Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
So, in short: clicking the "release" icon in the alerts tab inserts it in the suppress page with the SID and SRC IP.
I understand now. Thanks for the explanation and screen shots. I will add it to my list of stuff.
By the way, I have the RULES tab scrolling issue you asked about solved, but I'm not 100% happy with the result. I will wait and collect up a batch of improvements before posting another Pull Request for Ermal, but I have this working in my testing box. After clicking the icon to enable or disable a SID, when the page returns, it scrolls the last clicked SID to the top of the page. The ugly part is, for now, it's scrolling the headers and other stuff above the list of rules up out of view. I have some ideas to make that prettier, if I can get the JavaScript working for me.
-
All right! Let me know if I should test something!
-
Once again Snort blocked the renewed WAN IP while it was restarting.
The block happened at 2013-01-26 00:52:58.
So fxp0 goes DOWN, then UP.
Snort starts.
A new IP is acquired before Snort finishes. At some point the WAN IP triggers a block.
I have to go to the web interface to remove the block. Probably, in real life, the WAN IP being blocked would trigger a WAN IP down and a reconnect after a while, so things might fall back to normal without user intervention.
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization failed
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: parameter negotiation failed
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #33
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] rec'd proto PAP during terminate phase
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Request #16 (Stopping)
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateAck #34
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Ack #33 (Stopping)
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped --> Starting
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart
2013-01-26 00:48:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 in 1 seconds
2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 00:00:13.500188 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19195, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 85.159.232.71.16559: Flags [R.], cksum 0xdbf7 (correct), seq 4, ack 1, win 0, length 0
2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 00:00:00.711106 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19199, offset 0, flags [DF], proto TCP (6), length 1462)
2013-01-26 00:48:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
2013-01-26 00:48:55 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5
2013-01-26 00:48:55 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:48:58 Local0.Info 172.24.42.254 pf: 00:00:03.656082 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19224, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:48:58 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 69.200.231.126.54005: Flags [R.], cksum 0x6dcd (correct), seq 4, ack 1, win 0, length 0
2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:49:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 6 in 4 seconds
2013-01-26 00:49:05 Local0.Info 172.24.42.254 pf: 00:00:07.367220 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19321, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:49:05 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 175.136.38.76.57162: Flags [R.], cksum 0xde42 (correct), seq 4, ack 1, win 0, length 0
2013-01-26 00:49:06 Local0.Info 172.24.42.254 pf: 00:00:00.414099 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19327, offset 0, flags [DF], proto TCP (6), length 58)
2013-01-26 00:49:06 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [P.], cksum 0x4716 (correct), ack 1, win 258, length 18
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 6
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #35
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 508b1152
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #119 (Req-Sent)
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 7e193a28
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #119
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 7e193a28
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #35 (Ack-Sent)
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 508b1152
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
2013-01-26 00:49:09 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp
2013-01-26 00:49:09 Local0.Info 172.24.42.254 pf: 00:00:03.593613 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19353, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:49:09 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 46.116.44.44.63832: Flags [R.], cksum 0x00e4 (correct), seq 4, ack 1, win 0, length 0
2013-01-26 00:49:11 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:11 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
2013-01-26 00:49:13 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:13 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
2013-01-26 00:49:13 Local0.Info 172.24.42.254 pf: 00:00:03.614018 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 11881, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:49:13 Local0.Info 172.24.42.254 pf: 172.24.48.84.58311 > 199.16.156.104.80: Flags [R.], cksum 0x87e3 (correct), seq 1, ack 1, win 0, length 0
2013-01-26 00:49:15 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:15 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
2013-01-26 00:49:17 Auth.Emerg 172.24.42.254 php: /index.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
2013-01-26 00:49:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
2013-01-26 00:49:27 Local0.Info 172.24.42.254 pf: 00:00:14.515424 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19543, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:49:27 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [F.], cksum 0x6825 (correct), seq 18, ack 1, win 258, length 0
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: Multi-link PPP daemon for FreeBSD
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp:
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: process 15018 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 10:25 12-Oct-2011)
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: waiting for process 318 to die...
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: caught fatal signal term
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Close event
2013-01-26 00:49:29 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Close event
2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Shutdown
2013-01-26 00:49:31 Daemon.Notice 172.24.42.254 snort[20356]: Can't acquire (-1) - The interface went down!
2013-01-26 00:49:31 Kernel.Info 172.24.42.254 kernel: pppoe1: promiscuous mode disabled
2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Shutdown
2013-01-26 00:49:31 Daemon.Info 172.24.42.254 ppp: process 318 terminated
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: last message repeated 2 times
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: web: web is not running
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Interface ng0 created
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: OPEN event
2013-01-26 00:49:32 Kernel.Info 172.24.42.254 kernel: ng0: changing name to 'pppoe1'
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Open event
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Initial --> Starting
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart
2013-01-26 00:49:32 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:49:32 Daemon.Notice 172.24.42.254 snort[20356]: ===============================================================================
2013-01-26 00:49:32 Daemon.Notice 172.24.42.254 snort[20356]: Packet I/O Totals: ...
2013-01-26 00:49:33 Daemon.Notice 172.24.42.254 snort[20356]: Snort exiting
2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:49:41 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 in 3 seconds
2013-01-26 00:49:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1
2013-01-26 00:49:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' ...
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #1
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM b58c9236
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #49 (Req-Sent)
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 0938ff39
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #49
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 0938ff39
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM b58c9236
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
2013-01-26 00:49:50 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp
2013-01-26 00:49:52 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:52 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
2013-01-26 00:49:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
2013-01-26 00:49:54 Local0.Info 172.24.42.254 pf: 00:00:26.839787 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 1462)
2013-01-26 00:49:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
2013-01-26 00:49:56 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:56 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
2013-01-26 00:49:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:49:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
2013-01-26 00:50:00 Cron.Info 172.24.42.254 /usr/sbin/cron[60577]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
2013-01-26 00:50:06 Local0.Info 172.24.42.254 pf: 00:00:11.449275 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19990, offset 0, flags [DF], proto TCP (6), length 58)
2013-01-26 00:50:06 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [FP.], cksum 0x4715 (correct), seq 0:18, ack 1, win 258, length 18
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization timer expired
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization failed
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: parameter negotiation failed
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #2
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Terminate Ack #2 (Stopping)
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped --> Starting
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart
2013-01-26 00:50:30 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 in 4 seconds
2013-01-26 00:50:34 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2
2013-01-26 00:50:34 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:50:43 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 3 in 1 seconds
2013-01-26 00:50:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 3
2013-01-26 00:50:44 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:50:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 4 in 1 seconds
2013-01-26 00:50:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 4
2013-01-26 00:50:54 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:51:03 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5 in 2 seconds
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 5
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to ''
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #3
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:05 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #124 (Req-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #124
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #3 (Ack-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #4
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #1
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 547556ca
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Ack-Sent
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 5baa10da
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla"
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: rec'd ACK #1 len: 5
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization successful
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Join bundle "wan"
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Open event
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Initial --> Starting
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerStart
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Up event
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Starting --> Req-Sent
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #1
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Request #0 (Req-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.249.0.3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 10.249.0.3 is OK
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigAck #0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.249.0.3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #2
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 50.21.131.246 is OK
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 50.21.131.246
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.249.0.3
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Ack-Sent --> Opened
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerUp
2013-01-26 00:51:06 Daemon.Info 172.24.42.254 ppp: [wan] 50.21.131.246 -> 10.249.0.3
2013-01-26 00:51:07 Local0.Info 172.24.42.254 pf: 00:01:00.004327 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20475, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-26 00:51:07 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 182.53.13.45.47411: Flags [R.], cksum 0x6923 (correct), seq 19, ack 1, win 0, length 0
2013-01-26 00:51:07 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf
2013-01-26 00:51:08 User.Notice 172.24.42.254 check_reload_status: rc.newwanip starting pppoe1
2013-01-26 00:51:08 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Up event
2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : rc.newwanip: Informational is starting pppoe1.
2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : rc.newwanip: on (IP address: 50.21.131.246) (interface: wan) (real interface: pppoe1).
2013-01-26 00:51:13 User.Warning 172.24.42.254 php: : ROUTING: setting default route to 10.249.0.3
2013-01-26 00:51:13 User.Error 172.24.42.254 apinger: Exiting on signal 15.
2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf
2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 24.226.147.201#53
2013-01-26 00:51:13 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 10.249.0.3#53
2013-01-26 00:51:13 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
2013-01-26 00:51:13 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0
2013-01-26 00:51:13 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to DOWN
2013-01-26 00:51:14 User.Notice 172.24.42.254 check_reload_status: Reloading filter
2013-01-26 00:51:14 User.Error 172.24.42.254 apinger: Starting Alarm Pinger, apinger(34208)
2013-01-26 00:51:19 User.Warning 172.24.42.254 php: : Resyncing OpenVPN instances for interface WAN.
2013-01-26 00:51:19 User.Warning 172.24.42.254 php: : Creating rrd update script
2013-01-26 00:51:20 Daemon.Info 172.24.42.254 ntpd[21789]: Terminating
2013-01-26 00:51:20 User.Warning 172.24.42.254 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 20534: No such process'
2013-01-26 00:51:24 User.Error 172.24.42.254 apinger: ALARM: WAN(10.249.0.3) *** down ***
2013-01-26 00:51:34 User.Notice 172.24.42.254 check_reload_status: Reloading filter
2013-01-26 00:51:35 User.Warning 172.24.42.254 php: : OpenNTPD is starting up.
2013-01-26 00:51:35 User.Warning 172.24.42.254 php: : pfSense package system has detected an ip change 50.21.133.25 -> ... Restarting packages.
2013-01-26 00:51:35 User.Notice 172.24.42.254 check_reload_status: Starting packages
2013-01-26 00:51:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 1 echo request(s)
2013-01-26 00:51:40 User.Warning 172.24.42.254 php: : Restarting/Starting all packages.
2013-01-26 00:51:48 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 2 echo request(s)
2013-01-26 00:51:50 User.Notice 172.24.42.254 check_reload_status: Syncing firewall
2013-01-26 00:51:50 User.Notice 172.24.42.254 check_reload_status: Reloading filter
2013-01-26 00:51:50 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Syncing firewall
2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Reloading filter
2013-01-26 00:51:51 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
2013-01-26 00:51:51 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
2013-01-26 00:51:51 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0
2013-01-26 00:51:51 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP
2013-01-26 00:51:52 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
2013-01-26 00:51:58 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 3 echo request(s)
2013-01-26 00:52:07 Daemon.Info 172.24.42.254 SnortStartup[27729]: Snort STOP For Wan Snort(18203_pppoe1)...
2013-01-26 00:52:08 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 4 echo request(s)
2013-01-26 00:52:09 Daemon.Info 172.24.42.254 SnortStartup[29350]: Snort STOP For Lan(53096_bridge0)...
2013-01-26 00:52:09 Cron.Info 172.24.42.254 /usr/sbin/cron[30517]: (CRON) DEATH (cron already running, pid: 35579)
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Found pid path directive (/var/run)
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Running in IDS mode
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]:
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: --== Initializing Snort ==--
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Output Plugins!
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Preprocessors!
2013-01-26 00:52:09 Daemon.Notice 172.24.42.254 snort[31229]: Initializing Plug-ins! ...
2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Gzip Decompress Depth: 65535
2013-01-26 00:52:10 Daemon.Error 172.24.42.254 snort[21578]: *** Caught Term-Signal
2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: DEFAULT SERVER CONFIG:
2013-01-26 00:52:10 Kernel.Info 172.24.42.254 kernel: bridge0: promiscuous mode disabled
2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Server profile: All
2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Ports (PAF): 80 901 3128 8080 9000
2013-01-26 00:52:10 Daemon.Notice 172.24.42.254 snort[31229]: Server Flow Depth: 300 ...
2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: Server seg reassembled: 0
2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: ===============================================================================
2013-01-26 00:52:11 Daemon.Error 172.24.42.254 snort[21578]: Could not remove pid file /var/run/snort_bridge053096.pid: No such file or directory
2013-01-26 00:52:11 Daemon.Notice 172.24.42.254 snort[21578]: Snort exiting
2013-01-26 00:52:14 User.Error 172.24.42.254 apinger: Error while feeding rrdtool: Broken pipe
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: no reply to 5 echo request(s)
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: peer not responding to echo requests
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Stopping
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Leave bundle "wan"
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Close event
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Opened --> Closing
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendTerminateReq #4
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerDown
2013-01-26 00:52:18 User.Notice 172.24.42.254 ppp-linkdown: Removing states from 50.21.131.246/32
2013-01-26 00:52:18 User.Notice 172.24.42.254 ppp-linkdown: Removing states to 10.249.0.3
2013-01-26 00:52:18 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Down event
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Down event
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerFinish
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: No NCPs left. Closing links...
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Closing --> Initial
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #5
2013-01-26 00:52:18 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown
2013-01-26 00:52:20 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0
2013-01-26 00:52:20 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to DOWN
2013-01-26 00:52:20 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendTerminateReq #6
2013-01-26 00:52:21 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0
2013-01-26 00:52:21 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopping --> Stopped
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerFinish
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection closed
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event
2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Stopped
--> Starting 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerStart 2013-01-26 00:52:22 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 in 2 seconds 2013-01-26 00:52:24 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 1 2013-01-26 00:52:24 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:52:26 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-26 00:52:26 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 12108 Snort rules read 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 11703 detection rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 142 decoder rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 263 preprocessor rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 12108 Option Chains linked into 1615 Chain Headers 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: 0 Dynamic rules 2013-01-26 00:52:26 Daemon.Notice 172.24.42.254 snort[31229]: +++++++++++++++++++++++++++++++++++++++++++++++++++ ... 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set. 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: WARNING: flowbits key 'file.cws' is checked but not ever set. 2013-01-26 00:52:29 Daemon.Notice 172.24.42.254 snort[31229]: 110 out of 1024 flowbits in use. 
2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-26 00:52:33 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 in 2 seconds 2013-01-26 00:52:35 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 2 2013-01-26 00:52:35 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Port Based Pattern Matching Memory ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: +-[AC-BNFA Search Info Summary]------------------------------ 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Instances : 638 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Patterns : 58364 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Pattern Chars : 678018 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Num States : 461596 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Num Match States : 51355 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Memory : 10.77Mbytes 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Patterns : 1.98M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Match Lists : 2.79M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: | Transitions : 5.84M 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: +------------------------------------------------- 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Number of patterns truncated to 20 bytes: 8688 ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: [ Number of null byte prefixed patterns trimmed: 4422 ] 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: pcap 
DAQ configured to passive. 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: The DAQ version does not support reload. 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: Acquiring network traffic from "pppoe1". 2013-01-26 00:52:35 Daemon.Notice 172.24.42.254 snort[31229]: Initializing daemon mode 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Daemon initialized, signaled parent pid: 31229 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Reload thread starting... 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Reload thread started, thread 0x3d39a040 (1448) 2013-01-26 00:52:36 Daemon.Info 172.24.42.254 SnortStartup[1617]: Snort START For Wan Snort(18203_pppoe1)... 2013-01-26 00:52:36 Kernel.Info 172.24.42.254 kernel: pppoe1: promiscuous mode enabled 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Decoding LoopBack 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Checking PID path... 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: PID path stat checked out ok, PID path set to /var/run 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Writing PID "1448" to file "/var/run/snort_pppoe118203.pid" 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: --== Initialization Complete ==-- 2013-01-26 00:52:36 Daemon.Notice 172.24.42.254 snort[1448]: Commencing packet processing (pid=1448) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #7 
2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #77 (Req-Sent) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #77 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #7 (Ack-Sent) 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:52:37 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Found pid path directive (/var/run) 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Running in IDS mode 2013-01-26 00:52:38 Daemon.Notice 
172.24.42.254 snort[2994]: 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: --== Initializing Snort ==-- 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Output Plugins! 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #8 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 6bcdb8c1 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Ack-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #8 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM d3681604 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "blablabla" 2013-01-26 00:52:38 
Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Preprocessors! 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Initializing Plug-ins! 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf" 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: rec'd ACK #1 len: 5 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization successful 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Matched action 'bundle "wan" ""' 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Join bundle "wan" 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Open event 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Initial --> Starting 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerStart 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Up event 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Starting --> Req-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #5 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. 
channels, no comp-cid 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Request #11 (Req-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 10.248.0.9 is OK 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigAck #11 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #6 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent) 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 96.43.239.155 is OK 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #7 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent) 2013-01-26 
00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 96.43.239.155 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.248.0.9 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Ack-Sent --> Opened 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerUp 2013-01-26 00:52:38 Daemon.Info 172.24.42.254 ppp: [wan] 96.43.239.155 -> 10.248.0.9 2013-01-26 00:52:38 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: PortVar 'DNS_PORTS' defined : 2013-01-26 00:52:38 Daemon.Notice 172.24.42.254 snort[2994]: [ 53 ] ... 013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: +++++++++++++++++++++++++++++++++++++++++++++++++++ 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: Initializing rule chains... 2013-01-26 00:52:39 User.Notice 172.24.42.254 check_reload_status: rc.newwanip starting pppoe1 2013-01-26 00:52:39 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Up event 2013-01-26 00:52:39 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: /usr/local/etc/snort/snort_53096_bridge0/rules/snort.rules(536) threshold (in rule) is deprecated; use detection_filter instead. 
2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: 00:01:33.546462 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 41060, offset 0, flags [none], proto UDP (17), length 268) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: 64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident: 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (sa: doi=ipsec situation=identity 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (p: #1 protoid=isakmp transform=3 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:40 Local0.Info 172.24.42.254 pf: (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid] 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : rc.newwanip: Informational is starting pppoe1. 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : rc.newwanip: on (IP address: 96.43.239.155) (interface: wan) (real interface: pppoe1). 2013-01-26 00:52:44 User.Warning 172.24.42.254 php: : ROUTING: setting default route to 10.248.0.9 2013-01-26 00:52:44 User.Error 172.24.42.254 apinger: Exiting on signal 15. 2013-01-26 00:52:45 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-26 00:52:45 User.Error 172.24.42.254 apinger: Starting Alarm Pinger, apinger(8518) 2013-01-26 00:52:48 Daemon.Notice 172.24.42.254 snort[2994]: 9531 Snort rules read 2013-01-26 00:52:48 Daemon.Notice 172.24.42.254 snort[2994]: 9126 detection rules ... 
2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: flowbits key 'imagesource.redefine' is set but not ever checked. 2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: WARNING: flowbits key 'file.pdf' is checked but not ever set. 2013-01-26 00:52:50 Daemon.Notice 172.24.42.254 snort[2994]: 82 out of 1024 flowbits in use. 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: 00:00:10.164279 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 44376, offset 0, flags [none], proto UDP (17), length 268) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: 64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident: 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (sa: doi=ipsec situation=identity 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (p: #1 protoid=isakmp transform=3 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) 2013-01-26 00:52:50 Local0.Info 172.24.42.254 pf: (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid] 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : Resyncing OpenVPN instances for interface WAN. 
2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : Creating rrd update script 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 ntpd[17407]: Terminating 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 43483: No such process' 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : OpenNTPD is starting up. 2013-01-26 00:52:51 User.Warning 172.24.42.254 php: : pfSense package system has detected an ip change 50.21.131.246 -> ... Restarting packages. 2013-01-26 00:52:51 User.Notice 172.24.42.254 check_reload_status: Starting packages 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 24.226.147.201#53 2013-01-26 00:52:51 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 10.248.0.9#53 2013-01-26 00:52:51 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[2994]: ... 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[2994]: Initializing daemon mode 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Daemon initialized, signaled parent pid: 2994 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Reload thread starting... 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Reload thread started, thread 0x3bded640 (54882) 2013-01-26 00:52:56 Kernel.Info 172.24.42.254 kernel: bridge0: promiscuous mode enabled 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Decoding Ethernet 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Checking PID path... 
2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: PID path stat checked out ok, PID path set to /var/run 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Writing PID "54882" to file "/var/run/snort_bridge053096.pid" 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: --== Initialization Complete ==-- 2013-01-26 00:52:56 Daemon.Notice 172.24.42.254 snort[54882]: Commencing packet processing (pid=54882) 2013-01-26 00:52:57 User.Warning 172.24.42.254 php: : Restarting/Starting all packages. 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:07.065875 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.005788 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000017 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 
00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000008 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.043814 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000040 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000006 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.225489 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000033 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-26 00:52:57 Local0.Info 
172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-26 00:52:57 Local0.Info 172.24.42.254 pf: 00:00:00.000007 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
-
Since I have updated snort with the most recent update, the auto update continues to fail. This is the second day in a row that it has not successfully updated and restarted itself. If I manually do updates or restart the service all is good. It seems to be starting too soon and kicking up empty rules directories and errors out. I didn't have this problem on the previous version and I know there was a fix implemented for it to reload in a certain way. Did this somehow get reverted?
-
I have issues as well…
-
I will take a look at the UPDATES errors.
The other post about blocking the WAN IP when it changes (PPPoE, I think was the poster's connection) might be a bit tougher to resolve. Will look into it, though.
Bill
-
I made some fixes and bumped the snort version so check it out
-
How many of Bill's improvements have you incorporated, Ermal?
-
I made fixes that might fix the issue on WAN IP changing.
Supermule,
all he submitted, and corrected some issues with it.
Why are you asking?
-
Just curious :)
I think he is doing a good job with this package! Thanks for the bump of package.
Everything seems to be running fine in this end :)
-
He did exactly what I wanted to do.
I corrected some issues on his code with the latest fixes, mostly for preventing foot-shooting during update. It just lacks selecting rules based on enabled preprocessors, and it should be fairly stable in that regard.
I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the package.
-
Thanks Ermal! Much appreciated :)
Great work both of you!
-
@ermal:
I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the package.
Thanks Ermal
I see the 2.5.4 available, but there are commits after this; will the version bump again when you get it recompiled, or does every commit generate a new package?
-
Nah, I just pushed the last one which should be it.
I do not plan on committing more on it for now.
-
Wow thanks for the quick responses. I will grab the update and give it a shot. You guys are awesome!
-
Ermal's fix and mine passed each other in cyberspace on the way to the servers… ;D
Hopefully the Snort package will be stable for all now with the new features for flowbit resolution and the ability to use Snort VRT pre-defined policies if you want to. The pre-defined policy feature can be very useful to new Snort users, or even casual users, who just want some basic protection. You can enable either the Connectivity or Balanced policy, and then just sort of let it run.
A big shout-out to Ermal for responding quickly and fixing the nasty bug in the rules update. That one got introduced a little over a day ago while adding some robust error checking to the code.
Bill
-
@ermal:
I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the package.
Thanks so much for this! It was annoying to have the syslog fill every restart.
-
Snort will no longer start: (I changed the IPs below with the asterisks)
Looks like there is no subnet set for the IPv6 address.
Jan 27 00:23:21 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
Jan 27 00:23:21 snort[43598]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,192.168.0.0/16,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24].
Jan 27 00:23:19 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
Jan 27 00:22:13 check_reload_status: Syncing firewall
Jan 27 00:20:54 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
Jan 27 00:20:54 snort[95541]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24].
Jan 27 00:20:51 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
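A pre-start check of the kind that would have caught that snort.conf line before the daemon aborted, as an added example that is not code from the pfSense Snort package or from the poster. The conf text, addresses (documentation ranges standing in for the redacted ones) and function names are all constructed for the example; it flags the element with the empty IPv6 prefix length and reports the conf line number the way Snort's FATAL ERROR does.

```python
"""Lint the ipvar IP lists in a Snort 2.9 snort.conf before starting the daemon.

Snort aborts with "Failed to parse the IP address" when any element of an
ipvar list is malformed, e.g. an IPv6 entry written as "2001:db8::/" with the
prefix length left empty.  Snort only names the conf line; this check names
the offending element as well.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: a six-line snort.conf fragment whose ipvar sits on line 6,
# matching the snort.conf(6) error in the post.  Documentation ranges replace the
# redacted addresses; the sixth element reproduces the empty IPv6 prefix length.
SAMPLE_CONF = """\
# constructed snort.conf fragment (not from the pfSense package)
config daemon
config logdir: /var/log/snort
config pidpath: /var/run
portvar HTTP_PORTS [80,8080]
ipvar HOME_NET [127.0.0.1,192.168.0.0/16,203.0.113.5,2001:db8:1:2::,203.0.113.0/20,2001:db8:1:2::/,203.0.113.1,4.2.2.4,2001:db8::5353:1,192.168.2.0/24]
ipvar EXTERNAL_NET !$HOME_NET
"""

_IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(.+?)\s*$")


def split_ip_list(value: str) -> List[str]:
    """Split '[a,b,c]' (or a bare 'a') into its comma-separated elements."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",") if e.strip()]


def check_ip_element(elem: str) -> Optional[str]:
    """Return None if elem is an address/CIDR Snort can parse, else the reason."""
    body = elem[1:] if elem.startswith("!") else elem  # leading '!' negates an entry
    if body.lower() == "any" or body.startswith("$"):
        return None  # keyword or reference to another ipvar: not checked here
    if "/" in body:
        _, _, prefix = body.partition("/")
        if prefix == "":
            return "prefix length missing after '/'"
        if not prefix.isdigit():
            return "prefix length %r is not a number" % prefix
    try:
        # strict=False accepts networks with host bits set (e.g. 203.0.113.5/20)
        ipaddress.ip_network(body, strict=False)
    except ValueError as exc:
        return "not a valid address or network (%s)" % exc
    return None


def lint_snort_conf(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, element, reason) for every bad element of every ipvar."""
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = _IPVAR_RE.match(line)
        if not match:
            continue
        for elem in split_ip_list(match.group(2)):
            reason = check_ip_element(elem)
            if reason is not None:
                problems.append((lineno, elem, reason))
    return problems


if __name__ == "__main__":
    for lineno, elem, reason in lint_snort_conf(SAMPLE_CONF):
        print("snort.conf(%d): %s: %s" % (lineno, elem, reason))
```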
-
Updated snort today, now it does not start. Error is…
snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
I disabled the bad traffic rules (SO and non-SO) and it still fails to start. Reinstalled the package again, and no go. Was working for quite a while. Had not updated for a month, but thought from the thread here that it was stable.
-
Just went for a re-install of Snort 2.9.2.3 pkg v. 2.5.4 ::)
No luck
Remove, install, update rules and it started OK.
Is there a 'requirement' to have a re-install button? ???
I could live without it ;D