Snort & PPPoE: Snort refuses to start(?)



  • (I originally posted my problem into an existing Snort thread (http://forum.pfsense.org/index.php/topic,61651.new.html#new), but per the suggestion to keep that thread from 'meandering' into several unintended directions, I am moving my post out of that thread into its own thread.)

    Thank you for the instructions, Bill  ;D

    My problem is the same: after upgrading PFS to 2.0.3, Snort didn't start. So I reinstalled the package (via the GUI/packages/reinstall). This upgraded Snort to the latest. It still doesn't start.

    The system log (from the GUI, I don't know where to look from the command line  :-[) shows nothing:

    Apr 27 10:31:37 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 27 10:31:36 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 27 10:31:34 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …

    I have done everything you suggest right above:

    The killall instructions you gave return nothing:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort
    No matching processes were found
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):
    
    

    I can press 'start' (the green icon) as many times as I want to, it stays green, and also the dashboard service widget shows all packages running except for Snort; that is stopped, and starting it from that dashboard widget also doesn't make it run. Starting it from the shell:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):
    
    

    That also doesn't do anything. It shows this:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(10):  ps -ax | grep snort
    55501   0  R+     0:00.00 grep snort
    
    

    (I don't know what that means).

    But in the GUI Snort is still stopped.

    And now for the most stupid question of all ( :-[): I am trying to get the /usr/local/etc/rc.d/snort.sh file to attach here, but how do I get it from my PFS while using putty from within W7? I can see it (using ee, I can't remember the vi commands  ;D), but the lines are too long to copy and paste properly in here, even with a wide-screen 24" (let alone that I think you would prefer to have these long lines of code in an attachment?).

    And for a slightly less stupid (but still not the brightest  :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?

    Thank you very much for any help  ;D

    EDIT: snort.sh added (with .txt).

    snort.sh.txt



  • @bmeeks:

    @Hollander:

    The killall instructions you gave return nothing:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort
    No matching processes were found
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):
    
    

    I can press 'start' (the green icon) as many times as I want to, it stays green, and also the dashboard service widget shows all packages running except for Snort; that is stopped, and starting it from that dashboard widget also doesn't make it run. Starting it from the shell:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):
    
    

    (I don't know what that means).

    But in the GUI Snort is still stopped.

    And for a slightly less stupid (but still not the brightest  :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?

    Thank you very much for any help  ;D


    I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

    As for your second question relative to logs, there is really just the system log.  You can see part of it in the GUI, or you can go to /var/log/system.log and see it all.  Other than a separate rules update log, there is no separate log file for Snort (aside from the alerts log, but no system startup/error messages get printed there).

    Bill



  • @bmeeks:

    I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

    Bill

    Thank you very much for your reply, Bill  ;D

    I was sort of  :o ??? about your remark about the PPPoE; I thought (but please forgive me, I am a noob) that everybody who is on ADSL/VDSL uses PPPoE? Is there another way?

    Is there something else I should try/can try?

    And, if I may, another question, just for me to try to understand then:

    • Before my upgrades I was on 2.0.2, with the previous Snort, but also (due to a PPPoE-problem in 2.0.2) PFS-WAN got an internal IP (192.168.1.2) from the ISP modem/router (192.168.1.1), and the PFS-LAN was on another subnet.
    • In that situation Snort was running (but wasn't really doing anything useful, as all it did (according to the snort-messages in the dashboard) was telling me about some sort of category-3 events between PFS-WAN and 192.168.1.1 (the ISP-modem/router)).
    • So if I may ask: what was the 'type of connection' PFS-WAN -> ISP-modem/router there then? I mean: surely not the PPPoE which Snort might not like, but what then? And if other people don't use PPPoE but this kind of connection, Snort won't be useful then, will it? (given that it filters PFS-WAN <-> ISP modem/router which in my situation didn't show anything useful).

    Thank you again Bill  ;D



  • @Supermule:

    Could it be related to the fact that you use a private IP as WAN and then Snort doesn't see it because of the definition of home net??

    Thank you for your reply :-)

    No, that was the old situation in 2.0.2, where Snort was at least running. In the new situation, 2.0.3, the PPPoE dial up is fixed so the WAN is now directly the external IP from my ISP. And now Snort refuses to run.



  • You are running version 2.0.3 of pfSense.
    There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
    I would like to see the contents of that file.

    Also would you do in the shell:

    snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
    

    This is a test to run your configuration file. The last two lines should look like:

    Snort successfully validated the configuration!
    Snort exiting
    
    

    Or else you can look for irregularities.



  • Thank you very much for your reply, Gogol  :P

    I will do what you are asking for tomorrow: right now 'the guardians of my wife' (my dogs  ;D) are heavily complaining that I am not walking with them. And my wife is complaining that dinner will get cold. Sometimes I wonder: a life without wife and her guardians might be less stressful  ;D ;D ;D


  • Always! :D



  • Does anyone else out there have Snort running on pfSense 2.0.x or higher with PPPoE on the interface?  I seem to recall some differences in the way 2.0.x and higher pfSense construct and use the PPPoE interface (markedly different from 1.2.x pfSense, if I recall correctly).  This might be the core of the problem the OP is having with Snort on a PPPoE interface.

    Bill



  • pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)



  • @turker:

    pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)

    Thanks!  I guess that means Snort and PPPoE can be happy together on 2.0.x.  I had a working installation myself back on 1.2.3 some time back, but I had not tried it on 2.0.x.  Prior to my upgrade of pfSense I moved to a cable modem connection for home that uses DHCP on the WAN.  The OP's problem must lie elsewhere, then.

    Bill



  • @turker:

    pfSense 2.0.3, Snort 2.9.4.1 pkg v. 2.5.7 Snort, PPPoE interface. Working properly. (of mine)

    Thank you for this feedback, that is at least promising  ;D



  • @gogol:

    You are running version 2.0.3 of pfSense.
    There should be a directory /usr/local/etc/snort/your_snort_sensor and in that directory should be snort.conf
    I would like to see the contents of that file.

    Also would you do in the shell:

    snort -T -i your_pppoe_interface -c /usr/local/etc/snort/your_snort_sensor/snort.conf
    

    This is a test to run your configuration file. The last two lines should look like:

    Snort successfully validated the configuration!
    Snort exiting
    
    

    Or else you can look for irregularities.

    Again thank you, Gogol  ;D

    I tried to find what you want to see. The "your_snort_sensor" invokes me to guess what you mean ( :P). I found two directories:

    
    /usr/local/etc/snort/snort_64222_em0/
    /usr/local/etc/snort/snort_64222_pppoe0/
    
    

    I take it these are the 'sensor directories', and you wanted to see the last directory's snort.conf. I have attached it.

    The test command did give an error, I have attached the output of that also.

    Thank you again Gogol  ;D

    snort.conf._pppoe.txt
    testrun_log.txt



  • @Hollander:

    I take it these are the 'sensor directories', and you wanted to see the last directories snort.conf. I have attached it.

    The test command did give an error, I have attached the output of that also.

    Thank you again Gogol  ;D

    Here is your problem:

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
    Fatal Error, Quitting..
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
    
    

    This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function.  I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot.  You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.

    Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near the top.  That will automatically disable rules that need Preprocessors you do not have enabled.  However, this automatic rule disabling can leave your systems less than adequately protected.  It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.

    Bill



  • And while I am still on the Preprocessor soapbox --  ;)

    Be aware that you must be intimately familiar with all the Preprocessors and their rule dependencies if you try to pick and choose which ones to enable.  Also you must understand that on any given update of the Rules from Snort.org or Emerging Threats, formerly disabled rules could become enabled again and thus cause Snort not to restart following the update due to a Preprocessor dependency.

    It's just better in my view, with today's higher-powered CPUs and firewalls with plenty of RAM, to just enable all the Preprocessors.  That way, they are ready for any rule that needs them, and you don't get these FATAL ERRORS on restart because of a disabled Preprocessor.  The only exception I make to this is the Sensitive Data preprocessor.  Some folks don't want all the noise it can generate, so they disable it.  The Snort package will, if the Sensitive Data Preprocessor is disabled, automatically take care of the handful of Preprocessor Rules associated with it.

    Bill
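    Gogol's `snort -T` test run, Bill's reading of the "Unknown rule option: 'dce_iface'" fatal error, and the warning above that a rule update can re-enable rules with a preprocessor dependency all come down to the same question: does the sensor's snort.conf enable every preprocessor that its active rules need? The following shell script is an added example, not code from the thread or from the pfSense Snort package. It does a static pre-flight check of a sensor directory laid out as in the thread (`DIR/snort.conf` and `DIR/rules/snort.rules`) and then, if a `snort` binary is present, runs the same `snort -T` test Gogol asked for. The option-to-preprocessor table, the helper names and the sample sensor files are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from the pfSense Snort package: a static
# pre-flight check for a Snort sensor directory that lists active rules whose
# options depend on a preprocessor the sensor's snort.conf does not enable.
# That is the class of problem behind "Unknown rule option: 'dce_iface'".
# The option-to-preprocessor table is an assumption covering common Snort 2.9
# keywords; extend it for the rule sets you actually load.

# Rule option -> name on the matching "preprocessor NAME:" line in snort.conf.
OPTION_MAP='dce_iface:dcerpc2
dce_opnum:dcerpc2
dce_stub_data:dcerpc2
ssl_version:ssl
ssl_state:ssl
http_uri:http_inspect
http_header:http_inspect
http_client_body:http_inspect
uricontent:http_inspect
sip_method:sip
sip_header:sip
gtp_type:gtp
modbus_func:modbus
dnp3_func:dnp3'

# enabled_preprocessors CONF: names of the preprocessors configured (not
# commented out) in CONF, one per line.
enabled_preprocessors() {
    awk '/^[[:space:]]*preprocessor[[:space:]]/ { sub(/:.*/, "", $2); print $2 }' "$1" | sort -u
}

# check_rules_deps CONF RULES: print "LINE:OPTION:PREPROCESSOR" for each active
# rule in RULES that uses an option whose preprocessor is missing from CONF.
check_rules_deps() {
    conf=$1
    rules=$2
    enabled=$(enabled_preprocessors "$conf")
    printf '%s\n' "$OPTION_MAP" | while IFS=: read -r opt pre; do
        # an enabled preprocessor satisfies every option that maps to it
        if printf '%s\n' "$enabled" | grep -qx "$pre"; then
            continue
        fi
        # active rules start with an action keyword (disabled ones start with
        # '#'); the option is matched only at an option boundary (" opt:" / ";opt;")
        grep -nE "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*[[:space:](;]${opt}[[:space:]]*[:;]" "$rules" \
            | awk -F: -v o="$opt" -v p="$pre" '{ print $1 ":" o ":" p }'
    done
}

# count_missing CONF RULES: number of offending rules; 0 means this class of
# fatal error cannot occur at startup.
count_missing() {
    check_rules_deps "$1" "$2" | wc -l | tr -d ' '
}

# validate_sensor DIR IFACE: static check first, then the real test run from
# the thread (snort -T) if a snort binary is present on this box.
validate_sensor() {
    check_rules_deps "$1/snort.conf" "$1/rules/snort.rules"
    if command -v snort >/dev/null 2>&1; then
        snort -T -i "$2" -c "$1/snort.conf"
    fi
}

# make_samples DIR: write a constructed sensor directory (layout as in the
# thread: DIR/snort.conf and DIR/rules/snort.rules). The rules are placeholders,
# not real signatures; the dce_iface UUID is a dummy value.
make_samples() {
    mkdir -p "$1/rules"
    cat > "$1/snort.conf" <<'EOF'
# constructed snort.conf fragment: http_inspect enabled, dcerpc2 commented out
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }
# preprocessor dcerpc2: memcap 102400
EOF
    cat > "$1/rules/snort.rules" <<'EOF'
# constructed rules: line 2 needs dcerpc2, line 3 needs http_inspect, line 4 is disabled
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE dce rule"; flow:to_server,established; dce_iface:00000000-0000-0000-0000-000000000000; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE http rule"; flow:to_server,established; content:"/sample"; http_uri; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SAMPLE disabled dce rule"; dce_opnum:0; sid:9000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE plain rule"; itype:8; sid:9000004; rev:1;)
EOF
}

# Demonstration on the constructed sensor directory.
demo=$(mktemp -d)
make_samples "$demo"
echo "rules that need a disabled preprocessor (line:option:preprocessor):"
check_rules_deps "$demo/snort.conf" "$demo/rules/snort.rules"
echo "count: $(count_missing "$demo/snort.conf" "$demo/rules/snort.rules")"
rm -rf "$demo"
```

    On a real sensor, `validate_sensor /usr/local/etc/snort/snort_64222_pppoe0 pppoe0` reports the dependency problems first and then hands off to `snort -T`, whose last two lines should read "Snort successfully validated the configuration!" and "Snort exiting" when nothing is wrong. Running the static check after every rule update is what catches the case Bill describes, where a formerly disabled rule comes back enabled and Snort refuses to restart.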



  • Well, snort can be patched to skip such rules also.
    I am not sure why the snort guy made this a fatal error rather than a soft error.
    Just skipping the rule should be normal, and warn the user about it!!!

    Maybe it would be something to look at, patching snort with this.
    It's better to have a warning and snort running rather than no snort at all and just some cryptic error.


  • Exactly!



  • Well, I can sort of see the point from the Sourcefire guys' point of view.  The preprocessors are necessary for many, many rules to function properly.  If Snort just auto-magically ignored such potentially critical configuration errors, users would be blindly unaware that some portion of their rear end was hanging out there exposed… ;D (if you get my drift).  If Snort just started up, who among us will swear to always look at the log file just to see if there were any warnings? ... ;)

    My view is there is no harm in enabling all the preprocessors.  This way you don't get surprised.  In fact, with the latest update to the Snort Package, I made the default condition "enabled" for most of the preprocessors.  The exceptions were the port scan, sensitive data, and SCADA preprocessors.  Unless you run a really frugal box, I don't think there is much overhead in having the extra preprocessors enabled.

    What happened in the OP's case is that the new defaults I set only get used on a new Snort install with no previous saved settings.  I made sure the code respected any previous settings.  That can still bite folks who don't understand how Snort's rules engine and the preprocessors interact.

    If you want a taste of what could happen automatically behind your back with hidden auto-disable logic, run the following test.  Enable the Snort IPS-Security policy and then choose all the Emerging Threats Rules.  You can even throw in Snort GPLv2 if you want.  Make sure your box has at least 4 GB of RAM, though, before you try this test.  After selecting all these rules, go to the Preprocessors tab and uncheck all the preprocessors, click the Auto-Rule Disable checkbox, and then click Save to regenerate the enforcing rules file.  You should see the new View button appear where you can see the disabled rules.  Click that button and have a look at all the Alerts you would not see if Snort automatically ignored or fixed preprocessor dependency errors for you without telling you.

    The number from my test is 15,595 rules auto-disabled from the text rules, and then 50 of the required flowbit-dependent rules were also auto-disabled.  The vast majority of these were from the HTTP_INSPECT preprocessor being disabled, but there are still quite a few tied to the other preprocessors.  So the net result is 15,645 rules I thought I was using actually would get disabled behind my back if Snort did this by default.

    Bill



  • @ermal:

    Well, snort can be patched to skip such rules also.
    I am not sure why the snort guy made this a fatal error rather than a soft error.
    Just skipping the rule should be normal, and warn the user about it!!!

    Maybe it would be something to look at, patching snort with this.
    It's better to have a warning and snort running rather than no snort at all and just some cryptic error.

    But then people might think that Snort is protecting their system.
    I agree with Bill to enable by default most preprocessors. People can always disable them and you have to suppose that they know what they are doing. ;)

    Furthermore:

    Here is your problem:

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains…
    ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
    Fatal Error, Quitting..
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):

    Bill is soooooo fast!



  • @bmeeks:

    Here is your problem:

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ERROR: /usr/local/etc/snort/snort_64222_pppoe0/rules/snort.rules(1821) Unknown rule option: 'dce_iface'.
    Fatal Error, Quitting..
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2):
    
    

    This means you have no Preprocessors enabled, but you have enabled rules that need certain Preprocessors in order to function.  I made a post some time back that most users should enable pretty much all the Preprocessors to keep from shooting themselves in the foot.  You need to go to the Preprocessors tab in Snort and check all the boxes in the "General" section EXCEPT for "Sensitive Data". I suggest leaving that one disabled.

    Another alternative on the same tab, but it reduces the effectiveness of Snort, is to check the box that says "Auto-Rule Disable" up near the top.  That will automatically disable rules that need Preprocessors you do not have enabled.  However, this automatic rule disabling can leave your systems less than adequately protected.  It's there, though, for situations like this where the user does not want to have to sort out which Preprocessors are required for certain rules.

    Bill

    Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me  ;D



  • @Hollander:

    Thank you very, very, very much Bill; this appeared to be the problem; all is working well again. Thank you for helping me  ;D

    You are welcome.  The next Snort package that comes out will have some better "default behaviors" baked in with regards to these pesky preprocessors – at least on new, green-field installs.  For users with saved Snort settings that already had preprocessors explicitly disabled, they will still need to turn them on manually.

    Bill



  • Greetings, I hope you're all well. I registered to address that I have the same issue, however I don't use PPPoE and also have all the preprocessors ticked except the Sensitive Data box.

    The issue began after I re-installed the package to allow an update to 2.9.4.1 pkg v. 2.5.7

    The only logs coming through are:

    May 15 12:27:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    May 15 12:27:37 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    May 15 12:27:48 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    May 15 12:27:52 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
    May 15 12:27:56 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
    May 15 12:28:07 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…

    I'm still a relatively novice user but I messed about with the settings to try and get Snort to run but haven't had any luck yet. I appreciate your suggestions. :)



  • @Boags:

    Greetings, I hope you're all well. I registered to address that I have the same issue, however I don't use PPPoE and also have all the preprocessors ticked except the Sensitive Data box.

    The issue began after I re-installed the package to allow an update to 2.9.4.1 pkg v. 2.5.7

    The only logs coming through are:

    May 15 12:27:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    May 15 12:27:37 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    May 15 12:27:48 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    May 15 12:27:52 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
    May 15 12:27:56 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
    May 15 12:28:07 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…

    I'm still a relatively novice user but I messed about with the settings to try and get Snort to run but haven't had any luck yet. I appreciate your suggestions. :)

    Can you provide a little additional information?

    (1)  What version of pfSense (2.0.x or 2.1)?

    (2)  It would be helpful if you could capture the section of the system log where you start Snort and post it back here.

    Bill



  • @bmeeks:

    @Boags:

    Greetings, I hope you're all well. I registered to address that I have the same issue, however I don't use PPPoE and also have all the preprocessors ticked except the Sensitive Data box.

    The issue began after I re-installed the package to allow an update to 2.9.4.1 pkg v. 2.5.7

    The only logs coming through are:

    May 15 12:27:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    May 15 12:27:37 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    May 15 12:27:48 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    May 15 12:27:52 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
    May 15 12:27:56 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
    May 15 12:28:07 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…

    I'm still a relatively novice user but I messed about with the settings to try and get Snort to run but haven't had any luck yet. I appreciate your suggestions. :)

    Can you provide a little additional information?

    (1)  What version of pfSense (2.0.x or 2.1)?

    (2)  It would be helpful if you could capture the section of the system log where you start Snort and post it back here.

    Bill

    Hi Bill :)

    Version:
    2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:57 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    Here is the full system log after trying to start from the dashboard widget and then individually through Services > Snort:

    May 15 13:38:37 SnortStartup[25558]: Snort STOP for WAN(35288_bge0)…
    May 15 13:38:39 SnortStartup[30300]: Snort STOP for LAN(1238_bge1)…
    May 15 13:38:43 SnortStartup[34726]: Snort START for WAN(35288_bge0)…
    May 15 13:38:45 SnortStartup[36001]: Snort START for LAN(1238_bge1)…
    May 15 13:39:20 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...
    May 15 13:39:20 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    May 15 13:39:21 php: /snort/snort_interfaces.php: Toggle (snort starting) for LAN(LAN)...
    May 15 13:39:21 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    May 15 13:39:24 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    May 15 13:39:25 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    May 15 13:39:36 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    May 15 13:39:37 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    May 15 13:39:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
    May 15 13:39:40 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
    May 15 13:39:43 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
    May 15 13:39:45 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
    May 15 13:39:59 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
    May 15 13:40:00 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN…
    May 15 13:40:03 php: /snort/snort_interfaces.php: Snort START for WAN(bge0)...
    May 15 13:40:04 php: /snort/snort_interfaces.php: Snort START for LAN(bge1)...

    Also, some information about the hardware:
    CPU: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz
    4GB RAM

    Thank you :)



  • Probably because pppoe creates a new interface instead of current real_interface applied to WAN

    Instead of bge0, it should be pppoe0

    Maybe changes to the get_real_interface code in Snort to test the interface type may fix this issue.



  • I also need some help…
    Everything was working fine yesterday and today it seems to have turned itself off :(

    I tried to look for that snort.conf file you mentioned but for some reason I have 2 pppoe (sensor) folders and neither one has a config file?




  • @Deadringers:

    I also need some help…
    Everything was working fine yesterday and today it seems to have turned itself off :(

    I tried to look for that snort.conf file you mentioned but for some reason I have 2 pppoe (sensor) folders and neither one has a config file?

    Your dir has pppoe config files but your log shows snort trying on bge0 ???
    Maybe this bug is close to being identified and fixed.



  • @marcelloc:

    @Deadringers:

    I also need some help…
    Everything was working fine yesterday and today it seems to have turned itself off :(

    I tried to look for that snort.conf file you mentioned but for some reason I have 2 pppoe (sensor) folders and neither one has a config file?

    Your dir has pppoe config files but your log shows snort trying on bge0 ???
    Maybe this bug is close to being identified and fixed.

    Did you get me confused with Boags? :)



  • hmm well I seem to have "fixed" my issue of snort not launching…

    I completely un-installed snort and then re-installed it.

    working now with all the rules I had before!?



  • @marcelloc:

    Probably because pppoe creates a new interface instead of current real_interface applied to WAN

    Instead of bge0, it should be pppoe0

    Maybe changes to the get_real_interface code in Snort to test the interface type may fix this issue.

    Not sure how I can change this?

    I did generate additional online gateways (which I can't seem to remove) while creating a static connection before this update, could that be causing issues for snort? - note these additions were a few weeks ago and there were no issues prior to the v. 2.5.7 update. -

    @Deadringers:

    hmm well I seem to have "fixed" my issue of snort not launching…

    I completely un-installed snort and then re-installed it.

    working now with all the rules I had before!?

    I gave un-installing and re-installing a go. That does nothing for me.

    Cheers :)



  • @Boags:

    @marcelloc:

    Probably because pppoe creates a new interface instead of current real_interface applied to WAN

    Instead of bge0, it should be pppoe0

    Maybe changes to the get_real_interface code in Snort to test the interface type may fix this issue.

    Not sure how I can change this?

    I did generate additional online gateways (which I can't seem to remove) while creating a static connection before this update, could that be causing issues for snort? - note these additions were a few weeks ago and there were no issues prior to the v. 2.5.7 update. -

    @Deadringers:

    hmm well I seem to have "fixed" my issue of snort not launching…

    I completely un-installed snort and then re-installed it.

    working now with all the rules I had before!?

    I gave un-installing and re-installing a go. That does nothing for me.

    Cheers :)

    Determination of the interface on 2.0.x and higher installs with PPPoE gets to be tricky.  I'm no expert on the internal workings of pfSense, but I do remember seeing in the code where one of the previous developers hard-coded a "ng0" interface when the Snort code detects PPPoE.  Perhaps one of the core team developers familiar with how PPPoE maps to interfaces on FreeBSD 8.1 and higher can chime in here.  I will be happy to fix the Snort code, but I don't know exactly how best to do that with PPPoE.  I no longer have a PPPoE setup of my own since I abandoned DSL for my residence and switched over to a cable modem connection that uses DHCP.

    Bill



  • @bmeeks:

    @Boags:

    @marcelloc:

    Probably because pppoe creates a new interface instead of current real_interface applied to WAN

    Instead of bge0, it should be pppoe0

    Maybe changes to the get_real_interface code in Snort to test the interface type may fix this issue.

    Not sure how I can change this?

    I did generate additional online gateways (which I can't seem to remove) while creating a static connection before this update, could that be causing issues for snort? - note these additions were a few weeks ago and there were no issues prior to the v. 2.5.7 update. -

    @Deadringers:

    hmm well I seem to have "fixed" my issue of snort not launching…

    I completely un-installed snort and then re-installed it.

    working now with all the rules I had before!?

    I gave un-installing and re-installing a go. That does nothing for me.

    Cheers :)

    Determination of the interface on 2.0.x and higher installs with PPPoE gets to be tricky.  I'm no expert on the internal workings of pfSense, but I do remember seeing in the code where one of the previous developers hard-coded a "ng0" interface when the Snort code detects PPPoE.  Perhaps one of the core team developers familiar with how PPPoE maps to interfaces on FreeBSD 8.1 and higher can chime in here.  I will be happy to fix the Snort code, but I don't know exactly how best to do that with PPPoE.  I no longer have a PPPoE setup of my own since I abandoned DSL for my residence and switched over to a cable modem connection that uses DHCP.

    Bill

    Hi Bill, I also have a cable modem connection that uses DHCP. I've never connected a DSL / PPPoE line to pfSense before.

    Cheers :)



  • @Boags:

    Hi Bill, I also have a cable modem connection that uses DHCP. I've never connected a DSL / PPPoE line to pfSense before.

    Cheers :)

    OK, I think I'm confused.  Did you mean in your original post that you do not think Snort is running?  And according to this last post you have DHCP with a cable modem on the WAN.  If I have those two assumptions correct, then I'm back on track.  Got sidetracked maybe with the PPPoE stuff ..  ???

    From the log snippet you posted originally, it appears Snort is up and running on two interfaces (LAN and WAN).  Your logs are sorted in normal order with the oldest events listed first. The bottom two entries show Snort starting up.  How are you determining Snort is not actually running?  If you are depending on the icon in the Snort Interfaces tab, note that they are currently "backwards" from the other pfSense GUI.  The red X means "running".  That will be changing in the next package version so it more accurately matches the rest of the pfSense GUI.

    Bill



  • @bmeeks:

    @Boags:

    Hi Bill, I also have a cable modem connection that uses DHCP. I've never connected a DSL / PPPoE line to pfSense before.

    Cheers :)

    OK, I think I'm confused.  Did you mean in your original post that you do not think Snort is running?  And according to this last post you have DHCP with a cable modem on the WAN.  If I have those two assumptions correct, then I'm back on track.  Got sidetracked maybe with the PPPoE stuff ..  ???

    From the log snippet you posted originally, it appears Snort is up and running on two interfaces (LAN and WAN).  Your logs are sorted in normal order with the oldest events listed first. The bottom two entries show Snort starting up.  How are you determining Snort is not actually running?  If you are depending on the icon in the Snort Interfaces tab, note that they are currently "backwards" from the other pfSense GUI.  The red X means "running".  That will be changing in the next package version so it more accurately matches the rest of the pfSense GUI.

    Bill

    That's correct Bill.

    It would appear from the system log that Snort is actually running; however, RAM usage (always below 10%), the widget icon (showing that Snort is not running) and the lack of blocking alerts indicate otherwise. Snort doesn't seem to turn on, not even initially.

    Things I've tried since my last post: I was able to remove the additional gateways in routing, I turned off 'save settings' in Snort and then uninstalled and re-installed the package with fresh default settings. No luck.

    Cheers :)



  • @Boags:

    That's correct Bill.

    It would appear from the system log that Snort is actually running; however, RAM usage (always below 10%), the widget icon (showing that Snort is not running) and the lack of blocking alerts indicate otherwise. Snort doesn't seem to turn on, not even initially.

    Things I've tried since my last post: I was able to remove the additional gateways in routing, I turned off 'save settings' in Snort and then uninstalled and re-installed the package with fresh default settings. No luck.

    Cheers :)

    OK, from a command prompt on the firewall, execute this command and see what it shows:

    
    ps -ax |grep snort
    
    

    The above command should show two running Snort processes with the associated command-line arguments.

    Post back with what it shows, if anything.

    As for RAM usage, unless you have a lot of traffic coming through your box, RAM usage may very well stay down in that range.  I have 4GB in my firewall and my RAM usage on my home network rarely exceeds 10%-14%.

    Bill



  • @bmeeks:

    @Boags:

    That's correct Bill.

    It would appear from the system log that Snort is actually running; however, RAM usage (always below 10%), the widget icon (showing that Snort is not running) and the lack of blocking alerts indicate otherwise. Snort doesn't seem to turn on, not even initially.

    Things I've tried since my last post: I was able to remove the additional gateways in routing, I turned off 'save settings' in Snort and then uninstalled and re-installed the package with fresh default settings. No luck.

    Cheers :)

    OK, from a command prompt on the firewall, execute this command and see what it shows:

    
    ps -ax |grep snort
    
    

    The above command should show two running Snort processes with the associated command-line arguments.

    Post back with what it shows, if anything.

    As for RAM usage, unless you have a lot of traffic coming through your box, RAM usage may very well stay down in that range.  I have 4GB in my firewall and my RAM usage on my home network rarely exceeds 10%-14%.

    Bill

    Alright, this is the result:

    $ ps -ax |grep snort
    58727  ??  S      0:00.00 sh -c ps -ax |grep snort
    59007  ??  S      0:00.00 grep snort

    Also to note, previously when Snort was always running, I never got below 90% memory. I also leave it on 24-7 so that it gathers a solid blocked hosts list. The performance setting I go with is AC-STD for both WAN and LAN.

    Cheers :)



  • @Boags:

    Alright, this is the result:

    $ ps -ax |grep snort
    58727  ??  S      0:00.00 sh -c ps -ax |grep snort
    59007  ??  S      0:00.00 grep snort

    Also to note, previously when Snort was always running, I never got below 90% memory. I also leave it on 24-7 so that it gathers a solid blocked hosts list. The performance setting I go with is AC-STD for both WAN and LAN.

    Cheers :)

    OK.  Snort is obviously not running.  I'm not familiar with the bge0 or bge1 driver, but a quick Google search suggests a relatively standard Broadcom NIC, and since your basic networking is working, it has to be something else.

    Let's try some really basic steps first, just in case you might have overlooked something.  Follow the steps in this post.  The sequence of some of the actions is very important in order for a proper snort.conf file to get created.

    http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

    For testing purposes, select only the Emerging Threats CIARMY rule set to start with.  Let's see if we can get Snort to run at all before we start throwing more complicated rules at it.

    Double check your system logs for a SIGNAL from Snort such as "snort exited on SIGNAL 11" or some other similar message.  It is really weird for Snort to just die with no message to the system log and not even any zombie processes left in the process list.

    I think you posted earlier that you had done the complete delete and reinstall of the Snort package, but if not, try that process.

    Are any other packages installed in the box?  There was a library conflict with this version of the Snort binary and another package reported by a user a few weeks back.  I don't remember off the top of my head the name of the other conflicting package, but it installed a library Snort did not like.  Of course that user was getting an error logged on startup that helped identify the problem.

    Bill



  • @bmeeks:

    @Boags:

    Alright, this is the result:

    $ ps -ax |grep snort
    58727  ??  S      0:00.00 sh -c ps -ax |grep snort
    59007  ??  S      0:00.00 grep snort

    Also to note, previously when Snort was always running, I never got below 90% memory. I also leave it on 24-7 so that it gathers a solid blocked hosts list. The performance setting I go with is AC-STD for both WAN and LAN.

    Cheers :)

    OK.  Snort is obviously not running.  I'm not familiar with the bge0 or bge1 driver, but a quick Google search suggests a relatively standard Broadcom NIC, and since your basic networking is working, it has to be something else.

    Let's try some really basic steps first, just in case you might have overlooked something.  Follow the steps in this post.  The sequence of some of the actions is very important in order for a proper snort.conf file to get created.

    http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

    For testing purposes, select only the Emerging Threats CIARMY rule set to start with.  Let's see if we can get Snort to run at all before we start throwing more complicated rules at it.

    Double check your system logs for a SIGNAL from Snort such as "snort exited on SIGNAL 11" or some other similar message.  It is really weird for Snort to just die with no message to the system log and not even any zombie processes left in the process list.

    I think you posted earlier that you had done the complete delete and reinstall of the Snort package, but if not, try that process.

    Are any other packages installed in the box?  There was a library conflict with this version of the Snort binary and another package reported by a user a few weeks back.  I don't remember off the top of my head the name of the other conflicting package, but it installed a library Snort did not like.  Of course that user was getting an error logged on startup that helped identify the problem.

    Bill

    Alright, I went through the basic steps while only enabling emerging-ciarmy.rules and the system log still has no message.

    The other packages I have installed are: arpwatch, pfBlocker and Dashboard Widget: Snort.

    Cheers :)



  • @Boags:

    Alright, I went through the basic steps while only enabling emerging-ciarmy.rules and the system log still has no message.

    The other packages I have installed are: arpwatch, pfBlocker and Dashboard Widget: Snort.

    Cheers :)

    At this point I'm pretty much baffled.  The next troubleshooting steps will all have to be command-line stuff.

    Change to the directory where one of your Snort interface configurations exists, and run the series of commands shown below.

    First validate the version of Snort:

    
    /usr/local/bin/snort -V
    
    

    It should print "Version 2.9.4.1" as part of the output.  Next, validate the configuration file.

    
    /usr/local/bin/snort -T -c ./snort.conf
    
    

    The above will validate the local configuration.  It should print several lines of output and at the end indicate the configuration file is OK.  Next, try running Snort with no rules at all.  In the configuration directory for one of your configured interfaces, execute the following commands to wipe out the rules files and create empty ones and then start Snort.  Execute these commands in the order listed.

    
    rm snort.rules
    rm flowbit-required.rules
    touch snort.rules
    touch flowbit-required.rules
    /usr/local/etc/rc.d/snort.sh start
    
    

    The above commands should result in Snort starting on that interface with an empty rule set.  To verify it is running, execute this command.

    
    ps -ax |grep snort
    
    

    You should see an active Snort process with some command-line arguments displayed in the far-right column.  If you do, then Snort started successfully.  Let it run a few minutes, and keep checking with the same "ps" command periodically to verify it continues to run.

    If the above test still does not result in a running Snort process, then something more fundamental is wrong on your box and you might consider a total wipe-and-reload operation.

    Bill



  • @bmeeks:

    @Boags:

    Alright, I went through the basic steps while only enabling emerging-ciarmy.rules and the system log still has no message.

    The other packages I have installed are: arpwatch, pfBlocker and Dashboard Widget: Snort.

    Cheers :)

    At this point I'm pretty much baffled.  The next troubleshooting steps will all have to be command-line stuff.

    Change to the directory where one of your Snort interface configurations exists, and run the series of commands shown below.

    First validate the version of Snort:

    
    /usr/local/bin/snort -V
    
    

    It should print "Version 2.9.4.1" as part of the output.  Next, validate the configuration file.

    
    /usr/local/bin/snort -T -c ./snort.conf
    
    

    The above will validate the local configuration.  It should print several lines of output and at the end indicate the configuration file is OK.  Next, try running Snort with no rules at all.  In the configuration directory for one of your configured interfaces, execute the following commands to wipe out the rules files and create empty ones and then start Snort.  Execute these commands in the order listed.

    
    rm snort.rules
    rm flowbit-required.rules
    touch snort.rules
    touch flowbit-required.rules
    /usr/local/etc/rc.d/snort.sh start
    
    

    The above commands should result in Snort starting on that interface with an empty rule set.  To verify it is running, execute this command.

    
    ps -ax |grep snort
    
    

    You should see an active Snort process with some command-line arguments displayed in the far-right column.  If you do, then Snort started successfully.  Let it run a few minutes, and keep checking with the same "ps" command periodically to verify it continues to run.

    If the above test still does not result in a running Snort process, then something more fundamental is wrong on your box and you might consider a total wipe-and-reload operation.

    Bill

    I think we found the problem: while trying to execute the first few commands, it resulted in the following message: /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

    I have no idea how a shared object went missing. Where do we go from here?

    Cheers :)



  • @Boags:

    I think we found the problem: while trying to execute the first few commands, it resulted in the following message: /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

    Try to find what version of libpcap you have on your system.

    find / -name "libpcap.so*"
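    As an added example (not code from this thread, the pfSense package or Snort), the shell helpers below cover the two checks the troubleshooting above hinges on: telling a real Snort process apart from the `grep` and `sh -c` lines that `ps -ax |grep snort` itself produces, and pulling the missing library name out of the ld-elf.so.1 error (or `ldd` output) before searching for it the way the last reply suggests. All sample output is constructed, modelled on what was posted.

```shell
#!/bin/sh
# Added helpers for the troubleshooting steps in this thread (not pfSense or
# Snort package code). They read captured command output on stdin, so they
# can be exercised offline with the constructed samples at the bottom.

# Print only genuine Snort processes from `ps -ax` output. Field 5 is the
# command; `grep snort` and `sh -c ps -ax |grep snort` carry "grep" / "sh"
# there, which is what made the poster's empty result easy to misread.
real_snort_procs() {
    awk '{ n = split($5, p, "/") } p[n] == "snort" { print }'
}

# Exit 0 if at least one real Snort process is present in the ps output.
snort_is_running() {
    real_snort_procs | grep -q .
}

# Print each shared object the dynamic linker could not resolve, from either
# an ld-elf.so.1 error line or `ldd /usr/local/bin/snort` output.
missing_shared_objects() {
    awk '/=> not found/ { print $1 }
         /Shared object ".*" not found/ {
             if (match($0, /"[^"]+"/)) print substr($0, RSTART + 1, RLENGTH - 2)
         }'
}

# List candidate files for a reported library name under a search root
# (/ on the firewall, as in the last reply; a temp tree in the self-test).
find_library_candidates() {
    base="${1%%.so*}"                        # libpcap.so.1 -> libpcap
    find "$2" -name "${base}.so*" 2>/dev/null
}

# Constructed samples modelled on the thread's output (not real captures).
SAMPLE_PS_IDLE='58727  ??  S      0:00.00 sh -c ps -ax |grep snort
59007  ??  S      0:00.00 grep snort'
SAMPLE_PS_RUNNING="$SAMPLE_PS_IDLE
12345  ??  Ss     0:01.23 /usr/local/bin/snort -D -q -l /var/log/snort -i bge0 -c ./snort.conf"
SAMPLE_LOADER_ERROR='/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"'

if printf '%s\n' "$SAMPLE_PS_IDLE" | snort_is_running; then
    echo "unexpected: idle sample looks like a running Snort"
fi
printf '%s\n' "$SAMPLE_PS_RUNNING" | real_snort_procs           # prints the snort line only
printf '%s\n' "$SAMPLE_LOADER_ERROR" | missing_shared_objects   # libpcap.so.1
```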

