HAVP + Snort: connect() failed: Operation not permitted



  • Current setup

    pfSense 2.1-RELEASE (i386)
    FreeBSD 8.3-RELEASE-p11
    snort 	2.9.5.5 pkg v3.0.3
    HAVP antivirus 	0.91_1 pkg v1.01
    squid 	Network 	2.7.9 pkg v.4.3.3
    
    

    Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
    The system log files show

    Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
    Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
    Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
    Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
    Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
    Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted
    
    

    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
    Was this ever fixed?



  • @Zosimo:

    Current setup

    pfSense 2.1-RELEASE (i386)
    FreeBSD 8.3-RELEASE-p11
    snort 	2.9.5.5 pkg v3.0.3
    HAVP antivirus 	0.91_1 pkg v1.01
    squid 	Network 	2.7.9 pkg v.4.3.3
    
    

    Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
    The system log files show

    Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
    Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
    Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
    Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
    Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
    Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted
    
    

    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
    Was this ever fixed?

    Snort should not block anything if you have the "block offenders" checkbox unchecked on the Interface tab.  If you think Snort is the cause, simply stop the Snort process by clicking the green arrow icon on the Snort Interfaces tab and waiting for it to turn to a red X.  At that point Snort is dead and not blocking anymore.  Try your connection then.  If it still fails, then Snort is not your problem.

    Another way to check if Snort is the cause is to click on Diagnostics…Tables and select the snort2c table in the dropdown list.  If no IP addresses show up, then Snort is not blocking.  All blocked IPs by Snort get put in the snort2c table that you can view under Diagnostics…Tables.  If an IP address is not in that table, then Snort is not blocking that IP.

    Bill
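
The snort2c table check described in the reply above can also be run from a shell on the firewall. This is an added example, not part of the thread: the function names and the sample table addresses are hypothetical, and it assumes `pfctl -t snort2c -T show` prints one address per line.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed
# (log lines copied from the post; table addresses are documentation IPs).
SAMPLE_LOG='Feb 12 13:22:12 havp[55759]: connect() failed: Operation not permitted
Feb 12 13:22:01 havp[44820]: connect() failed: Operation not permitted
Feb 12 13:22:00 havp[44820]: connect() failed: Operation not permitted
Feb 12 13:17:21 havp[55759]: connect() failed: Operation not permitted'
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

# Number of addresses in `pfctl -t snort2c -T show` output read from stdin.
snort2c_count() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Exit 0 if address $1 appears as an exact entry in the table output on stdin.
# (CIDR entries are not expanded; `pfctl -t snort2c -T test ADDR` asks pf itself.)
snort2c_has_ip() {
    awk -v ip="$1" '$1 == ip { hit = 1 } END { exit !hit }'
}

# "pid count" for each HAVP process that logged the connect() failure (stdin: syslog).
havp_failures_by_pid() {
    awk '/havp\[[0-9]+\]: connect\(\) failed: Operation not permitted/ {
             match($0, /havp\[[0-9]+\]/)
             n[substr($0, RSTART + 5, RLENGTH - 6)]++
         }
         END { for (pid in n) print pid, n[pid] }' | sort -n
}

# Verdict for table output on stdin; $1 is an optional destination address.
snort2c_verdict() {
    table=$(cat)
    count=$(printf '%s\n' "$table" | snort2c_count)
    if [ "$count" -eq 0 ]; then
        echo "snort2c empty: Snort is not blocking"
    elif [ -z "${1:-}" ]; then
        echo "snort2c holds $count address(es): Snort is blocking them"
    elif printf '%s\n' "$table" | snort2c_has_ip "$1"; then
        echo "$1 is in snort2c: Snort is blocking it"
    else
        echo "$1 is not in snort2c: Snort is not blocking it"
    fi
}

# Offline demo; on the firewall use: pfctl -t snort2c -T show | snort2c_verdict ADDR
printf '%s\n' "$SAMPLE_LOG" | havp_failures_by_pid
printf '%s\n' "$SAMPLE_TABLE" | snort2c_verdict 203.0.113.5
```

An empty table while the `connect() failed` entries keep appearing points away from Snort, which is the conclusion the GUI check in the reply leads to.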