192.168.0.1]

    I found I had ,/32 in a field with no IP range before it. I removed that and restarted snort… now I can see it's running and no errors in the system logs.



  • It looks like any time there is a config change to the snort settings in pfSense it rewrites the snort.conf and puts in ,/32. I just keep changing it to show 10.0.1.2/32 for its local IP and starting snort, and it runs.

    I'm running 1.0.1-SNAPSHOT-02-27-2007, and snort package 2.6.1.3_2
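    The two posts above boil down to one malformed element in the `var HOME_NET [...]` list. The following is an added example (not pfSense or Snort code) that checks that list the way Snort's ip_list parser would before you restart the service, and applies the manual fix described above (prefixing the bare `/32` with the host's IP); the `snort.conf` fragment is constructed to mirror the broken file from the thread.

```python
# Added example for this thread (not pfSense or Snort code): validate the
# HOME_NET list in snort.conf before restarting Snort, catching the stray
# ",/32" entry that produced "Invalid ip_list to 'ignore_scanners'".
import ipaddress
import re

# Matches: var HOME_NET [a,b,c]   (the bracketed-list form pfSense writes)
HOME_NET_RE = re.compile(
    r"^(?P<prefix>[ \t]*var[ \t]+HOME_NET[ \t]+)\[(?P<body>[^\]]*)\]", re.MULTILINE)


def parse_home_net(conf_text):
    """Return the raw comma-separated entries of the HOME_NET variable."""
    m = HOME_NET_RE.search(conf_text)
    if m is None:
        raise ValueError("no 'var HOME_NET [...]' line found")
    return m.group("body").split(",")


def invalid_entries(conf_text):
    """Return HOME_NET entries that are neither a host address nor a CIDR
    network (optionally negated with '!'), e.g. a bare '/32' or an empty entry."""
    bad = []
    for raw in parse_home_net(conf_text):
        entry = raw.strip().lstrip("!")
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(raw)
    return bad


def repair_home_net(conf_text, host_ip):
    """Prefix a bare '/NN' entry with host_ip, the manual fix from the thread."""
    def fix(m):
        entries = [e.strip() for e in m.group("body").split(",")]
        entries = [host_ip + e if e.startswith("/") else e for e in entries]
        return m.group("prefix") + "[" + ",".join(entries) + "]"
    return HOME_NET_RE.sub(fix, conf_text)


# Constructed snort.conf fragment mirroring the broken file from the thread.
SAMPLE_CONF = """\
var HOME_NET [10.0.1.0/24,192.168.0.1,/32]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: proto { all } ignore_scanners { $HOME_NET }
"""
```

    Run `invalid_entries(open("/usr/local/etc/snort/snort.conf").read())` after each pfSense config change; an empty list means Snort will accept the HOME_NET line.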



  • It also looks like the white list is not working correctly.

    IPs I've white listed do show up in the HOME_NET variable of snort.conf, but I get my external DNS servers and my second external adapter blacklisted while snort is running.

    pfSense is plugged into a hub that splits the connection from my cable modem and goes to pfSense, and my WiFi router/DMZ.

    I keep seeing snort alerts for

    (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
    03/06-21:50:51.235361 [removed for privacy] -> [removed for privacy]
    ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF 
    Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE 
    ** ORIGINAL DATAGRAM DUMP:

    then it will blacklist those ips (even though they are whitelisted)



  • Hmm. Odd. I'll investigate, but so far I haven't seen that issue.



  • Yeah, Issue #1 is the main problem I've been having; next would be Issue #2, whitelisted machines getting blocked.

    Issue #1

    Each change or update to the config modifies snort.conf and ,/32 is added to the HOME_NET variable; then snort fails to start. Manual modification to change it to reflect the host's IP (i.e. 10.0.1.2/32) is required, then a restart of snort.

    Issue #2

    Snort is blacklisting whitelisted IPs (namely my DNS servers and an additional server in my DMZ).

    This may be something I have to work out on my own, but as stated my setup is

                              WiFi Router (external IP #1)
    Cable Modem------Hub----<
                              pfSense/Snort (external IP #2)

    Snort picks up traffic between the WiFi router (ext IP #1) and things like my DNS servers. This is where I get the error

    (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
    03/06-21:50:51.235361 [External IP #1] -> [DNS server]
    ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF
    Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:

    Should I just add an additional NIC to pfSense, and rather than go inet, hub, split… go Inet -> pfSense… thus bridging WAN to OPT1 and OPT2 on pfSense, and plug my WiFi router into OPT2, giving it full * access... (I don't wanna block anything for WiFi, I want full open access.) Only thing is, snort will still function on that network as I'm listening on WAN...

    Could I listen on OPT1 instead? or would snort still function?

    I.e.                         [snort] OPT1 - Internal network
          inet -> pfsense WAN <
                                         OPT2 - DMZ WiFi

    or would that work?

    Rather than
                              OPT1 - Internal network
    inet WAN [snort] <
                              OPT2 - WiFi DMZ

