Netgate Discussion Forum
    [Snort] FATAL ERROR: Frag3 => only one non-bound engine can be specified

    • Mr. Jingles

      G'morning, 't is me again, the eternal noob  ;D

      This morning I noticed snort on WAN2 had stopped in the GUI. Restarting it gave the same red cross, yet this in the system logs:

      FATAL ERROR: Frag3 => only one non-bound engine can be specified

      And a clue:

      php: /snort/snort_interfaces.php: [snort] WARNING: unable to resolve IP List Alias 'PIAVPN_SNORT' for Frag3 engine 'piavpn_snort' … using 0.0.0.0 failsafe.

      Clue, because: PIAVPN goes over WAN2.

      The problem: I don't remember what I did  :-[

      Some time ago I indeed, one way or the other, and on recommendation of somebody or reading a thread (I don't recall anymore -> the brain damage after the accident, short memory is a mess), did manage to get 'PIAVPN_SNORT' into the 'Bind-To IP-address alias' field in the Frag3 preprocessor field.

      Yesterday, I was cleaning up a lot of aliases and I must have deleted it (I've noticed, by the way, that changes you make in Firewall/Aliases do not get updated correctly in Snort).

      I have no idea how I created that alias in the first place, since the WAN2 changes dynamically (so I can't add 81.x.x.x. for example, as it will change over time).

      Yes, I know, this is your typical noob confused question  ;D

      (Sorry - peep  :-[ ).

      Would anybody know what I did last time? I'm sure I've read it somewhere, I looked through my bookmarks but can't find the link again, and uncle Google also isn't very helpful.

      Thank you in advance  ;D

      Bye,

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      • bmeeks

        Mr. Jingles:

        I don't know what you did last time to make it work, but you have correctly diagnosed the problem.  When Snort can't resolve an alias to an actual specific IP address or range, it will default it to "0.0.0.0".  However, most of the preprocessors consider that the "default" and do not like that specified more than once.  The Snort package already adds a default, so when a configured alias won't resolve you can wind up with two "defaults" and hence the error you see.

        I don't use dual WANs, so I can't help you with that setup.  Perhaps another dual-WAN user can assist.

        Bill

        • Mr. Jingles

          @bmeeks:

          Mr. Jingles:

          I don't know what you did last time to make it work, but you have correctly diagnosed the problem.  When Snort can't resolve an alias to an actual specific IP address or range, it will default it to "0.0.0.0".  However, most of the preprocessors consider that the "default" and do not like that specified more than once.  The Snort package already adds a default, so when a configured alias won't resolve you can wind up with two "defaults" and hence the error you see.

          I don't use dual WANs, so I can't help you with that setup.  Perhaps another dual-WAN user can assist.

          Bill

          Thank you Bill  ;D

          The dual WAN has worked for months without problems, with Snort. I'm sure it has got something to do with me deleting that alias.

          I admit without reservation my writing was rather clumsy in the above.

          If I could rephrase: can you perhaps recall writing somewhere an instruction on how to set up an alias to enter in these Frag3 settings? I'm almost sure I followed one of your instructions, but I can't for the life of it find it anymore  :-[

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          • bmeeks

            @Mr.:

            Thank you Bill  ;D

            The dual WAN has worked for months without problems, with Snort. I'm sure it has got something to do with me deleting that alias.

            I admit without reservation my writing was rather clumsy in the above.

            If I could rephrase: can you perhaps recall writing somewhere an instruction on how to set up an alias to enter in these Frag3 settings? I'm almost sure I followed one of your instructions, but I can't for the life of it find it anymore  :-[

            First of all, you must have your Alias defined and working correctly under Firewall > Aliases.

            After that first step is finished, then go to the PREPROCESSORS tab for that interface in Snort and add a new FRAG3 engine for that network.  For example, click the plus ( + ) icon to add a new engine.  Give it a meaningful name.  Next click the Aliases button to the right of the Bind-to-IP Address Alias box.

            A dialog will open showing available aliases.  Choose the appropriate one and click OK.  You will be returned to the FRAG3 engine dialog.

            Customize as necessary any FRAG3 settings and then save the page.

            To be sure your alias is working, go back to the FRAG3 engine dialog by clicking the e (edit) icon beside the engine you just configured.  Hover your mouse over the Bind-to-IP Address Alias box (the one with the red background) and a tooltip should appear showing the current value of that alias.  If you get a blank tooltip, then something is wrong with your alias setup.  It should show the IP address or addresses currently associated with that alias.

            Bill

            • A Former User

              Did you try using a host in the alias (alias type IP> hosts)? It should get resolved to the IP automatically. Try using that, then using the resulting alias in frag3.

              • bmeeks

                Unfortunately the system calls Snort uses to resolve aliases to IP addresses will not work with FQDN aliases (those defined as a host name only).  Those come back as empty strings, so Snort will substitute the 0.0.0.0 default.

                You can only use hard-coded aliases (meaning you assign the IP to the alias when you create it).

                Bill

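Bill's two explanations above (an alias that will not resolve is written as 0.0.0.0, which the preprocessor treats as a second default engine, and an FQDN-only alias resolves to an empty string) as an added Python model; this is not the pfSense Snort package's own code, and the alias table, alias names, hostnames and addresses are constructed sample data. It builds the frag3 lines the way the thread describes and counts non-bound engines so the fatal condition is caught before Snort is started.

```python
"""Added example: model the Frag3 alias failure from the thread and lint the
resulting snort.conf fragment for more than one non-bound frag3 engine.
Everything below (alias table, names, addresses) is constructed."""
import ipaddress
import re

# Constructed stand-in for Firewall > Aliases. A host alias that holds only
# a hostname comes back empty from the lookup (as described in the thread);
# a hard-coded address or network alias resolves to itself.
ALIASES = {
    "LAN_NET": ["192.0.2.0/24"],                # hard-coded network alias
    "PIAVPN_SNORT": ["vpn.example.invalid"],    # FQDN-only alias: unresolvable
}

def _is_literal(value):
    """True when value is an IP address or CIDR network, not a hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def resolve_alias(name):
    """Literal addresses behind an alias; [] when nothing resolves."""
    return [v for v in ALIASES.get(name, []) if _is_literal(v)]

NON_BOUND = ("", "0.0.0.0")

def lint_frag3(conf):
    """Count frag3 engines that are effectively non-bound: no bind_to, or a
    bind_to of 0.0.0.0 (the failsafe). Snort aborts when this exceeds one."""
    count = 0
    for line in conf.splitlines():
        if not line.startswith("preprocessor frag3_engine"):
            continue
        m = re.search(r"bind_to\s+\[?([^\]\s]+)\]?", line)
        if m is None or m.group(1) in NON_BOUND:
            count += 1
    return count

def build_conf(engines, policy="bsd"):
    """engines: list of (engine_name, alias_name) as entered on the
    PREPROCESSORS tab. Returns (conf_text, warnings, non_bound_count)."""
    lines = ["preprocessor frag3_global: max_frags 8192",
             f"preprocessor frag3_engine: policy {policy}"]   # package default
    warnings = []
    for engine, alias in engines:
        addrs = resolve_alias(alias)
        if not addrs:   # mimic the package's 0.0.0.0 failsafe
            warnings.append(f"unable to resolve alias '{alias}' for engine '{engine}'")
        bind = ",".join(addrs) if addrs else "0.0.0.0"
        lines.append(f"preprocessor frag3_engine: policy {policy} bind_to [{bind}]")
    conf = "\n".join(lines)
    return conf, warnings, lint_frag3(conf)
```

A non_bound_count above one is the "only one non-bound engine can be specified" case; re-creating the alias with a hard-coded address (as Bill says is required) drops it back to one.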
                • A Former User

                  So in essence no matter what you use, you can only use static IPs?

                  • Mr. Jingles

                    @bmeeks:

                    First of all, you must have your Alias defined and working correctly under Firewall > Aliases.

                    After that first step is finished, then go to the PREPROCESSORS tab for that interface in Snort and add a new FRAG3 engine for that network.  For example, click the plus ( + ) icon to add a new engine.  Give it a meaningful name.  Next click the Aliases button to the right of the Bind-to-IP Address Alias box.

                    A dialog will open showing available aliases.  Choose the appropriate one and click OK.  You will be returned to the FRAG3 engine dialog.

                    Customize as necessary any FRAG3 settings and then save the page.

                    To be sure your alias is working, go back to the FRAG3 engine dialog by clicking the e (edit) icon beside the engine you just configured.  Hover your mouse over the Bind-to-IP Address Alias box (the one with the red background) and a tooltip should appear showing the current value of that alias.  If you get a blank tooltip, then something is wrong with your alias setup.  It should show the IP address or addresses currently associated with that alias.

                    Bill

                    Bill, I owe you more than one apology for the stupid way I asked my questions, wasted your time, since it is clear I confused everybody. Sorry (peep)  :-[

                    How to create an alias, and enter it in the Frag3 field I of course know. (Again, sorry (peep) for wasting your time).

                    I am sure I've read somewhere how to get the dynamic VPN IP into an alias that I could then enter into the Frag3 settings. I am sure, because I am in no way smart enough to figure that out myself. And it worked for two months, before I deleted the alias when cleaning up the alias list.

                    So if it wasn't you who wrote it somewhere, it was somebody else (logic, my favorite class back in university  ;D ;D ;D ).

                    Sorry to waste your time, Bill, and thank you for your patience for still answering it  :-*

                    The search for where I found out what to do continues. Of course, if I find it I will report back here 'for future generations'  :)

                    6 and a half billion people know that they are stupid, aggressive, lower life forms.

                    • Mr. Jingles

                      @jflsakfja:

                      Did you try using a host in the alias (alias type IP> hosts)? It should get resolved to the IP automatically. Try using that, then using the resulting alias in frag3.

                      Thank you JFL  ;D

                      Aside from that Bill below replied that in Snort that won't work: what host name should I enter for a dynamically changing external IP and/or its internal counterpart, the dynamically changing VPN-client IP? It doesn't have a host name (?)

                      6 and a half billion people know that they are stupid, aggressive, lower life forms.

                      • A Former User

                        @Mr.:

                        @jflsakfja:

                        Did you try using a host in the alias (alias type IP> hosts)? It should get resolved to the IP automatically. Try using that, then using the resulting alias in frag3.

                        Thank you JFL  ;D

                        Aside from that Bill below replied that in Snort that won't work: what host name should I enter for a dynamically changing external IP and/or its internal counterpart, the dynamically changing VPN-client IP? It doesn't have a host name (?)

                        I saw bmeeks' reply later on, didn't know that. Learn something new each day?  ;D

                        There are sites that let you create a hostname for dynamic DNS (eg http://www.dnsdynamic.org/, not a recommendation btw, used purely as an example). My thinking was use something like that, then point the IP to the VPN one, and keep it updated. Since bmeeks said it won't work, it's of no use then.

                        • bmeeks

                          @jflsakfja:

                          So in essence no matter what you use, you can only use static IPs?

                          Yes, unfortunately true.  The Snort binary itself is not geared to do any kind of real time lookup of host to IP address.  There is just too much overhead associated with that when trying to process packets at near wire speed.  This is not just a limitation on pfSense, but would affect Snort on any platform.

                          BTW, the same is also true for Suricata.

                          Bill

                          • A Former User

                            Don't care about real time lookups, but a per minute lookup would be nice to stick into a variable. Just saying… ;)

                            Can't pfsense's existing setup be used for that? Since the majority will be doing their realtime lookups through unbound, it should be pretty fast, even when used in realtime, with regards to keeping up with traffic.

                            Not talking about a 10Gbps snort (don't even know if it can push up to that)/suricata looking up a billion IPv6 addresses. Talking about sticking an alias to suricata, having it look up a single (or few) hosts to allow for a VPN for example to be tightened down. Used with an allow only VPN access from this host suricata rule, for example. Yes that can be done with normal pfsense rules, but it's an example.  :D

                            Sorry for taking over the thread Mr. Jingles, but I fixed it near the end  ;D

                            • bmeeks

                              @jflsakfja:

                              Don't care about real time lookups, but a per minute lookup would be nice to stick into a variable. Just saying… ;)

                              Can't pfsense's existing setup be used for that? Since the majority will be doing their realtime lookups through unbound, it should be pretty fast, even when used in realtime, with regards to keeping up with traffic.

                              Not talking about a 10Gbps snort (don't even know if it can push up to that)/suricata looking up a billion IPv6 addresses. Talking about sticking an alias to suricata, having it look up a single (or few) hosts to allow for a VPN for example to be tightened down. Used with an allow only VPN access from this host suricata rule, for example. Yes that can be done with normal pfsense rules, but it's an example.  :D

                              Sorry for taking over the thread Mr. Jingles, but I fixed it near the end  ;D

                              I have considered perhaps leveraging the filterdns daemon and its alias tables within pfSense to allow some small level of FQDN support for pass list entries.  It would take some significant mods to the way the old Spoink output plugin for Snort has been engineered.  Today it reads a simple text file of IP addresses and stores them in a linked list in memory once at startup.  Whenever a "block or no block" decision is required, that in-memory IP list is scanned to see if the source IP, destination IP or both are in the list.  If true, the block is not inserted into the snort2c alias table in pf.  Of course the "which IP to block" setting is also part of the logic.

                              Bill

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.