Snort Fatal Error



  • I just set up Snort on 2.2 and I get the following error in the logs when I try to start it:

    php-fpm[84074]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-i386/bin/snort -R 45986 -D -q --suppress-config-log -l /var/log/snort/snort_fxp045986 --pid-path /var/run --nolock-pidfile -G 45986 -c /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''
    snort[77151]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET
    php-fpm[84074]: /snort/snort_interfaces.php: [Snort] Snort START for WAN_PORT_5(fxp0)…

    Any ideas what I can check here? Below is the first part of snort.conf:

    Edit: Conf file excerpt removed at Sparkynerd's request.



  • "::" probably shouldn't be on either list?



  • @fragged is correct.  That "::" address is an invalid and empty IPv6 address.  What kinds of interfaces do you have Snort running on?  I mean, for example, do you have VLANs, something strange on the WAN other than standard DHCP or static addressing, etc.  We need to figure out where that bogus "::" address is coming from.  It is being picked up by Snort from some defined interface in the configuration.

    Bill



  • Thanks for the help! To answer your questions:

    What kinds of interfaces do you have Snort running on?

    ~ Snort is currently running only on the WAN port (fxp0)

    do you have VLANs

    ~ I do have (2) VLANs {VLAN2 - opt4 - em3, VLAN3 - opt5 - em3}. Both are assigned to the LAN port (opt2 - em3) of this device.

    something strange on the WAN other than standard DHCP or static addressing, etc

    ~ WAN port is standard setup, DHCP, nothing special. IPV6 is also set up as DHCP, but I don't use IPV6. Should this be disabled?

    The (2) VLANs on opt2 are connected to a managed switch with the same (2) VLANs, and there is a wireless access point also connected to this managed switch with those same (2) VLANs.

    To ask a noob question, what would happen if I remove the :: from the config file? Also, what do the "!" signify in the config file / external net section? It seems strange that the error is "FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET"



  • You guys are GENIUS! Just to take a chance, I disabled IPV6 on my WAN, rebooted, and ba-bam! It's working now! Thanks!  ;D
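
The thread traces the fatal error to a bogus "::" entry that Snort picked up from an interface. As an added example (not code from the thread or from the Snort package), this Python check scans the `ipvar` lists of a snort.conf for unspecified addresses such as "::" or 0.0.0.0 before Snort is started. The sample config is constructed, since the poster's excerpt was removed, and the function name `find_bad_entries` is hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of a generated snort.conf; not the poster's file.
SAMPLE_CONF = """\
ipvar HOME_NET [10.0.0.0/24,192.168.1.1,::,fe80::1,127.0.0.1]
ipvar EXTERNAL_NET [!$HOME_NET]
ipvar DNS_SERVERS [$HOME_NET]
"""

# Matches "ipvar NAME value"; portvar and plain var lines are ignored.
IPVAR_RE = re.compile(r"^\s*ipvar\s+(\S+)\s+(.+?)\s*$")


def find_bad_entries(conf_text):
    """Return (line_no, var_name, entry, reason) for suspicious ipvar entries."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]          # drop trailing comments
        match = IPVAR_RE.match(line)
        if not match:
            continue
        name, value = match.groups()
        for raw in value.split(","):
            entry = raw.strip().strip("[]")   # tolerate nested list brackets
            target = entry.lstrip("!").strip("[]")
            # Skip variable references and the literal keyword "any".
            if not target or target.startswith("$") or target == "any":
                continue
            try:
                net = ipaddress.ip_network(target, strict=False)
            except ValueError:
                findings.append((line_no, name, entry, "unparseable"))
                continue
            # "::" and "0.0.0.0" are placeholders, not usable addresses.
            if net.network_address.is_unspecified:
                findings.append((line_no, name, entry, "unspecified address"))
    return findings


if __name__ == "__main__":
    for line_no, name, entry, reason in find_bad_entries(SAMPLE_CONF):
        print(f"line {line_no}: {name} contains {entry!r} ({reason})")
```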

