Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?
Are you talking about clicking the little "+" icon that adds the GID:SID to the Suppression List, or what do you mean by "release an IP"? Perhaps an example will help me undestand this question better.
The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….
I think you're asking here to be able to directly add an IP address instead of having to jump through the hoops of creating an alias under the Firewall tab. Is this correct? If yes, then I believe this can be easily accomplished.
Bill
-
This is the Alerts tab…
Clicking and releasing the source IP of an alert automatically adds it to a whitelist.
![alerts_whitelist IP.jpg](/public/imported_attachments/1/alerts_whitelist IP.jpg)
![alerts_whitelist IP.jpg_thumb](/public/imported_attachments/1/alerts_whitelist IP.jpg_thumb) -
This is the Suppress tab.
A lot easier to add entries as IP's here than adding an alias.
So could the alias list become the same "look" as the suppress tab?
Would make the entry a lot easier.
-
So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.
-
So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.
I understand now. Thanks for the explanation and screen shots. I will add it to my list of stuff.
By the way, I have the RULES tab scrolling issue solved you asked about, but I'm not 100% happy with the result. I will wait and collect up a batch of improvements before posting another Pull Request for Ermal, but I have this working in my testing box. After clicking the icon to enable or disable a SID, when the page returns, it scrolls the last clicked SID to the top of the page. The ugly part is, for now, it's scrolling the headers and other stuff above the list of rules up out of view. I have some ideas to make that prettier: if I can get the Javascript working for me.
-
Allright! Let me know if I shall test something!
-
Once again Snort blocked the renewed WAN IP while it was restarting.
The block happen at 2013-01-26 00:52:58
So fxp0 get DOWN, and UP.
Snort start.
A new IP is acquired before snort finishes. At some point the WAN IP is triggering a block
Have to go to Web Interface to remove the block.Probably in real life, the WAN IP being blocked would trigger a WAN IP down and a reconnect after a while so things might fall back to normal without user intervention.
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization failed 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: parameter negotiation failed 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #33 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] rec'd proto PAP during terminate phase 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Request #16 (Stopping) 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateAck #34 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Ack #33 (Stopping) 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped --> Starting 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart 2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 in 1 seconds 2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 00:00:13.500188 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19195, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 85.159.232.71.16559: Flags [R.], cksum 0xdbf7 (correct), seq 4, ack 1, win 0, length 0 2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 00:00:00.711106 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19199, offset 0, flags [DF], proto TCP (6), length 1462) 2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422 2013-01-26 00:48:55 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 2013-01-26 00:48:55 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:48:58 Local0.Info 172.24.42.254 pf: 00:00:03.656082 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19224, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:48:58 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 69.200.231.126.54005: Flags [R.], cksum 0x6dcd (correct), seq 4, ack 1, win 0, length 0 2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 6 in 4 seconds 2013-01-26 00:49:05 Local0.Info 172.24.42.254 pf: 00:00:07.367220 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19321, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:49:05 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 175.136.38.76.57162: Flags [R.], cksum 0xde42 (correct), seq 4, ack 1, win 0, length 0 2013-01-26 00:49:06 Local0.Info 172.24.42.254 pf: 00:00:00.414099 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19327, offset 0, flags [DF], proto TCP (6), length 58) 2013-01-26 00:49:06 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [P.], cksum 0x4716 (correct), ack 1, win 258, length 18 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 6 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #35 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 508b1152 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #119 (Req-Sent) 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 7e193a28 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #119 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 7e193a28 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #35 (Ack-Sent) 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 508b1152 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:49:09 Local0.Info 172.24.42.254 pf: 00:00:03.593613 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19353, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:49:09 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 46.116.44.44.63832: Flags [R.], cksum 0x00e4 (correct), seq 4, ack 1, win 0, length 0 2013-01-26 00:49:11 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:11 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #2 len: 31 2013-01-26 00:49:13 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:13 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #3 len: 31 2013-01-26 00:49:13 Local0.Info 172.24.42.254 pf: 00:00:03.614018 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 11881, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:49:13 Local0.Info 172.24.42.254 pf: 172.24.48.84.58311 > 199.16.156.104.80: Flags [R.], cksum 0x87e3 (correct), seq 1, ack 1, win 0, length 0 2013-01-26 00:49:15 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:15 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #4 len: 31 2013-01-26 00:49:17 Auth.Emerg 172.24.42.254 php: /index.php: Successful webConfigurator login for user 'admin' from 172.24.48.84 2013-01-26 00:49:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #5 len: 31 2013-01-26 00:49:27 Local0.Info 172.24.42.254 pf: 00:00:14.515424 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19543, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:49:27 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [F.], cksum 0x6825 (correct), seq 18, ack 1, win 258, length 0 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: Multi-link PPP daemon for FreeBSD 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: process 15018 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 10:25 12-Oct-2011) 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: waiting for process 318 to die... 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: caught fatal signal term 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Close event 2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Close event 2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Shutdown 2013-01-26 00:49:31 Daemon.Notice 172.24.42.254 snort[20356]: Can't acquire (-1) - The interface went down! 2013-01-26 00:49:31 Kernel.Info 172.24.42.254 kernel: pppoe1: promiscuous mode disabled 2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Shutdown 2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: process 318 terminated 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: last message repeated 2 times 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: web: web is not running 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Interface ng0 created 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: OPEN event 2013-01-26 00:49:32 Kernel.Info 172.24.42.254 kernel: ng0: changing name to 'pppoe1' 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Open event 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Initial --> Starting 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart 2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:49:32 Daemon.Notice 172.24.42.254 snort[20356]: =============================================================================== 2013-01-26 00:49:32 Daemon.Notice 172.24.42.254 snort[20356]: Packet I/O Totals: ... 2013-01-26 00:49:33 Daemon.Notice 172.24.42.254 snort[20356]: Snort exiting 2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 in 3 seconds 2013-01-26 00:49:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 2013-01-26 00:49:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' ... 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #1 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM b58c9236 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #49 (Req-Sent) 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 0938ff39 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #49 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 0938ff39 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent) 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM b58c9236 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:49:52 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:52 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #2 len: 31 2013-01-26 00:49:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #3 len: 31 2013-01-26 00:49:54 Local0.Info 172.24.42.254 pf: 00:00:26.839787 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 1462) 2013-01-26 00:49:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422 2013-01-26 00:49:56 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:56 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #4 len: 31 2013-01-26 00:49:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:49:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #5 len: 31 2013-01-26 00:50:00 Cron.Info 172.24.42.254 /usr/sbin/cron[60577]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc) 2013-01-26 00:50:06 Local0.Info 172.24.42.254 pf: 00:00:11.449275 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19990, offset 0, flags [DF], proto TCP (6), length 58) 2013-01-26 00:50:06 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [FP.], cksum 0x4715 (correct), seq 0:18, ack 1, win 258, length 18 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization timer expired 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization failed 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: parameter negotiation failed 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #2 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Ack #2 (Stopping) 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped --> Starting 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart 2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 in 4 seconds 2013-01-26 00:50:34 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 2013-01-26 00:50:34 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 3 in 1 seconds 2013-01-26 00:50:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 3 2013-01-26 00:50:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 4 in 1 seconds 2013-01-26 00:50:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 4 2013-01-26 00:50:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 in 2 seconds 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #3 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #124 (Req-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #124 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #3 (Ack-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #4 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #1 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Ack-Sent 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: rec'd ACK #1 len: 5 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization successful 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Matched action 'bundle "wan" ""' 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Join bundle "wan" 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Open event 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Initial --> Starting 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerStart 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Up event 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Starting --> Req-Sent 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #1 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Request #0 (Req-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.249.0.3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 10.249.0.3 is OK 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigAck #0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.249.0.3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #2 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 50.21.131.246 is OK 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent) 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Ack-Sent --> Opened 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerUp 2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 50.21.131.246 -> 10.249.0.3 2013-01-26 00:51:07 Local0.Info 172.24.42.254 pf: 00:01:00.004327 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20475, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-26 00:51:07 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [R.], cksum 0x6923 (correct), seq 19, ack 1, win 0, length 0 2013-01-26 00:51:07 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf 2013-01-26 00:51:08 User.Notice 172.24.42.254 check_reload_status: rc.newwanip starting pppoe1 2013-01-26 00:51:08 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Up event 2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : rc.newwanip: Informational is starting pppoe1. 2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : rc.newwanip: on (IP address: 50.21.131.246) (interface: wan) (real interface: pppoe1). 2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : ROUTING: setting default route to 10.249.0.3 2013-01-26 00:51:13 User.Error 172.24.42.254 apinger: Exiting on signal 15. 2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 24.226.147.201#53 2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 10.249.0.3#53 2013-01-26 00:51:13 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-26 00:51:13 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-26 00:51:13 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to DOWN 2013-01-26 00:51:14 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:51:14 User.Error 172.24.42.254 apinger: Starting Alarm Pinger, apinger(34208) 2013-01-26 00:51:19 User.Warning 172.24.42.254 php: : Resyncing OpenVPN instances for interface WAN. 2013-01-26 00:51:19 User.Warning 172.24.42.254 php: : Creating rrd update script 2013-01-26 00:51:20 Daemon.Info 172.24.42.254 ntpd[21789]: Terminating 2013-01-26 00:51:20 User.Warning 172.24.42.254 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 20534: No such process' 2013-01-26 00:51:24 User.Error 172.24.42.254 apinger: ALARM: WAN(10.249.0.3) *** down *** 2013-01-26 00:51:34 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:51:35 User.Warning 172.24.42.254 php: : OpenNTPD is starting up. 2013-01-26 00:51:35 User.Warning 172.24.42.254 php: : pfSense package system has detected an ip change 50.21.133.25 -> ... Restarting packages. 2013-01-26 00:51:35 User.Notice 172.24.42.254 check_reload_status: Starting packages 2013-01-26 00:51:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 1 echo request(s) 2013-01-26 00:51:40 User.Warning 172.24.42.254 php: : Restarting/Starting all packages. 2013-01-26 00:51:48 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 2 echo request(s) 2013-01-26 00:51:50 User.Notice 172.24.42.254 check_reload_status: Syncing firewall 2013-01-26 00:51:50 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:51:50 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Syncing firewall 2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:51:51 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-26 00:51:51 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-26 00:51:51 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP 2013-01-26 00:51:52 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-26 00:51:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 3 echo request(s) 2013-01-26 00:52:07 Daemon.Info 172.24.42.254 SnortStartup[27729]: Snort STOP For Wan Snort(18203_pppoe1)... 2013-01-26 00:52:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 4 echo request(s) 2013-01-26 00:52:09 Daemon.Info 172.24.42.254 SnortStartup[29350]: Snort STOP For Lan(53096_bridge0)... 2013-01-26 00:52:09 Cron.Info 172.24.42.254 /usr/sbin/cron[30517]: (CRON) DEATH (cron already running, pid: 35579) 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Found pid path directive (/var/run) 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Running in IDS mode 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: --== Initializing Snort ==-- 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Output Plugins! 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Preprocessors! 2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Plug-ins! ... 2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Gzip Decompress Depth: 65535 2013-01-26 00:52:10 Daemon.Error 172.24.42.254 snort[21578]: *** Caught Term-Signal 2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: DEFAULT SERVER CONFIG: 2013-01-26 00:52:10 Kernel.Info 172.24.42.254 kernel: bridge0: promiscuous mode disabled 2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Server profile: All 2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Ports (PAF): 80 901 3128 8080 9000 2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Server Flow Depth: 300 ... 2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: Server seg reassembled: 0 2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: =============================================================================== 2013-01-26 00:52:11 Daemon.Error 172.24.42.254 snort[21578]: Could not remove pid file /var/run/snort_bridge053096.pid: No such file or directory 2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: Snort exiting 2013-01-26 00:52:14 User.Error 172.24.42.254 apinger: Error while feeding rrdtool: Broken pipe 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 5 echo request(s) 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: peer not responding to echo requests 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Leave bundle "wan" 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Close event 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Opened --> Closing 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendTerminateReq #4 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerDown 2013-01-26 00:52:18 User.Notice 172.24.42.254 ppp-linkdown: Removing states from 50.21.131.246/32 2013-01-26 00:52:18 User.Notice 172.24.42.254 ppp-linkdown: Removing states to 10.249.0.3 2013-01-26 00:52:18 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Down event 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Down event 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerFinish 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: No NCPs left. Closing links... 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Closing --> Initial 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #5 2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:52:20 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-26 00:52:20 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to DOWN 2013-01-26 00:52:20 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #6 2013-01-26 00:52:21 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-26 00:52:21 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped --> Starting 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 in 2 seconds 2013-01-26 00:52:24 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 2013-01-26 00:52:24 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:52:26 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-26 00:52:26 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 12108 Snort rules read 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 11703 detection rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 142 decoder rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 263 preprocessor rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 12108 Option Chains linked into 1615 Chain Headers 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 0 Dynamic rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: +++++++++++++++++++++++++++++++++++++++++++++++++++ ... 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set. 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: WARNING: flowbits key 'file.cws' is checked but not ever set. 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: 110 out of 1024 flowbits in use. 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 in 2 seconds 2013-01-26 00:52:35 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 2013-01-26 00:52:35 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Port Based Pattern Matching Memory ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: +-[AC-BNFA Search Info Summary]------------------------------ 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Instances : 638 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Patterns : 58364 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Pattern Chars : 678018 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Num States : 461596 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Num Match States : 51355 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Memory : 10.77Mbytes 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Patterns : 1.98M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Match Lists : 2.79M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Transitions : 5.84M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: +------------------------------------------------- 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Number of patterns truncated to 20 bytes: 8688 ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Number of null byte prefixed patterns trimmed: 4422 ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: pcap DAQ configured to passive. 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: The DAQ version does not support reload. 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: Acquiring network traffic from "pppoe1". 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: Initializing daemon mode 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Daemon initialized, signaled parent pid: 31229 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Reload thread starting... 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Reload thread started, thread 0x3d39a040 (1448) 2013-01-26 00:52:36 Daemon.Info 172.24.42.254 SnortStartup[1617]: Snort START For Wan Snort(18203_pppoe1)... 2013-01-26 00:52:36 Kernel.Info 172.24.42.254 kernel: pppoe1: promiscuous mode enabled 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Decoding LoopBack 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Checking PID path... 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: PID path stat checked out ok, PID path set to /var/run 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Writing PID "1448" to file "/var/run/snort_pppoe118203.pid" 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: --== Initialization Complete ==-- 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Commencing packet processing (pid=1448) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #7 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #77 (Req-Sent) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #77 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #7 (Ack-Sent) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Found pid path directive (/var/run) 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Running in IDS mode 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: --== Initializing Snort ==-- 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Output Plugins! 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #8 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Ack-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #8 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Preprocessors! 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Plug-ins! 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf" 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: rec'd ACK #1 len: 5 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization successful 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Matched action 'bundle "wan" ""' 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Join bundle "wan" 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Open event 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Initial --> Starting 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerStart 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Up event 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Starting --> Req-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #5 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Request #11 (Req-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 10.248.0.9 is OK 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigAck #11 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #6 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 96.43.239.155 is OK 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #7 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Ack-Sent --> Opened 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerUp 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 96.43.239.155 -> 10.248.0.9 2013-01-26 00:52:38 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: PortVar 'DNS_PORTS' defined : 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: [ 53 ] ... 013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: +++++++++++++++++++++++++++++++++++++++++++++++++++ 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: Initializing rule chains... 2013-01-26 00:52:39 User.Notice 172.24.42.254 check_reload_status: rc.newwanip starting pppoe1 2013-01-26 00:52:39 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Up event 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: /usr/local/etc/snort/snort_53096_bridge0/rules/snort.rules(536) threshold (in rule) is deprecated; use detection_filter instead. 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: 00:01:33.546462 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 41060, offset 0, flags [none], proto UDP (17), length 268) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: 64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident: 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (sa: doi=ipsec situation=identity 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (p: #1 protoid=isakmp transform=3 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid] 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : rc.newwanip: Informational is starting pppoe1. 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : rc.newwanip: on (IP address: 96.43.239.155) (interface: wan) (real interface: pppoe1). 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : ROUTING: setting default route to 10.248.0.9 2013-01-26 00:52:44 User.Error 172.24.42.254 apinger: Exiting on signal 15. 2013-01-26 00:52:45 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:52:45 User.Error 172.24.42.254 apinger: Starting Alarm Pinger, apinger(8518) 2013-01-26 00:52:48 Daemon.Notice 172.24.42.254 snort[2994]: 9531 Snort rules read 2013-01-26 00:52:48 Daemon.Notice 172.24.42.254 snort[2994]: 9126 detection rules ... 2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: flowbits key 'imagesource.redefine' is set but not ever checked. 2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: flowbits key 'file.pdf' is checked but not ever set. 2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: 82 out of 1024 flowbits in use. 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: 00:00:10.164279 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 44376, offset 0, flags [none], proto UDP (17), length 268) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: 64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident: 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (sa: doi=ipsec situation=identity 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (p: #1 protoid=isakmp transform=3 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid] 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : Resyncing OpenVPN instances for interface WAN. 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : Creating rrd update script 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 ntpd[17407]: Terminating 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 43483: No such process' 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : OpenNTPD is starting up. 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : pfSense package system has detected an ip change 50.21.131.246 -> ... Restarting packages. 2013-01-26 00:52:51 User.Notice 172.24.42.254 check_reload_status: Starting packages 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 24.226.147.201#53 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 10.248.0.9#53 2013-01-26 00:52:51 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[2994]: ... 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[2994]: Initializing daemon mode 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Daemon initialized, signaled parent pid: 2994 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Reload thread starting... 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Reload thread started, thread 0x3bded640 (54882) 2013-01-26 00:52:56 Kernel.Info 172.24.42.254 kernel: bridge0: promiscuous mode enabled 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Decoding Ethernet 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Checking PID path... 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: PID path stat checked out ok, PID path set to /var/run 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Writing PID "54882" to file "/var/run/snort_bridge053096.pid" 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: --== Initialization Complete ==-- 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Commencing packet processing (pid=54882) 2013-01-26 00:52:57 User.Warning 172.24.42.254 php: : Restarting/Starting all packages. 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:07.065875 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.005788 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000017 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000008 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.043814 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000040 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000006 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.225489 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000033 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000007 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
-
Since I have updated snort with the most recent update, the auto update continues to fail. This is the second day in a row that it has not successfully updated and restarted it self. If I manually do updates or restart the service all is good. It seems to be starting too soon and kicking up empty rules directories and errors out. I didnt have this problem on the previous version and I know there was a fix implemented for it to reload in a certain way. Did this somehow get reverted?
-
I have issues as well….
-
I will take a look at the UPDATES errors.
The other post about blocking the WAN IP when it changes (PPPoE, I think was the poster's connection) might be a bit tougher to resolve. Will look into it, though.
Bill
-
I made some fixes and bumped the snort version so check it out
-
How many of Bills improvements have you incorporated Ermal??
-
I made fixes that might fix the issue on wan ip changing.
Supermule,
all he submitted and corrected some issues with it.
Why you asking? -
Just curious :)
I think he is doing a good job with this package! Thanks for the bump of package.
Everything seems to be running fine in this end :)
-
He did exactly what i wanted to do.
I corrected some issues on his code with the latest fixes mostly for preventing foot-shooting during update.It just misses to select rules based on enabled preprocessors and it should be fairly stable in that regard.
I just pushed a patch to silence the damn snort with its thousands log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the pacakge. -
Thanks Ermal! Much appreciated :)
Great work both of you!
-
@ermal:
I just pushed a patch to silence the damn snort with its thousands log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the pacakge.Thanks Ermal
I see the 2.5.4 available, but there are commits after this, will the version bump again when you get it recompiled or every commit generate a new package?
-
NAh i just pushed the last one which should be it.
I do not plan on committing more on it for now. -
Wow thanks for the quick responses. I will grab the update and give it a shot. You guys are awesome!
-
Ermal's fix and mine passed each other in cyberspace on the way to the servers… ;D
Hopefully the Snort package will be stable for all now with the new features for flowbit resolution and the ability to use Snort VRT pre-defined policies if you want to. The pre-defined policy feature can be very useful to new Snort users, or even casual users, who just want some basic protection. You can enable either the Connectivity or Balanced policy, and then just sort of let it run.
A big shout-out to Ermal for responding quickly and fixing the nasty bug in the rules update. That one got introduced a little over a day ago while adding some robust error checking to the code.
Bill