Netgate Discussion Forum

    HAVP + Snort: connect() failed: Operation not permitted

    pfSense Packages
      Zosimo

      Current setup

      pfSense 2.1-RELEASE (i386)
      FreeBSD 8.3-RELEASE-p11
      snort 	2.9.5.5 pkg v3.0.3
      HAVP antivirus 	0.91_1 pkg v1.01
      squid 	Network 	2.7.9 pkg v.4.3.3
      
      

      Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
      The system log files show

      Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
      Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
      Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
      Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
      Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
      Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
      Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
      Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
      Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted
      
      

      It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
      Was this ever fixed?

        bmeeks

        @Zosimo:

        Current setup

        pfSense 2.1-RELEASE (i386)
        FreeBSD 8.3-RELEASE-p11
        snort 	2.9.5.5 pkg v3.0.3
        HAVP antivirus 	0.91_1 pkg v1.01
        squid 	Network 	2.7.9 pkg v.4.3.3
        
        

        Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
        The system log files show

        Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
        Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
        Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
        Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
        Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
        Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
        Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
        Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
        Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted
        
        

        It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
        Was this ever fixed?

        Snort should not block anything if you have the "block offenders" checkbox unchecked on the Interface tab.  If you think Snort is the cause, simply stop the Snort process by clicking the green arrow icon on the Snort Interfaces tab and waiting for it to turn to a red X.  At that point Snort is dead and not blocking anymore.  Try your connection then.  If it still fails, then Snort is not your problem.

        Another way to check if Snort is the cause is to click on Diagnostics…Tables and select the snort2c table in the dropdown list.  If no IP addresses show up, then Snort is not blocking.  All blocked IPs by Snort get put in the snort2c table that you can view under Diagnostics…Tables.  If an IP address is not in that table, then Snort is not blocking that IP.

        Bill
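
The snort2c table check described in the reply above can also be done from a shell; this is an added example, not part of either post. It assumes `pfctl -t snort2c -T show` is run on the firewall (or its output saved to a file) and that the system log is available as a text file; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: command-line version of the Diagnostics > Tables check.

# Print snort2c entries, one per line, trimmed. With a file argument, read a
# saved dump instead of calling pfctl (lets the check run off the firewall).
snort2c_entries() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    else
        pfctl -t snort2c -T show 2>/dev/null
    fi | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Count havp "connect() failed" lines in a text copy of the system log.
havp_connect_failures() {
    grep -c 'havp\[[0-9]*\]: connect() failed' "$1" || true
}

# "blocked" if the IP is an exact entry in snort2c, otherwise "not-blocked".
# Exact match only: 192.0.2.1 must not match an entry for 192.0.2.10.
snort2c_verdict() {    # $1 = IP, $2 = optional saved dump
    if snort2c_entries "${2:-}" | grep -Fxq -- "$1"; then
        echo blocked
    else
        echo not-blocked
    fi
}

# Constructed sample data: log lines in the thread's format and a table dump
# in pfctl's indented layout, using documentation-range addresses.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'Feb 12 13:22:12 havp[55759]: connect() failed: Operation not permitted' \
        'Feb 12 13:22:01 havp[44820]: connect() failed: Operation not permitted' \
        'Feb 12 13:22:00 squid[1234]: unrelated line' > "$dir/system.log"
    printf '   %s\n' 192.0.2.10 198.51.100.7 > "$dir/snort2c.txt"
    echo "havp failures: $(havp_connect_failures "$dir/system.log")"
    for ip in 192.0.2.10 203.0.113.5; do
        echo "$ip: $(snort2c_verdict "$ip" "$dir/snort2c.txt")"
    done
    rm -rf "$dir"
}
demo
```

If `snort2c_entries` prints nothing while HAVP keeps logging failures, the table is empty and, per the reply above, Snort is not the component doing the blocking.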

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.