• Snort seems to have stopped working properly, it gives me this in the log :

    snort[11868]: FATAL ERROR: /usr/local/etc/snort/snort.conf(71) => Invalid ip_list to 'ignore_scanners' option

    Any ideas?

    (I've reinstalled and I still get the same error)

  • Try uninstall/reinstall the package. There have been some fixes few days ago.

  • @PC_Arcade:

    (I've reinstalled and I still get the same error)

    Yep, done that

  • Sounds like your whitelist might have been goofed up somehow. Try removing all Whitelist entries, and then try to start snort again. If it works then it must be a whitelist entry you had.

  • I have no whitelist and I've unticked Whitelist VPNs automatically.

    Still got exactly the same problem ???

    I've also completely uninstalled and reinstalled, deleted snort.conf and reinstalled the xml. I have no idea now as to what else it could be

  • I ran into the same issue, at first the webGui would show Snort in a running state, yet dropping to a shell and running top didn't show the snort process running =/

    Wasn't sure if I was missing something cause I'm kinda new to *nix and FreeBSD

    I did a search for the Invalid ip_list to 'ignore_scanners' tag, and found one link on Snort's webpage, but no answers, so at least I figured it's not an issue with pfSense.

    if you open up the file in question

    And go to line 71, you'll see the line in question, where snort fails to load

        ignore_scanners { $HOME_NET }

    Now go back to the top of the file, and look for the variable $HOME_NET

    you'll see a list of IPs and subnets that are part of your home network, thus whitelisted by default via snort (I'm assuming… lol)

        var HOME_NET [,]

    I found I had ,/32 in a field with no IP range before it, I removed that, and restarted snort… now I can see it's running and no errors in the system logs.
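    As an added example (not from this thread, pfSense or the Snort project), a small Python check that finds the kind of malformed HOME_NET entry described above before snort is started; the snort.conf sample is constructed, and the parser assumes a flat ip_list without nested brackets.

```python
import ipaddress
import re

# Constructed sample of the relevant snort.conf lines, mimicking the broken
# file from this thread: a ",/32" fragment has been written into HOME_NET.
SAMPLE_SNORT_CONF = """\
# snort.conf (constructed sample, not a real pfSense-generated file)
var HOME_NET [192.168.1.0/24,203.0.113.5,/32]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: proto { all } memcap { 10000000 } ignore_scanners { $HOME_NET }
"""

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(.+?)\s*$')


def parse_ip_list(raw):
    """Split a snort ip_list ('[a,b,c]' or a single value) into entries, keeping
    empty entries so that ',/32'-style damage stays visible."""
    raw = raw.strip()
    if raw.startswith('[') and raw.endswith(']'):
        raw = raw[1:-1]
    return [e.strip() for e in raw.split(',')]


def validate_entry(entry):
    """Return None for a valid IP/CIDR (optionally negated with '!') or a
    variable reference ($NAME); otherwise a short reason string."""
    body = entry[1:] if entry.startswith('!') else entry
    if body == '':
        return 'empty entry'
    if body.startswith('$'):
        return None
    try:
        ipaddress.ip_network(body, strict=False)  # rejects '/32' with no address
    except ValueError:
        return 'not an IP address or CIDR'
    return None


def check_ip_vars(conf_text, names=('HOME_NET', 'EXTERNAL_NET')):
    """Return {var: [(lineno, entry, reason), ...]} for every malformed entry
    found in the named ip_list variables of a snort.conf text."""
    problems = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line)
        if not m or m.group(1) not in names:
            continue
        for entry in parse_ip_list(m.group(2)):
            reason = validate_entry(entry)
            if reason:
                problems.setdefault(m.group(1), []).append((lineno, entry, reason))
    return problems
```

    Running check_ip_vars over the real /usr/local/etc/snort/snort.conf before each snort start would flag the ,/32 entry with its line number instead of leaving only the FATAL ERROR in the log.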

  • It looks like any time there is a config change to the snort settings in pfSense it rewrites the snort.conf and puts in ,/32. I just keep changing it to show its local IP and starting snort and it runs.

    I'm running 1.0.1-SNAPSHOT-02-27-2007, and snort package

  • It also looks like the white list is not working correctly.

    IPs I've white listed do show up in the HOME_NET variable of snort.conf, but I get my external DNS servers and my second external adapter blacklisted while snort is running.

    pfSense is plugged into a hub that splits the connection from my cable modem and goes to pfSense, and my wifi router/dmz.

    I keep seeing snort alerts for

    (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
    03/06-21:50:51.235361 [removed for privacy] -> [removed for privacy]
    ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF 

    then it will blacklist those ips (even though they are whitelisted)

  • Hmm. Odd. I'll investigate, but so far I haven't seen that issue.

  • Yeah, Issue #1 is the main problem I've been having, next would be Issue #2, whitelisted machines getting blocked.

    Issue #1

    Each change or update to the config modifies snort.conf and ,/32 is added to the HOME_NET variable, then snort fails to start; manual modification to change it to reflect the host's IP is required (i.e. then restart of snort).

    Issue #2

    Snort is blacklisting whitelisted IPs (namely my DNS servers and an additional server in my DMZ).

    This may be something I have to work out on my own, but as stated my setup is

                                  WiFi Router (external IP #1)
        Cable Modem------Hub----<
                                  pfSense/Snort (external IP #2)

    Snort picks up traffic between the WiFi router (ext IP #1) and things like my DNS servers. this is where I get the error

    (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ]
    03/06-21:50:51.235361 [External IP #1] -> [DNS server]
    ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF

    Should I just add an additional NIC to pfSense, and rather than go inet, hub, split.. go Inet -> pfSense… thus bridging WAN to OPT1 and OPT2 on pfSense, and plug my WiFi router into OPT2, giving it full * access... (I don't wanna block anything for WiFi, I want full open access.) Only thing is, snort will still function on that network as I'm listening on WAN...

    Could I listen on OPT1 instead? or would snort still function?

                                   [snort] OPT1 - Internal network
        I.e.  inet -> pfSense WAN <
                                           OPT2 - DMZ WiFi

    or would that work?

    Rather than

                                   OPT1 - Internal network
        inet WAN [snort] <
                                   OPT2 - WiFi DMZ