Many errors in log. Snort related?



  • Hi guys,

    I have noticed quite a large number of errors which look like this:

    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'

    Yesterday I was playing with Snort. I suspect it doesn't block the suspicious traffic. I have "Remove Blocked Hosts Interval" set to NEVER and have activated "Block Offenders". I can see many alerts, but no entries in Blocked.

    Could the above errors be the reason for such behaviour? How do I fix both?



  • @abadonna:

    Hi guys,

    I have noticed quite a large number of errors which look like this:

    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
    php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'

    Yesterday I was playing with Snort. I suspect it doesn't block the suspicious traffic. I have "Remove Blocked Hosts Interval" set to NEVER and have activated "Block Offenders". I can see many alerts, but no entries in Blocked.

    Could the above errors be the reason for such behaviour? How do I fix both?

    I don't think Snort is your problem here.  Something is wrong elsewhere.  Based on the errors above, I'm guessing the firewall is being frequently cycled due to some issue.  The cycling clears the block tables.  Think of it as a sort of reboot of the box.  Snort's table is one of those that can get cleared in this process.  That could account for why you are not seeing blocks listed.  If you have the alerts, then Snort saw the traffic and likely inserted a block (or at least tried to).

    One question, are you using IPv6 addresses or only IPv4?

    Bill



  • No. I do not use IPv6. I have enabled only IPv4.
    I have restarted my router a few times, but the behaviour stays the same.



  • And some updates…

    It looks like snort works fine, since I have alerts (attached).

    Unfortunately there is nothing in Blocked tab. There is nothing in snort2c table.
    Snort's Remove Blocked Hosts Interval is set to Never, and it is supposed to block both IPs.

    Please help.




  • @abadonna:

    And some updates…

    It looks like snort works fine, since I have alerts (attached).

    Unfortunately there is nothing in Blocked tab. There is nothing in snort2c table.
    Snort's Remove Blocked Hosts Interval is set to Never, and it is supposed to block both IPs.

    Please help.

    How do you have Snort configured to block?  Is it set to block SRC, DST or BOTH?  I suggest BOTH.  If you have it set to DST, and DST is your WAN, then your WAN is in the auto-whitelist and thus will never get blocked.  Since you obscured the DST IP addresses in your screenshot, I assume that is your own IP address.

    Bill



  • It is set to block both.



  • @abadonna:

    It is set to block both.

    Remember that anything that causes pfSense to execute the filter_reload process will wipe out the block table.

    Try this if you want to see if Snort is blocking.  Go to https://www.grc.com/shieldsup and let it scan your IP.  Open two browser tabs:  one to your firewall interface with the Snort ALERTS tab, and one to the link I provided.  As the scan is in progress, periodically refresh the ALERTS tab page.  Look at the BLOCKED tab as well.  You should see the GRC site listed there.

    Bill
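    As an added check for the two points Bill makes in this thread (the repeated filter sync errors, and a filter reload wiping the block table), here is a small POSIX shell script. It is example code written for this thread, not pfSense or Snort project code. It assumes the log lines carry the syslog prefix shown in its constructed sample, that `/tmp/rules.limiter` is the generated limiter rule file named in the error, and that the Snort block table is the pf table `snort2c` mentioned above, listed with `pfctl -t snort2c -T show`. Exit code 65 is `EX_DATAERR` from sysexits.h, meaning ipfw rejected the generated rule file as malformed at the line it names, which points at the limiter configuration rather than at Snort.

```shell
#!/bin/sh
# Added example for this thread (not pfSense or Snort code): triage the
# rc.filter_configure_sync / ipfw limiter errors from the system log and
# check whether Snort's block table (pf table "snort2c") still has entries.

# Constructed sample log in the same shape as the lines posted above.
# Timestamps, the hostname "fw" and the sshd line are made up.
sample_log() {
    cat <<'EOF'
Jan 10 10:01:02 fw php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
Jan 10 10:01:02 fw php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
Jan 10 10:04:30 fw sshd[1234]: Accepted publickey for admin from 192.0.2.10
Jan 10 10:05:16 fw php: rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: burst: invalid argument'
EOF
}

# Count filter-sync failures on stdin. Exit code 65 is EX_DATAERR from
# sysexits.h: ipfw refused the generated rule file as malformed.
count_limiter_errors() {
    grep -c "rc.filter_configure_sync: .* returned exit code '65'" || true
}

# Extract the rule-file line number(s) ipfw complained about ("Line 2").
failing_limiter_lines() {
    sed -n "s/.*the output was 'Line \([0-9][0-9]*\):.*/\1/p" | sort -u
}

# Count addresses in a pf table listing on stdin. "pfctl -T show" prints
# one address per line; a blank or empty listing counts as 0.
count_table_entries() {
    grep -c '[0-9a-fA-F]' || true
}

main() {
    echo "limiter errors in sample log: $(sample_log | count_limiter_errors)"
    for n in $(sample_log | failing_limiter_lines); do
        echo "ipfw rejected line $n of /tmp/rules.limiter"
        # On the firewall itself, show the offending line of the generated file.
        if [ -r /tmp/rules.limiter ]; then
            sed -n "${n}p" /tmp/rules.limiter
        fi
    done
    # Live check, only on a box that has pf: an empty snort2c table right
    # after a burst of filter_configure_sync errors points at the reload
    # clearing the blocks rather than Snort never inserting them.
    if command -v pfctl >/dev/null 2>&1; then
        echo "snort2c entries: $(pfctl -t snort2c -T show 2>/dev/null | count_table_entries)"
    else
        echo "pfctl not available here; run on the pfSense box for the live table check"
    fi
}

main
```

    On the firewall, pipe the real system log into `count_limiter_errors` and `failing_limiter_lines` instead of `sample_log`; if the error count keeps climbing while `snort2c` stays empty, the reload is the thing to chase, exactly as Bill describes.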

