2.1 and Snort with IPv6



  • First off, not sure if this should be in the 2.1 section or packages section, but I'll try here first.

    I've been running 2.1 for a few weeks now with Snort without issues; however, recently I've integrated Charter's IPv6 6RD setup and it is working like a champ. However, this has affected my Snort setup and it doesn't want to start anymore. I am getting the following line now when trying to start Snort with my latest configuration:

    
    Nov 10 10:59:14 firewall.localhome.com snort[31863]: FATAL ERROR: /usr/local/etc/snort/snort_58483_em0/snort.conf(17) Failed to parse the IP address: [xx.xxx.xxx.xx/xx,xx.xxx.xxx.x/xx,xxx.xxx.xx.x/xx,xxx.x.x.x,x.x.x.x,x.x.x.x,xxxx:xxx:xxxx:axxx::/,fexx::x:x/xx,xxxx:xxxx:xxxx::xxxx,xxxx:xxxx:xxxx::xxxx,::x].
    
    

    My LAN/WAN setup is attached to the post and I am running 2.1-BETA0 (amd64) built on Fri Nov 9 14:10:59 EST 2012 for the version.

    Any thoughts or ideas to fix this by chance? Thanks in advance!






  • It's a snort package thing.
    Maybe the list is not generated with the format snort expects for IPv6. Need to do some trial and test to find the right format and let me know.
    At the time I did the implementation it worked though!?



  • @ermal:

    It's a snort package thing.
    Maybe the list is not generated with the format snort expects for IPv6. Need to do some trial and test to find the right format and let me know.
    At the time I did the implementation it worked though!?

    I found the problem and it is a syntax error in the population of the HOME_NET variable. As you compile the list of IPs to protect in the HOME_NET it is including my stf0 interface which in my 6RD implementation comes across as this in the route table:

    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           2602:100:4472:a501::          UGS        stf0
    
    

    Somehow in the building of the HOME_NET the IP is getting set up with a / but no prefix number at the end. If I replace 2602:100:4472:a501::/ with 2602:100:4472:a501::/64 it works and starts up. But I am not sure what this should be since I am using Charter's configuration which says /32 for the 6rd ipv4 prefix length and /32 for the 6rd prefix.

    Thoughts?
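The check described in the post above, as an added example that is not part of the original thread or of the Snort package: it splits a flat HOME_NET-style list and reports any entry that is not a valid address or CIDR block, including the "slash with no prefix length" case. The function names and the sample list are assumptions; only the stf0 address is taken from the route table in the post, the other entries are constructed.

```python
import ipaddress


def split_ipvar(value):
    """Split a flat bracketed list such as "[a,b,c]" into its entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_entry(entry):
    """Return None for a valid address or CIDR block, else a reason string."""
    addr, slash, prefix = entry.partition("/")
    if slash and not prefix:
        # The failure from the thread: "addr/" with nothing after the slash.
        return "slash with no prefix length"
    try:
        if slash:
            # strict=False accepts entries with host bits set (e.g. 192.0.2.1/24).
            ipaddress.ip_network(entry, strict=False)
        else:
            ipaddress.ip_address(addr)
    except ValueError as exc:
        # Covers bad addresses and out-of-range prefixes such as /33 or /129.
        return str(exc)
    return None


def find_bad_entries(value):
    """Return (entry, reason) pairs for every entry that fails validation."""
    bad = []
    for entry in split_ipvar(value):
        reason = check_entry(entry)
        if reason is not None:
            bad.append((entry, reason))
    return bad


# Constructed sample list; only 2602:100:4472:a501:: comes from the post.
SAMPLE_HOME_NET = (
    "[192.0.2.0/24,127.0.0.1,2602:100:4472:a501::/,"
    "fe80::1:1/64,2001:db8::1,::1]"
)

if __name__ == "__main__":
    for entry, reason in find_bad_entries(SAMPLE_HOME_NET):
        print(f"{entry}: {reason}")
```

Running a generated list through a check like this before Snort is restarted points at the offending entry directly, instead of the single FATAL ERROR line that quotes the whole list.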



  • Bump.

    Any thoughts?



  • Am I the only one seeing this issue? Can someone with a 6RD setup comment on their snort success please?


Locked