Snort stopped working for unknown reasons



  • Hello,

    Out of the blue, snort stopped working on my pfsense box, and I have no idea why.  It was working for several months, but now things seem very screwed up.  I am not sure if an update caused this or what else, but here's what I see now:

    Service is stopped

    I regularly see this at the top of the pfsense webinterface:

    
    Warning: implode(): Invalid arguments passed in /usr/local/pkg/snort/snort_generate_conf.php on line 43 Warning: implode(): Invalid arguments passed in /usr/local/pkg/snort/snort_generate_conf.php on line 48
    

    Trying to start snort fails

    I can see this in the system logs:

    Sep 16 22:10:37	barnyard2[16333]:
    Sep 16 22:10:37	barnyard2[16333]: --== Initialization Complete ==--
    Sep 16 22:10:37	barnyard2[16333]: Barnyard2 initialization completed successfully (pid=16333)
    Sep 16 22:10:37	barnyard2[16333]: Using waldo file '/var/log/snort/snort_vtnet129725/barnyard2/29725_vtnet1.waldo': spool directory = /var/log/snort/snort_vtnet129725 spool filebase = snort_29725_vtnet1.u2 time_stamp = 1410827947 record_idx = 64
    Sep 16 22:10:37	barnyard2[16333]: Opened spool file '/var/log/snort/snort_vtnet129725/snort_29725_vtnet1.u2.1410827947'
    Sep 16 22:10:37	barnyard2[16333]: Waiting for new data
    Sep 16 22:10:38	SnortStartup[16366]: Barnyard2 SOFT RESTART for Snort process for WAN(29725_vtnet1)...
    Sep 16 22:11:07	php: /index.php: Successful login for user 'admin' from:     
    Sep 16 22:11:07	php: /index.php: Successful login for user 'admin' from:
    Sep 16 22:11:15	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Snort process for WAN)...
    Sep 16 22:11:15	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Sep 16 22:11:20	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Sep 16 22:11:20	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
    Sep 16 22:11:22	check_reload_status: Syncing firewall
    Sep 16 22:11:22	check_reload_status: Syncing firewall
    Sep 16 22:11:22	php: /snort/snort_interfaces.php: [Snort] Snort START for Snort process for WAN(vtnet1)...
    Sep 16 22:11:22	snort[36545]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/snort.conf(361) => Invalid ip_list to 'ignore_scanners' option.
    Sep 16 22:11:22	php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 29725 -D -q -l /var/log/snort/snort_vtnet129725 --pid-path /var/run --nolock-pidfile -G 29725 -c /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/snort.conf -i vtnet1' returned exit code '1', the output was ''
    

    I tried reinstalling snort, didn't help.  Rebooting didn't help. Uninstalling, then rebooting, then re-installing also didn't help.

    Last thing I know that was done before snort crapped was that we made some changes to the aliases (only added an IP to an alias).  The aliases were already added to snort in the whitelist (now called pass list) but to make sure we deleted and re-added them.  That was done 3 days ago and AFAIK Snort was OK until today, but I may be wrong.  The relationship between the pfsense webserver and the actual services is still not good, so maybe we saw the green symbol and snort was maybe dead already.

    Of course I tried to remove the pass list entries completely and rebooting to no avail.

    Now what to do? Reinstall pfsense altogether?  I meant to post in the "pfsense package wishlist" thread but it seems to be locked.  I was going to suggest an IPS/IDS better than snort but AFAIK pfsense has nothing better to offer?

    Please note all packages as well as pfsense are ALL up to date.

    Any suggestions on how to troubleshoot the snort issue are appreciated.

    Regards
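    As an added example (not part of the original post, and not pfSense or Snort project code), the following script does the triage a responder would do by hand on the system log quoted above: it pulls out each Snort FATAL ERROR with the config file and line number it points at, the Snort variables (`$HOME_NET` style) and quoted option names in the message, and the config path and exit code of the snort command that failed. The log lines embedded below are constructed from the thread (the second FATAL ERROR's timestamp is made up, since the post does not show it); the hint strings are the author's own mapping, not Snort output.

```python
import re

# Constructed sample, abridged from the system log quoted in the post above.
# The timestamp on the last line is invented; the message text is the post's.
SAMPLE_LOG = """\
Sep 16 22:11:22\tphp: /snort/snort_interfaces.php: [Snort] Snort START for Snort process for WAN(vtnet1)...
Sep 16 22:11:22\tsnort[36545]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/snort.conf(361) => Invalid ip_list to 'ignore_scanners' option.
Sep 16 22:11:22\tphp: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 29725 -D -q -l /var/log/snort/snort_vtnet129725 --pid-path /var/run --nolock-pidfile -G 29725 -c /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/snort.conf -i vtnet1' returned exit code '1', the output was ''
Sep 16 22:12:00\tsnort[21806]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/rules/snort.rules(427) Empty IP used either as source IP or as destination IP in a rule. IP list: $HOME_NET.
"""

# "snort[PID]: FATAL ERROR: <file>(<line>) [=>] <message>"
FATAL_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: FATAL ERROR: (?P<file>\S+?)\((?P<line>\d+)\)\s*(?:=>\s*)?(?P<msg>.*)$"
)
# The pfSense package logs the failing command and its exit code on one line.
CMD_RE = re.compile(r"The command '(?P<cmd>[^']*)' returned exit code '(?P<code>\d+)'")
VAR_RE = re.compile(r"\$([A-Z_][A-Z0-9_]*)")   # Snort variables such as $HOME_NET
OPT_RE = re.compile(r"'([^']+)'")              # option names quoted by Snort


def triage(log_text):
    """Return one dict per Snort FATAL ERROR line: where it points and what it names."""
    found = []
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        found.append({
            "pid": int(m.group("pid")),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "message": msg,
            "variables": VAR_RE.findall(msg),
            "options": OPT_RE.findall(msg),
        })
    return found


def failed_commands(log_text):
    """Return (exit_code, config_path) for each snort invocation the package reported as failed."""
    out = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        cfg = re.search(r"-c (\S+)", m.group("cmd"))
        out.append((int(m.group("code")), cfg.group(1) if cfg else None))
    return out


def hint(entry):
    """Author's mapping from the two error shapes seen in this thread to the setting to inspect."""
    if "HOME_NET" in entry["variables"]:
        return "HOME_NET resolved to nothing: open the interface's HOME_NET view and check the aliases it references"
    if "ignore_scanners" in entry["options"]:
        return "ignore_scanners IP list is empty or malformed: check the Portscan Detection preprocessor's list"
    return "unclassified: open the named file at the given line"


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['file']}:{e['line']}  {e['message']}\n    -> {hint(e)}")
    for code, cfg in failed_commands(SAMPLE_LOG):
        print(f"snort exited {code} while loading {cfg}")
```

Run it against a pasted copy of the system log; the file:line it prints is the place to open first, since both errors in this thread are config-generation failures rather than crashes.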


  • Banned

    Disable the "ignore scanners" option and test again.



  • Hey Supermule,

    I tried deactivating the entire section where the option "ignore scanners" was located, it is "Portscan detection" under interface preprocs..

    Now snort returns

    snort[21806]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/rules/snort.rules(427) Empty IP used either as source IP or as destination IP in a rule. IP list: $HOME_NET.
    

    I have tried to find this "$HOME_NET" thing, but couldn't.  According to a quick web search, it would be because $HOME_NET is empty and used in a rule.  Therefore that rule is invalid and snort refuses to start.  To this point, it makes sense I guess..

    Now why would this variable be empty?  The more I think about it, the more I suspect a bug in pfsense itself for emptying the variable (if it's a system-wide variable) or a bug in snort for not keeping up with my extremely minor alias modification.

    If I deactivate the rules using $HOME_NET, I will deactivate so many of them that having snort installed will be useless.


  • Banned

    Could it be a spelling error in the alias settings?



  • @lpallard:

    Hey Supermule,

    I tried deactivating the entire section where the option "ignore scanners" was located, it is "Portscan detection" under interface preprocs..

    Now snort returns

    snort[21806]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29725_vtnet1/rules/snort.rules(427) Empty IP used either as source IP or as destination IP in a rule. IP list: $HOME_NET.
    

    I have tried to find this "$HOME_NET" thing, but couldn't.  According to a quick web search, it would be because $HOME_NET is empty and used in a rule.  Therefore that rule is invalid and snort refuses to start.  To this point, it makes sense I guess..

    Now why would this variable be empty?  The more I think about it, the more I suspect a bug in pfsense itself for emptying the variable (if it's a system-wide variable) or a bug in snort for not keeping up with my extremely minor alias modification.

    If I deactivate the rules using $HOME_NET, I will deactivate so many of them that having snort installed will be useless.

    You have a fundamental problem with your configuration.  $HOME_NET is automatically configured, and if it is empty, then your configuration is hosed somehow.  Go to the INTERFACE tab for your snort interface (get there by going to the Snort main menu tabs and click the e icon beside an interface to edit it).  Scroll down on the interface edit page and find the setting for HOME_NET and click the VIEW button beside it.  What is displayed in the pop-up window?

    My initial guess is you deleted an Alias that is referenced in your Snort configuration.  I would like to work with you to identify the problem so if it is something I can address within the Snort package, I can do so.  Please feel free to send me a PM and we can communicate via e-mail if you do not wish to post certain information here.

    Bill
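    To make the check Bill describes concrete, here is an added example (mine, not the Snort package's code) of how a HOME_NET list is assembled from interface networks plus referenced aliases, and what goes wrong when a referenced alias has been deleted: the resolver refuses to produce an empty list instead of silently emitting an `ipvar` with nothing in it, which is the state Snort reports as "Empty IP used ... IP list: $HOME_NET". The alias table and all alias names are constructed for the demonstration; `ipvar HOME_NET [...]` is standard Snort syntax.

```python
import ipaddress

# Constructed alias table standing in for pfSense's alias list (hypothetical names).
# Aliases may nest: an entry that names another alias is expanded recursively.
ALIASES = {
    "office_servers": ["192.0.2.10", "192.0.2.11"],
    "branch_nets": ["198.51.100.0/24", "office_servers"],
}


class MissingAliasError(KeyError):
    """A pass list or HOME_NET entry references an alias that no longer exists."""


def resolve_alias(name, aliases, seen=None):
    """Expand an alias to a list of normalized CIDR strings, following nested aliases."""
    seen = seen or set()
    if name in seen:
        raise ValueError(f"alias cycle at {name!r}")
    if name not in aliases:
        raise MissingAliasError(name)
    nets = []
    for entry in aliases[name]:
        if entry in aliases:
            nets.extend(resolve_alias(entry, aliases, seen | {name}))
        else:
            # strict=False accepts host addresses and unmasked network bits
            nets.append(str(ipaddress.ip_network(entry, strict=False)))
    return nets


def build_home_net(interface_nets, alias_refs, aliases):
    """Combine interface networks and referenced aliases; never return an empty list."""
    nets = [str(ipaddress.ip_network(n, strict=False)) for n in interface_nets]
    for ref in alias_refs:
        nets.extend(resolve_alias(ref, aliases))
    seen = set()
    result = [n for n in nets if not (n in seen or seen.add(n))]  # dedupe, keep order
    if not result:
        raise ValueError("HOME_NET would be empty; Snort rejects rules that use $HOME_NET")
    return result


def render_var(name, nets):
    """Render the Snort ipvar line the generated snort.conf would carry."""
    return f"ipvar {name} [{','.join(nets)}]"


def dangling_refs(alias_refs, aliases):
    """Names referenced by the Snort config that are absent from the alias table
    (the situation the reply above suspects: an alias deleted while still referenced)."""
    return [r for r in alias_refs if r not in aliases]


if __name__ == "__main__":
    nets = build_home_net(["10.0.0.1/24"], ["branch_nets"], ALIASES)
    print(render_var("HOME_NET", nets))
    print("dangling:", dangling_refs(["branch_nets", "old_alias"], ALIASES))
```

`dangling_refs` is the quick test to run mentally against the interface's HOME_NET view: any alias name that shows up in the Snort configuration but not under Firewall > Aliases is the likely cause of an empty variable.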



  • Hey bmeeks, I PM'ed you!



  • @lpallard:

    Hey bmeeks, I PM'ed you!

    I replied with a request and my e-mail address.

    Bill

