Snort not working anymore
-
Snort seems to have stopped working properly, it gives me this in the log:
snort[11868]: FATAL ERROR: /usr/local/etc/snort/snort.conf(71) => Invalid ip_list to 'ignore_scanners' option
Any ideas?
(I've reinstalled and I still get the same error)
-
Try uninstall/reinstall the package. There have been some fixes few days ago.
-
-
Sounds like your whitelist might have been goofed up somehow. Try removing all Whitelist entries, and then try to start snort again. If it works then it must be a whitelist entry you had.
-
I have no whitelist and I've unticked Whitelist VPNs automatically.
Still got exactly the same problem ???
I've also completely uninstalled and reinstalled, deleted snort.conf and reinstalled the xml. I have no idea now as to what else it could be
-
I ran into the same issue, at first the webGui would show Snort in a running state, yet dropping to a shell and running top didn't show the snort process running =/
Wasn't sure if I was missing something cause I'm kinda new to *nix and FreeBSD
I did a search for the Invalid ip_list to 'ignore_scanners' tag, and found one link on Snort's webpage, but no answers, so at least I figured it's not an issue with pfSense.
If you open up the file in question
/usr/local/etc/snort/snort.conf
and go to line 71, you'll see the line in question, where snort fails to load:
ignore_scanners { $HOME_NET }
Now go back to the top of the file, and look for the variable $HOME_NET
you'll see a list of IPs and subnets that are part of your home network, thus whitelisted by default via snort (I'm assuming… lol)
i.e.
var HOME_NET [10.0.1.0/24,192.168.0.1]
I found I had ,/32 in a field with no IP range before it, I removed that, and restarted snort… now I can see it's running and no errors in the system logs.
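Added example for this thread, not pfSense or Snort code: a small checker that scans snort.conf `var` lines for exactly the kind of broken ip_list element described above (",/32" with no address in front of it). The `var NAME value` syntax is the one shown in this thread; the sample snort.conf lines are constructed.

```python
# Check Snort 'var' ip_lists (HOME_NET etc.) for malformed entries.
# Added example for this thread, not pfSense/Snort code: it flags the kind
# of element (",/32", no address) behind "Invalid ip_list" at startup.
import ipaddress
import re

# Matches e.g.  var HOME_NET [10.0.1.0/24,192.168.0.1]
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")

def check_ip_list(value):
    """Return a list of problems found in one ip_list value (empty if OK)."""
    problems = []
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    for raw in inner.split(","):
        tok = raw.strip()
        if tok.startswith("!"):  # negation is legal in Snort ip_lists
            tok = tok[1:]
        if tok == "":
            problems.append("empty element")
        elif tok.startswith("/"):
            problems.append("prefix without address: %r" % raw.strip())
        elif tok.lower() == "any" or tok.startswith("$"):
            continue  # keyword or reference to another variable
        else:
            try:
                ipaddress.ip_network(tok, strict=False)
            except ValueError:
                problems.append("not an address or CIDR: %r" % tok)
    return problems

def check_snort_conf(text):
    """Scan snort.conf text; return (line_no, var_name, problem) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = VAR_RE.match(line)
        if m:
            for p in check_ip_list(m.group(2)):
                findings.append((no, m.group(1), p))
    return findings

# Constructed sample: line 4 carries the ",/32" the thread describes.
SAMPLE_CONF = """\
var HOME_NET [10.0.1.0/24,192.168.0.1]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HOME_NET [10.0.1.0/24,/32]
"""
```

Running `check_snort_conf` over a real snort.conf before starting Snort reports the offending line number, which is quicker than reading the FATAL ERROR after the fact.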
-
It looks like any time there is a config change to the snort settings in pfSense it rewrites the snort.conf and puts in ,/32. I just keep changing it to show 10.0.1.2/32 for its local IP and starting snort and it runs.
I'm running 1.0.1-SNAPSHOT-02-27-2007, and
snort package 2.6.1.3_2
-
It also looks like the white list is not working correctly.
IPs I've white listed do show up in the HOME_NET variable of snort.conf, but I get my external DNS servers and my second external adapter blacklisted while snort is running.
pfsense is plugged into a hub that splits the connection from my cable modem and goes to pfSense, and my wifi router/dmz.
I keep seeing snort alerts for
(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ]
03/06-21:50:51.235361 [removed for privacy] -> [removed for privacy]
ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
then it will blacklist those ips (even though they are whitelisted)
-
Hmm. Odd. I'll investigate, but so far I haven't seen that issue.
-
Yeah, Issue #1 is the main problem I've been having, next would be Issue #2, whitelisted machines getting blocked.
Issue #1
Each change or update to the config modifies snort.conf and ,/32 is added to the HOME_NET variable, then snort fails to start, manual modification to change it to reflect the host's IP is required (i.e. 10.0.1.2/32) then restart of snort
Issue #2
Snort is blacklisting whitelisted IPs (namely my DNS servers and an additional server in my DMZ).
This may be something I have to work out on my own, but as stated my setup is
                         WiFi Router (external IP #1)
Cable Modem------Hub----<
                         pfSense/Snort (external IP #2)
Snort picks up traffic between the WiFi router (ext IP #1) and things like my DNS servers. This is where I get the error
(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ]
03/06-21:50:51.235361 [External IP #1] -> [DNS server]
ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
Should I just add an additional NIC to pfSense, and rather than go inet, hub, split.. go Inet -> pfSense… thus bridging WAN to OPT1 and OPT2 on pfSense, and plug my WiFi router into OPT2, giving it full * access... (I don't wanna block anything for WiFi, I want full open access.) Only thing is, snort will still function on that network as I'm listening on WAN...
Could I listen on OPT1 instead? or would snort still function?
                          [snort] OPT1 - Internal network
I.e. inet -> pfsense WAN <
                          OPT2 - DMZ WiFi
or would that work?
Rather than
                  OPT1 - Internal network
inet WAN [snort] <
                  OPT2 - WiFi DMZ