Snort 2.9.6.2 update 3.1.2 stopped working



  • For some reason my Snort isn't working anymore.

    I got that FATAL error before, so I added "pfctl -t snort2c -T add 1.1.1.1", but it still refuses to run.

    Performed a fresh install, restored my configuration, and snort still refuses to run.

    Uninstalling and reinstalling snort also didn't solve the problem.

    I'm running:
    2.1.5-RELEASE (i386)
    built on Mon Aug 25 07:44:26 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    Barnyard2 runs fine, but not snort.



  • If I type snort from the cmd shell, it runs just fine, but under Services > Snort it still shows as if it isn't running (the red X is still showing).

    Looks like something is damaged in the GUI.



  • Go to Diagnostics > Tables and see if the table is there.
    If not, remove the traffic shaper.



  • Hi,

    I use no traffic shaping at all; I never used it before.



  • I'm getting this too:
    ntpd[25761]: setsockopt IPV6_MULTICAST_IF 0 for fe80::215:17ff:fe3e:1b1f%2 fails: Can't assign requested address

    But I don't use IP6 at all.



  • So… no solution?



  • @Gradius:

    So… no solution?

    Gradius:

    The combination of errors indicates to me that something got corrupted on your box at a system level somewhere.  At this point you might be better served to backup your configuration and perform a fresh install.

    If you don't want to do that, then I would remove all the packages you installed and see if basic pfSense then works.  The ntp daemon is a core part of pfSense, and if it is failing, that would mean something is not right with your setup.

    Bill



  • Hi,

    I did perform a full fresh install; after that I just restored my configuration, but I'm still getting those errors.

    Btw, I'm not getting any errors aside from snort.

    Regards,
    Fernando

    @bmeeks:

    Gradius:

    The combination of errors indicates to me that something got corrupted on your box at a system level somewhere.  At this point you might be better served to backup your configuration and perform a fresh install.

    If you don't want to do that, then I would remove all the packages you installed and see if basic pfSense then works.  The ntp daemon is a core part of pfSense, and if it is failing, that would mean something is not right with your setup.

    Bill



  • @Gradius:

    Hi,

    I did perform a full fresh install; after that I just restored my configuration, but I'm still getting those errors.

    Btw, I'm not getting any errors aside from snort.

    Regards,
    Fernando

    1. What specific error message is printed in the system log related to Snort?  Can you post it here?

    2. What packages, besides Snort, are installed?

    3. Do you have now, or have you in the past, configured a Traffic Shaper?

    4. Are you running a full install on a conventional hard disk, or is this a nanoBSD installation?

    Bill



  • @bmeeks:

    1. What specific error message is printed in the system log related to Snort?  Can you post it here?

    2. What packages, besides Snort, are installed?

    3. Do you have now, or have you in the past, configured a Traffic Shaper?

    4. Are you running a full install on a conventional hard disk, or is this a nanoBSD installation?

    Bill

    Hi Bill,

    1.  Hard to say as I don't really see a real error:

    Oct 15 19:11:10 	php: rc.start_packages: No pfBlocker action during boot process.
    Oct 15 19:11:10 	php: rc.start_packages: Restarting/Starting all packages.
    Oct 15 19:11:08 	check_reload_status: Starting packages
    Oct 15 19:11:08 	php: rc.newwanip: pfSense package system has detected an ip change -> 10.10.10.1 ... Restarting packages.
    Oct 15 19:11:08 	php: rc.newwanip: rc.newwanip: on (IP address: 10.10.10.1) (interface: []) (real interface: ovpns1).
    Oct 15 19:11:08 	php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Oct 15 19:11:08 	check_reload_status: Starting packages
    Oct 15 19:11:08 	php: rc.newwanip: pfSense package system has detected an ip change 200.28.58.180 -> 200.28.56.13 ... Restarting packages.
    Oct 15 19:11:06 	check_reload_status: rc.newwanip starting ovpns1
    Oct 15 19:11:06 	kernel: ovpns1: link state changed to UP
    Oct 15 19:11:06 	php: rc.newwanip: Creating rrd update script
    Oct 15 19:11:06 	check_reload_status: Reloading filter
    Oct 15 19:11:06 	check_reload_status: Reloading filter
    Oct 15 19:11:06 	kernel: ovpns1: link state changed to DOWN
    Oct 15 19:11:06 	php: rc.newwanip: Resyncing OpenVPN instances for interface WAN.
    Oct 15 19:11:01 	php: rc.newwanip: ROUTING: setting default route to 10.52.126.3
    Oct 15 19:10:56 	check_reload_status: Rewriting resolv.conf
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockereDrop does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerDrop does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerTopSpammers does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerSouthAmerica does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerOceania does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerNorthAmerica does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerEurope does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerAsia does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerAfrica does not need updating.
    Oct 15 12:30:34 	php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
    Oct 15 12:30:00 	php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 34 seconds.
    Oct 15 12:30:00 	php: rc.update_urltables: /etc/rc.update_urltables: Starting up.
    Oct 15 12:03:20 	barnyard2[40210]: Waiting for new spool file
    Oct 15 12:03:20 	barnyard2[40210]: Barnyard2 initialization completed successfully (pid=40210)
    Oct 15 12:03:20 	barnyard2[40210]: --== Initialization Complete ==--
    Oct 15 12:03:20 	barnyard2[40210]:
    Oct 15 12:03:20 	barnyard2[40210]: PID path stat checked out ok, PID path set to /var/run
    Oct 15 12:03:20 	barnyard2[40210]: Daemon initialized, signaled parent pid: 39930
    Oct 15 12:03:20 	barnyard2[39930]: Daemon parent exiting
    Oct 15 12:03:20 	barnyard2[39930]: Initializing daemon mode
    Oct 15 12:03:20 	barnyard2[39930]: Barnyard2 spooler: Event cache size set to [8192]
    Oct 15 12:03:20 	barnyard2[39930]: ---------------------------- +[ Signature Suppress list ]+
    Oct 15 12:03:20 	barnyard2[39930]: +[No entry in Signature Suppress List]+
    Oct 15 12:03:20 	barnyard2[39930]: +[ Signature Suppress list ]+ ----------------------------
    Oct 15 12:03:20 	barnyard2[39930]: Found pid path directive (/var/run)
    Oct 15 12:03:20 	barnyard2[39930]: Initializing Output Plugins!
    Oct 15 12:03:20 	barnyard2[39930]: Initializing Input Plugins!
    Oct 15 12:03:20 	barnyard2[39930]: --== Initializing Barnyard2 ==--
    Oct 15 12:03:20 	barnyard2[39930]:
    Oct 15 12:03:20 	barnyard2[39930]: Running in Continuous mode
    Oct 15 12:03:20 	barnyard2[39930]: Found pid path directive (/var/run)
    Oct 15 12:03:18 	check_reload_status: Syncing firewall
    Oct 15 12:03:18 	php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Oct 15 12:03:18 	php: snort_check_for_rule_updates.php: [Snort] Snort has restarted with your new set of rules...
    Oct 15 12:03:13 	barnyard2[42849]: ===============================================================================
    Oct 15 12:03:13 	barnyard2[42849]: Total: 0
    Oct 15 12:03:13 	barnyard2[42849]: S5 G 2: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: S5 G 1: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: InvChkSum: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: DISCARD: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: OTHER: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: MPLS: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE LOOP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE IPX: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE ARP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE PPTP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE IP6 E: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE IPv6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE IPv4: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE VLAN: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE ETH: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: GRE: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPv6/IPv6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPv6/IPv4: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPv4/IPv6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPv4/IPv4: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPX: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ETHLOOP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: EAPOL: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ARP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: FRAG 6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: FRAG: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ICMPdis: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: UDPdisc: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: TCPdisc: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ICMP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: UDP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: TCP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ICMP-IP: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ICMP6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: UDP 6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: TCP 6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IP4disc: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IP4: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IP6disc: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IP6opts: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IP6 EXT: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: IPV6: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: VLAN: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ETHdisc: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: ETH: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: Packet breakdown by protocol (includes rebuilt packets):
    Oct 15 12:03:13 	barnyard2[42849]: ===============================================================================
    Oct 15 12:03:13 	barnyard2[42849]: Suppressed: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: Unknown: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: Packets: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: Events: 0 (0.000%)
    Oct 15 12:03:13 	barnyard2[42849]: Records: 0
    Oct 15 12:03:13 	barnyard2[42849]: Record Totals:
    Oct 15 12:03:13 	barnyard2[42849]: ===============================================================================
    Oct 15 12:03:13 	barnyard2[42849]: Barnyard2 exiting
    Oct 15 12:03:13 	barnyard2[42849]: *** Caught Term-Signal
    Oct 15 12:03:10 	php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN...
    Oct 15 12:03:07 	php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
    Oct 15 12:03:07 	php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
    Oct 15 12:03:05 	php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Oct 15 12:03:04 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Oct 15 12:03:03 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date...
    Oct 15 00:05:02 	barnyard2[42849]: Waiting for new spool file
    Oct 15 00:05:02 	barnyard2[42849]: Barnyard2 initialization completed successfully (pid=42849)
    Oct 15 00:05:02 	barnyard2[42849]: --== Initialization Complete ==--
    Oct 15 00:05:02 	barnyard2[42849]:
    Oct 15 00:05:02 	barnyard2[42849]: PID path stat checked out ok, PID path set to /var/run
    Oct 15 00:05:02 	barnyard2[42849]: Daemon initialized, signaled parent pid: 42742
    Oct 15 00:05:02 	barnyard2[42742]: Daemon parent exiting
    Oct 15 00:05:02 	barnyard2[42742]: Initializing daemon mode
    Oct 15 00:05:02 	barnyard2[42742]: Barnyard2 spooler: Event cache size set to [8192]
    Oct 15 00:05:01 	barnyard2[42742]: ---------------------------- +[ Signature Suppress list ]+
    Oct 15 00:05:01 	barnyard2[42742]: +[No entry in Signature Suppress List]+
    Oct 15 00:05:01 	barnyard2[42742]: +[ Signature Suppress list ]+ ----------------------------
    Oct 15 00:05:01 	barnyard2[42742]: Found pid path directive (/var/run)
    Oct 15 00:05:01 	barnyard2[42742]: Initializing Output Plugins!
    Oct 15 00:05:01 	barnyard2[42742]: Initializing Input Plugins!
    Oct 15 00:05:01 	barnyard2[42742]: --== Initializing Barnyard2 ==--
    Oct 15 00:05:01 	barnyard2[42742]:
    Oct 15 00:05:01 	barnyard2[42742]: Running in Continuous mode
    Oct 15 00:05:01 	barnyard2[42742]: Found pid path directive (/var/run)
    Oct 15 00:05:00 	check_reload_status: Syncing firewall
    Oct 15 00:04:59 	php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
    Oct 15 00:04:59 	php: snort_check_for_rule_updates.php: [Snort] Snort has restarted with your new set of rules...
    Oct 15 00:04:54 	barnyard2[29786]: ===============================================================================
    Oct 15 00:04:54 	barnyard2[29786]: Total: 0
    Oct 15 00:04:54 	barnyard2[29786]: S5 G 2: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: S5 G 1: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: InvChkSum: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: DISCARD: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: OTHER: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: MPLS: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE LOOP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE IPX: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE ARP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE PPTP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE IP6 E: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE IPv6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE IPv4: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE VLAN: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE ETH: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: GRE: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPv6/IPv6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPv6/IPv4: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPv4/IPv6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPv4/IPv4: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPX: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ETHLOOP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: EAPOL: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ARP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: FRAG 6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: FRAG: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ICMPdis: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: UDPdisc: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: TCPdisc: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ICMP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: UDP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: TCP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ICMP-IP: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ICMP6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: UDP 6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: TCP 6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IP4disc: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IP4: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IP6disc: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IP6opts: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IP6 EXT: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: IPV6: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: VLAN: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ETHdisc: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: ETH: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: Packet breakdown by protocol (includes rebuilt packets):
    Oct 15 00:04:54 	barnyard2[29786]: ===============================================================================
    Oct 15 00:04:54 	barnyard2[29786]: Suppressed: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: Unknown: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: Packets: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: Events: 0 (0.000%)
    Oct 15 00:04:54 	barnyard2[29786]: Records: 0
    Oct 15 00:04:54 	barnyard2[29786]: Record Totals:
    Oct 15 00:04:54 	barnyard2[29786]: ===============================================================================
    Oct 15 00:04:54 	barnyard2[29786]: Barnyard2 exiting
    Oct 15 00:04:54 	barnyard2[29786]: *** Caught Term-Signal
    Oct 15 00:04:52 	php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN...
    Oct 15 00:04:48 	php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
    Oct 15 00:04:43 	php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Oct 15 00:04:38 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
    Oct 15 00:04:36 	php: snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date...
    Oct 15 00:04:35 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
    Oct 15 00:03:04 	php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2962.tar.gz...
    Oct 14 23:00:04 	php: pfblocker.php: [pfblocker] pfblocker_xmlrpc_sync.php is starting.
    Oct 14 23:00:04 	check_reload_status: Reloading filter
    Oct 14 23:00:04 	check_reload_status: Syncing firewall
    Oct 14 23:00:00 	php: pfblocker.php: Starting pfBlocker sync process.
    Oct 14 16:21:30 	barnyard2[29786]: Waiting for new spool file
    Oct 14 16:21:30 	barnyard2[29786]: Barnyard2 initialization completed successfully (pid=29786)
    Oct 14 16:21:30 	barnyard2[29786]: --== Initialization Complete ==--
    Oct 14 16:21:30 	barnyard2[29786]:
    Oct 14 16:21:30 	barnyard2[29786]: PID path stat checked out ok, PID path set to /var/run
    Oct 14 16:21:30 	barnyard2[29786]: Daemon initialized, signaled parent pid: 29563
    Oct 14 16:21:30 	barnyard2[29563]: Daemon parent exiting
    Oct 14 16:21:30 	barnyard2[29563]: Initializing daemon mode
    Oct 14 16:21:30 	barnyard2[29563]: Barnyard2 spooler: Event cache size set to [8192]
    Oct 14 16:21:30 	barnyard2[29563]: ---------------------------- +[ Signature Suppress list ]+
    Oct 14 16:21:30 	barnyard2[29563]: +[No entry in Signature Suppress List]+
    Oct 14 16:21:30 	barnyard2[29563]: +[ Signature Suppress list ]+ ----------------------------
    Oct 14 16:21:30 	barnyard2[29563]: Found pid path directive (/var/run)
    Oct 14 16:21:30 	barnyard2[29563]: Initializing Output Plugins!
    Oct 14 16:21:30 	barnyard2[29563]: Initializing Input Plugins!
    Oct 14 16:21:30 	barnyard2[29563]: --== Initializing Barnyard2 ==--
    Oct 14 16:21:30 	barnyard2[29563]:
    Oct 14 16:21:30 	barnyard2[29563]: Running in Continuous mode
    Oct 14 16:21:30 	barnyard2[29563]: Found pid path directive (/var/run)
    Oct 14 16:21:25 	barnyard2[25601]: ---------------------------- +[ Signature Suppress list ]+
    Oct 14 16:21:25 	barnyard2[25601]: +[No entry in Signature Suppress List]+
    Oct 14 16:21:25 	barnyard2[25601]: +[ Signature Suppress list ]+ ----------------------------
    Oct 14 16:21:25 	barnyard2[25601]: Found pid path directive (/var/run)
    Oct 14 16:21:25 	barnyard2[25601]: Initializing Output Plugins!
    Oct 14 16:21:25 	barnyard2[25601]: Initializing Input Plugins!
    Oct 14 16:21:25 	barnyard2[25601]: --== Initializing Barnyard2 ==--
    Oct 14 16:21:25 	barnyard2[25601]:
    Oct 14 16:21:25 	barnyard2[25601]: Running in Continuous mode
    Oct 14 16:21:25 	barnyard2[25601]: Found pid path directive (/var/run)
    Oct 14 16:21:25 	barnyard2[22850]: ===============================================================================
    Oct 14 16:21:25 	barnyard2[22850]: Total: 0
    Oct 14 16:21:25 	barnyard2[22850]: S5 G 2: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: S5 G 1: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: InvChkSum: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: DISCARD: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: OTHER: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: MPLS: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE LOOP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE IPX: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE ARP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE PPTP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE IP6 E: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE IPv6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE IPv4: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE VLAN: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE ETH: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: GRE: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPv6/IPv6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPv6/IPv4: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPv4/IPv6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPv4/IPv4: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPX: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ETHLOOP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: EAPOL: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ARP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: FRAG 6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: FRAG: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ICMPdis: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: UDPdisc: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: TCPdisc: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ICMP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: UDP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: TCP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ICMP-IP: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ICMP6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: UDP 6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: TCP 6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IP4disc: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IP4: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IP6disc: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IP6opts: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IP6 EXT: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: IPV6: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: VLAN: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ETHdisc: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: ETH: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: Packet breakdown by protocol (includes rebuilt packets):
    Oct 14 16:21:25 	barnyard2[22850]: ===============================================================================
    Oct 14 16:21:25 	barnyard2[22850]: Suppressed: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: Unknown: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: Packets: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: Events: 0 (0.000%)
    Oct 14 16:21:25 	barnyard2[22850]: Records: 0
    Oct 14 16:21:25 	barnyard2[22850]: Record Totals:
    Oct 14 16:21:25 	barnyard2[22850]: ===============================================================================
    Oct 14 16:21:25 	barnyard2[22850]: Barnyard2 exiting
    Oct 14 16:21:25 	barnyard2[22850]: *** Caught Term-Signal
    Oct 14 16:21:24 	barnyard2[22850]: Waiting for new spool file
    Oct 14 16:21:24 	barnyard2[22850]: Barnyard2 initialization completed successfully (pid=22850)
    Oct 14 16:21:24 	barnyard2[22850]: --== Initialization Complete ==--
    Oct 14 16:21:24 	barnyard2[22850]:
    Oct 14 16:21:24 	barnyard2[22850]: PID path stat checked out ok, PID path set to /var/run
    Oct 14 16:21:24 	barnyard2[22850]: Daemon initialized, signaled parent pid: 22505
    Oct 14 16:21:24 	barnyard2[22505]: Daemon parent exiting
    Oct 14 16:21:24 	barnyard2[22505]: Initializing daemon mode
    Oct 14 16:21:24 	barnyard2[22505]: Barnyard2 spooler: Event cache size set to [8192]
    Oct 14 16:21:23 	barnyard2[22505]: ---------------------------- +[ Signature Suppress list ]+
    Oct 14 16:21:23 	barnyard2[22505]: +[No entry in Signature Suppress List]+
    Oct 14 16:21:23 	barnyard2[22505]: +[ Signature Suppress list ]+ ----------------------------
    Oct 14 16:21:23 	barnyard2[22505]: Found pid path directive (/var/run)
    Oct 14 16:21:23 	barnyard2[22505]: Initializing Output Plugins!
    Oct 14 16:21:23 	barnyard2[22505]: Initializing Input Plugins!
    Oct 14 16:21:23 	barnyard2[22505]: --== Initializing Barnyard2 ==--
    Oct 14 16:21:23 	barnyard2[22505]:
    Oct 14 16:21:23 	barnyard2[22505]: Running in Continuous mode
    Oct 14 16:21:23 	barnyard2[22505]: Found pid path directive (/var/run)
    Oct 14 16:21:18 	barnyard2[65380]: ===============================================================================
    Oct 14 16:21:18 	barnyard2[65380]: Total: 0
    Oct 14 16:21:18 	barnyard2[65380]: S5 G 2: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: S5 G 1: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: InvChkSum: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: DISCARD: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: OTHER: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: MPLS: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE LOOP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE IPX: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE ARP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE PPTP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE IP6 E: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE IPv6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE IPv4: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE VLAN: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE ETH: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: GRE: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPv6/IPv6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPv6/IPv4: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPv4/IPv6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPv4/IPv4: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPX: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ETHLOOP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: EAPOL: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ARP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: FRAG 6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: FRAG: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ICMPdis: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: UDPdisc: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: TCPdisc: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ICMP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: UDP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: TCP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ICMP-IP: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ICMP6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: UDP 6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: TCP 6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IP4disc: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IP4: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IP6disc: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IP6opts: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IP6 EXT: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: IPV6: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: VLAN: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ETHdisc: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: ETH: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: Packet breakdown by protocol (includes rebuilt packets):
    Oct 14 16:21:18 	barnyard2[65380]: ===============================================================================
    Oct 14 16:21:18 	barnyard2[65380]: Suppressed: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: Unknown: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: Packets: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: Events: 0 (0.000%)
    Oct 14 16:21:18 	barnyard2[65380]: Records: 0
    Oct 14 16:21:18 	barnyard2[65380]: Record Totals:
    Oct 14 16:21:18 	barnyard2[65380]: ===============================================================================
    Oct 14 16:21:18 	barnyard2[65380]: Barnyard2 exiting
    Oct 14 16:21:18 	barnyard2[65380]: *** Caught Term-Signal
    Oct 14 16:21:16 	check_reload_status: Syncing firewall
    Oct 14 16:21:16 	check_reload_status: Syncing firewall
    

    2. OpenVPN Client Export Utility, pfBlocker, snort, Unbound

    3. Never

    4. Full as always, from a real HDD.

    Thanks


  • @Gradius:

    I'm getting this too:
    ntpd[25761]: setsockopt IPV6_MULTICAST_IF 0 for fe80::215:17ff:fe3e:1b1f%2 fails: Can't assign requested address

    But I don't use IP6 at all.

    Hi Gradius,

    I found this link in the forum, might be related?

    https://forum.pfsense.org/index.php?topic=71584.0



  • When you look under Diagnostics…Tables, do you see a table called "snort2c" in the drop-down list?  If that table is missing, then Snort can't work.

    If you see that table in the drop-down, then the next step is to attempt starting Snort manually to see what it may complain about.  Here's how to do that:

    1.  Open a console or SSH session with the firewall.

    2.  Change to the Snort directory structure using cd /usr/pbi/snort-amd64/etc/snort.

    3.  In that directory you will see one or more sub-directories named with the physical NIC interface name and a random number.  Change into one of those sub-directories.  You may have just one if you have only one interface; otherwise you will have a subdirectory for each configured Snort interface.

    4.  Start Snort manually using this command:

    snort -c ./snort.conf

    5.  See if it prints any error messages while attempting to start.  Post any of those back here.

    Bill



  • Hi,

    I'm getting this:

       Search-Method = AC-BNFA-Q
        Maximum pattern length = 20
        Search-Method-Optimizations = enabled
    ERROR: /usr/pbi/snort-i386/etc/snort/snort_59419_pppoe1/rules/snort.rules(627) Unknown rule option: 'sip_header'.
    Fatal Error, Quitting..
    

    That line contains:

    alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;)
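The checks Bill lists (is the snort2c pf table defined, does snort start from its interface directory) and the "Unknown rule option" error above can be scripted. The following is an added example for this thread, not code from the thread or from the pfSense Snort package. It assumes the directory layout quoted above (/usr/pbi/snort-<arch>/etc/snort/snort_<number>_<interface>/snort.conf) and Snort 2.9 semantics, under which sip_header and the other sip_* options are supplied by the SIP preprocessor and only parse when snort.conf has an active "preprocessor sip" line; the same holds for the other preprocessor-owned options listed in the script. The SNORT_BASE variable and the log path under /tmp are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Snort package): automate
# Bill's manual Snort checks and explain an "Unknown rule option" fatal error.
# Assumes the /usr/pbi/snort-<arch>/etc/snort/snort_<n>_<if> layout from the thread.

# 0 if the pf table exists. "pfctl -T show" succeeds on an empty table and
# fails only when the table is not defined at all.
pf_table_exists() {
    pfctl -t "$1" -T show >/dev/null 2>&1
}

# Turn a Snort fatal error read from stdin, e.g.
#   ERROR: /path/rules/snort.rules(627) Unknown rule option: 'sip_header'.
# into "<file>:<line>:<option>" (empty output when no such error is present).
parse_unknown_option() {
    sed -n "s/^ERROR: \(.*\)(\([0-9][0-9]*\)) Unknown rule option: '\([^']*\)'\.*$/\1:\2:\3/p"
}

# Rule options that come from a Snort 2.9 preprocessor rather than the core
# parser, mapped to the "preprocessor <name>" line that has to be enabled.
option_preprocessor() {
    case "$1" in
        sip_method|sip_stat_code|sip_header|sip_body) echo sip ;;
        dce_iface|dce_opnum|dce_stub_data)            echo dcerpc2 ;;
        modbus_func|modbus_unit|modbus_data)           echo modbus ;;
        dnp3_func|dnp3_ind|dnp3_obj|dnp3_data)         echo dnp3 ;;
        ssl_version|ssl_state)                         echo ssl ;;
        *) return 1 ;;
    esac
}

# 0 if snort.conf ($2) has an active "preprocessor $1" line; a commented-out
# "# preprocessor sip: ..." does not count.
preprocessor_enabled() {
    grep -Eq "^[[:space:]]*preprocessor[[:space:]]+$1([[:space:]]*:|[[:space:]]*$)" "$2"
}

# Read snort's startup output from stdin and explain an "Unknown rule option"
# error against the given snort.conf. Exit status: 0 = preprocessor enabled
# (option should parse), 1 = no such error, 2 = option not preprocessor-owned,
# 3 = preprocessor disabled.
explain_unknown_option() {
    conf=$1
    parsed=$(parse_unknown_option)
    if [ -z "$parsed" ]; then
        echo "no 'Unknown rule option' error in the snort output"
        return 1
    fi
    file=${parsed%%:*}
    rest=${parsed#*:}
    line=${rest%%:*}
    opt=${rest#*:}
    echo "rule file: $file  line: $line  option: $opt"
    [ -r "$file" ] && sed -n "${line}p" "$file"
    pre=$(option_preprocessor "$opt") || {
        echo "'$opt' is not an option any known preprocessor provides"
        return 2
    }
    if preprocessor_enabled "$pre" "$conf"; then
        echo "preprocessor $pre is enabled in $conf; the option should parse"
        return 0
    fi
    echo "preprocessor $pre is NOT enabled in $conf: enable it, or disable the rule by its sid"
    return 3
}

# Bill's procedure for the whole box. Invoke as: sh snort_diag.sh run
# (SNORT_BASE overrides the package directory; snort -T only tests the
# configuration and exits, so no traffic is processed).
main() {
    base=${SNORT_BASE:-/usr/pbi/snort-$(uname -p)/etc/snort}
    if pf_table_exists snort2c; then
        echo "pf table snort2c: present"
    else
        echo "pf table snort2c: MISSING - Snort has nowhere to insert blocks"
    fi
    for d in "$base"/snort_*; do
        [ -f "$d/snort.conf" ] || continue
        log=/tmp/$(basename "$d").snort-T.log
        echo "== $d"
        ( cd "$d" && snort -T -c ./snort.conf ) >"$log" 2>&1 || true
        grep -E '^(ERROR|Fatal)' "$log" || echo "   no ERROR/Fatal lines; see $log"
        explain_unknown_option "$d/snort.conf" <"$log" || true
    done
}
case "${1:-}" in run) main ;; esac
```

Run with `sh snort_diag.sh run` on the firewall; without the argument the file only defines the functions, so `explain_unknown_option` can also be fed a saved startup log by hand. For the error quoted above it reports line 627 of snort.rules, the option sip_header, and whether the interface's snort.conf actually enables the SIP preprocessor, which is the difference between fixing the configuration and deleting a rule that covers CVE-2014-6271.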
    

  • I decided to remove "sip_header" and now it's working, except I'm unable to get logs from "Alerts" and "Blocked".  :o



  • I added the "sip_header" and it's working now, but I'm still getting no "Alerts" and "Blocked" messages.

    As for Tables, I'm getting nothing from "snort2c".

    However I'm getting a lot of this: kernel: arpresolve: can't allocate llinfo for 10.52.30.3



  • @Gradius:

    I added the "sip_header" and it's working now, but I'm still getting no "Alerts" and "Blocked" messages.

    As for Tables, I'm getting nothing from "snort2c".

    However I'm getting a lot of this: kernel: arpresolve: can't allocate llinfo for 10.52.30.3

    If you do not see a table called "snort2c" in the drop-down list when you go to Diagnostics…Tables in the pfSense menu, then you will never get blocks because that table must exist for blocks to be inserted into.  And since that is a system table created at boot up, if it's missing on your box, then something is really, really wrong with the installation and probably the config file.

    When you did the reinstall, you said you used the same config file by restoring it.  It might be time to try an install totally and completely from scratch without importing the old configuration.  I know it will be a lot of work to create the configuration again, but if the problems came back with the fresh install, that indicates something may be wrong with the configuration in that file.

    Bill



  • Hi,

    I don't know how, but it took a while, and now it's working fine as I had it before.

    Solved!

