Snort not working on 2.1 RC0



  • I have previously tried to run Snort (v 2.5.7) on 2.1 RC0 May 28 build and I was having a problem. Someone said it could be my settings. So now I have done another clean setup of 2.03 and 2.1 using another computer using all default setup with one LAN and one WAN. The 2.1 RC0 was the May 30 build. The 2.03 was the most recent version. I then installed Snort (2.9.4.1 pkg v. 2.5.8) on both. The WAN interface was added with AC-STD performance settings. The box "Use IPS Policy" was checked in WAN Categories. Everything else was default. On 2.03, Snort worked like a charm. On 2.1 RC0, the WAN interface immediately got cut off once Snort was started. I looked into the system log and I saw that the system kept trying to establish the WAN IP address. I have tried both DHCP and static IP on WAN with the same result. I really don't think it is a problem of settings unless 2.10 RC0 requires you to do some special setup in Snort. I have attached the system log. Anybody else having a problem with Snort on 2.1 RC0, please add your comment. Or if you have gotten it to work, please let me know what I need to do. Thanks.
    [System Snort Install Log.txt](/public/imported_attachments/1/System Snort Install Log.txt)



  • @bbqrooster:

    I have previously tried to run Snort (v 2.5.7) on 2.1 RC0 May 28 build and I was having a problem. Someone said it could be my settings. So now I have done another clean setup of 2.03 and 2.1 using another computer using all default setup with one LAN and one WAN. The 2.1 RC0 was the May 30 build. The 2.03 was the most recent version. I then installed Snort (2.9.4.1 pkg v. 2.5.8) on both. The WAN interface was added with AC-STD performance settings. The box "Use IPS Policy" was checked in WAN Categories. Everything else was default. On 2.03, Snort worked like a charm. On 2.1 RC0, the WAN interface immediately got cut off once Snort was started. I looked into the system log and I saw that the system kept trying to establish the WAN IP address. I have tried both DHCP and static IP on WAN with the same result. I really don't think it is a problem of settings unless 2.10 RC0 requires you to do some special setup in Snort. I have attached the system log. Anybody else having a problem with Snort on 2.1 RC0, please add your comment. Or if you have gotten it to work, please let me know what I need to do. Thanks.

    These log messages really look like fundamental NIC driver issues and not related directly to Snort.  To test, stop the Snort service (on both interfaces, if you have it running on both).  See if the box remains stable with Snort stopped.  Also, check the logs during the test to see if the same sort of new WAN IP messages keep appearing.

    I have Snort running on two different 2.1 virtual machines (32-bit and 64-bit), and both have DHCP configured on the WAN side for the IP address.  I have not seen this issue.  With my VMs, the Intel e1000 NIC driver is being used (em0 is the driver name in FreeBSD).  My VMs are running one of the latest 2.1-BETA snapshots and not 2.1-RC0.  I can update and test with that this weekend.

    Bill



  • The 2.1 RC0 worked flawlessly before Snort was installed and started. I also stopped and removed the Snort package and the router worked without problem after a reboot. As a result I don't think it was the driver. By the way, the WAN NIC is an Intel 10/100 Ethernet adapter. I am including the screenshots of the dashboard before and after Snort activation. What day code is your 2.1 Beta and what settings do you have on Snort?

    ![Dashboard before Snort.jpg](/public/imported_attachments/1/Dashboard before Snort.jpg)
    ![Dashboard after Snort.jpg](/public/imported_attachments/1/Dashboard after Snort.jpg)



  • @bbqrooster:

    What day code is your 2.1 Beta and what settings do you have on Snort?

    Both VMs had a 2.1-BETA from about May 23rd or so.  Don't remember exactly off the top of my head.

    They both were configured with Snort VRT rules using the "IPS Connectivity" policy. I have also run them with "IPS Balanced" and even "IPS Security" in the past.

    I will update to the RC0 version over the weekend and see if I have any problems.  I use VMware Workstation for testing with a variety of Snort installations on pfSense (2.0.3 and 2.1).

    Bill



  • Just updated one of my 2.1-BETA snapshot VMs to 2.1RC0.  WAN IP is via DHCP and Snort is running with the "IPS Connectivity" policy configured.  So far no issues noticed, but I will keep it running.  Snort is running and blocking.  Notice in the screenshot of the main page that I have the Snort Dashboard Widget enabled and it is showing an Alert and block on a current event (5/31/2013).  Again, this is VMware Workstation and pfSense is using the e1000 NIC driver.  Don't know if that is your issue or not.  Could also be a library issue.  What other packages do you have installed?

    Here are screenshots of the main page and the Snort config –






  • bmeeks, thank you so much. I'll try a different NIC card (therefore a different driver) to see if I can get it to work. I'll try to run it in a virtual machine too. I have no other packages installed other than Snort. It was a very minimal install and I was using a very common Intel 10/100 NIC card. That's why I was so puzzled about it.



  • @bbqrooster:

    bmeeks, thank you so much. I'll try a different NIC card (therefore a different driver) to see if I can get it to work. I'll try to run it in a virtual machine too. I have no other packages installed other than Snort. It was a very minimal install and I was using a very common Intel 10/100 NIC card. That's why I was so puzzled about it.

    There are a few other posts in the RC0 Snapshot thread about flakiness with WAN interfaces, but none of them mention Snort.

    Bill



  • Ok, I think I have gotten to the bottom of this issue with Snort. As you have suggested, it is a NIC driver issue. I have tested a few other NIC cards as the WAN interface. Here are the findings:

    pfSense 2.1 RC0 (i386) May 30 build with Snort 2.9.4.1 v 2.5.8
    Non-working NIC - Intel 729757-005, 721383-008 using fxp0 driver
    Working NIC - Netgear FA311 (NatSemi chip) using sis0, on-board Realtek NIC using re0

    pfsense 2.03 with Snort 2.9.4.1 v 2.5.8
    All 4 NICs work

    I have also tried pfsense 2.1 RC0 amd64. Same problem with the Intel NIC cards.

    So the problem is the combination of pfSense 2.1 RC0, Snort 2.9.4.1 and the Intel NIC driver. I hope someone will take a look at this.

    Bill, thanks for your assistance in finding out this problem.



  • I found another NIC card in my junk box. It is an SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.



  • @bbqrooster:

    I found another NIC card in my junk box. It is an SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.

    Glad you found the problem, but it is surprising the Intel NIC driver has issues.  They are usually pretty stable.  I can't imagine what Snort does to it unless it is the switch to promiscuous mode that triggers the problem.  Snort does do that (switch the NIC to promiscuous mode, that is) at startup.

    Bill



  • @bmeeks:

    @bbqrooster:

    I found another NIC card in my junk box. It is an SMC 9452TX based on the Marvell 88E8803 chipset. It also works with pfSense 2.1 RC0 and Snort. It looks like of all the NIC cards that I have, only the Intel ones are not working. I guess it was my luck to pick the Intel NIC to use with pfSense 2.1 and Snort.

    Glad you found the problem, but it is surprising the Intel NIC driver has issues.  They are usually pretty stable.  I can't imagine what Snort does to it unless it is the switch to promiscuous mode that triggers the problem.  Snort does do that (switch the NIC to promiscuous mode, that is) at startup.

    Bill

    Having the same problem since the 2.1RC0 update. Worked without any problems on 2.0.3 before.
    pfSense runs on a VMware machine with em network drivers.
    I think I remember a "promiscuous mode" switch in the VMware config. Perhaps this is the problem. I'll try it later...


  • From a security standpoint, you shouldn't run promiscuous mode on the vSwitch under any circumstance whatsoever!



  • I know. Therefore I had switched promiscuous mode off  ;D
    This is a VMware installation for testing. I want to have a running pfSense installation with Snort, so we have to hunt down the bug somehow. And promiscuous mode seemed to be a hint at first.



  • @Mitterwald:

    I know. Therefore I had switched promiscuous mode off  ;D
    This is a VMware installation for testing. I want to have a running pfSense installation with Snort, so we have to hunt down the bug somehow. And promiscuous mode seemed to be a hint at first.

    There is absolutely no difference at all in the Snort package between 2.0.3 and 2.1.  Any changes are within the 2.1 core code of pfSense itself.  I do know since 2.1 is based on FreeBSD 8.3 instead of 8.1 that some drivers are different or updated in 2.1.

    Now another user having a "flapping WAN IP problem" where the interface kept coming up and down discovered it was actually a whitelist/Spoink issue.  He did not have his WAN IP ticked and included in the whitelist being used on the WAN interface, so any alerts were causing his WAN IP to get blocked.  This kicked off the process of "WAN IP changed".  That's possibly due to gateway monitoring, but that's just a guess.

    Anyway, ticking the box for "WAN IP" in the whitelist fixed his problem.  This area of Snort did change a tad from 2.5.7 to 2.5.8.  Formerly, 2.5.7 and earlier packages would automatically whitelist the entire WAN subnet.  This was not a good idea!  So in 2.5.8 this was changed so Snort only automatically whitelists the WAN IP and the default gateway, but you still have to tick the checkboxes on the whitelist (if you make a custom one).  If you leave the whitelist set for "default", then the WAN IP, default gateway, VPN IPs, and any Virtual IPs are automatically included.

    Bill
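To make the whitelist mechanism Bill describes concrete, here is an added example (not code from the Snort package or pfSense) that models how a custom whitelist without the "WAN IP" box ticked lets an alert block the firewall's own WAN address, while the default whitelist does not. The dict keys, the "block both endpoints" rule and all addresses are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample addresses, not taken from the thread.
WAN_IP = "203.0.113.10"
GATEWAY = "203.0.113.1"
ATTACKER = "198.51.100.77"


def build_whitelist(wan_ip, gateway, vpn_ips=(), virtual_ips=(), custom=None):
    """Model of the pkg 2.5.8 whitelist behaviour described in the thread.

    custom=None is the 'default' whitelist: WAN IP, default gateway, VPN IPs
    and Virtual IPs are all included automatically.  A custom whitelist holds
    only what the admin ticked or typed in.  The dict keys used here are
    illustrative, not the package's real configuration names.
    """
    if custom is None:
        entries = [wan_ip, gateway, *vpn_ips, *virtual_ips]
    else:
        entries = list(custom.get("addresses", []))
        if custom.get("include_wan_ip"):
            entries.append(wan_ip)
        if custom.get("include_gateway"):
            entries.append(gateway)
    return {ipaddress.ip_address(e) for e in entries}


def ips_to_block(alert_src, alert_dst, whitelist):
    """Endpoints of an alert that a Spoink-style block would act on.

    Simplified model with 'both' endpoints selected: each address on the
    alert is a block candidate unless it is on the whitelist.
    """
    return [ip for ip in (alert_src, alert_dst)
            if ipaddress.ip_address(ip) not in whitelist]


def wan_ip_at_risk(wan_ip, alert_src, alert_dst, whitelist):
    """True when an alert touching the WAN IP would block the firewall itself."""
    return wan_ip in ips_to_block(alert_src, alert_dst, whitelist)


if __name__ == "__main__":
    default_wl = build_whitelist(WAN_IP, GATEWAY)
    custom_wl = build_whitelist(WAN_IP, GATEWAY, custom={
        "addresses": ["192.0.2.5"], "include_wan_ip": False, "include_gateway": True})
    for name, wl in (("default", default_wl), ("custom, WAN IP unticked", custom_wl)):
        print(name, "->", ips_to_block(ATTACKER, WAN_IP, wl),
              "| WAN IP at risk:", wan_ip_at_risk(WAN_IP, ATTACKER, WAN_IP, wl))
```

Running it shows the default whitelist blocking only the remote address, while the custom whitelist with "WAN IP" unticked also blocks 203.0.113.10, the condition that produced the "WAN IP changed" loop Bill mentions.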



  • Just did an update to the current RC0 snapshot and uninstalled Snort and installed it again.
    The config still remained on my pfSense.

    But now it seems to work again. WAN is up for over 30 minutes now, already blocked several attackers.
    So seems ok for me again.

    P.S.: I didn't change any VMware settings up to now.



  • @Mitterwald:

    Just did an update to the current RC0 snapshot and uninstalled Snort and installed it again.
    The config still remained on my pfSense.

    But now it seems to work again. WAN is up for over 30 minutes now, already blocked several attackers.
    So seems ok for me again.

    P.S.: I didn't change any VMware settings up to now.

    Some things changed in the latest snapshot of the RC0 release.  I have not investigated what changed, but I did notice my test 2.1RC0 box was prompting me about an update.

    Bill