3. HAVP + Snort: connect() failed: Operation not permitted

HAVP + Snort: connect() failed: Operation not permitted

  • Z

    Current setup

    pfSense 2.1-RELEASE (i386)
FreeBSD 8.3-RELEASE-p11
snort 	2.9.5.5 pkg v3.0.3
HAVP antivirus 	0.91_1 pkg v1.01
squid 	Network 	2.7.9 pkg v.4.3.3

    Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
    The system log files show

    Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted

    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
    Was this ever fixed?

    0

  • @Zosimo:

    Current setup

    pfSense 2.1-RELEASE (i386)
FreeBSD 8.3-RELEASE-p11
snort 	2.9.5.5 pkg v3.0.3
HAVP antivirus 	0.91_1 pkg v1.01
squid 	Network 	2.7.9 pkg v.4.3.3

    Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways.
    The system log files show

    Feb 12 13:22:12 	havp[55759]: connect() failed: Operation not permitted
Feb 12 13:22:01 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:22:00 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:21:59 	havp[44820]: connect() failed: Operation not permitted
Feb 12 13:21:08 	havp[77462]: connect() failed: Operation not permitted
Feb 12 13:21:06 	havp[78132]: connect() failed: Operation not permitted
Feb 12 13:21:05 	havp[44591]: connect() failed: Operation not permitted
Feb 12 13:19:37 	havp[57273]: connect() failed: Operation not permitted
Feb 12 13:17:21 	havp[55759]: connect() failed: Operation not permitted

    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
    Was this ever fixed?

    Snort should not block anything if you have the "block offenders" checkbox unchecked on the Interface tab.  If you think Snort is the cause, simply stop the Snort process by clicking the green arrow icon on the Snort Interfaces tab and waiting for it to turn to a red X.  At that point Snort is dead and not blocking anymore.  Try your connection then.  If it still fails, then Snort is not your problem.

    Another way to check if Snort is the cause is to click on Diagnostics…Tables and select the snort2c table in the dropdown list.  If no IP addresses show up, then Snort is not blocking.  All blocked IPs by Snort get put in the snort2c table that you can view under Diagnostics…Tables.  If an IP address is not in that table, then Snort is not blocking that IP.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy