Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort Fatal Error

    Scheduled Pinned Locked Moved
    IDS/IPS
    3
    5
    1.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sparkynerd
      last edited by

      I just setup Snort on 2.2 and I get the following error in the logs when I try to start it:

      php-fpm[84074]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-i386/bin/snort -R 45986 -D -q –suppress-config-log -l /var/log/snort/snort_fxp045986 --pid-path /var/run --nolock-pidfile -G 45986 -c /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''
      snort[77151]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET
      php-fpm[84074]: /snort/snort_interfaces.php: [Snort] Snort START for WAN_PORT_5(fxp0)…

      Any ideas what I can check here? Below is the first part of snort.conf:

      Edit: Conf file exert removed at Sparkynerd's request.

      1 Reply Last reply Reply Quote 0
      • F
        fragged
        last edited by

        "::" probably shouldn't be on either list?

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          @fragged is correct.  That "::" address is an invalid and empty IPv6 address.  What kinds of interfaces do you have Snort running on?  I mean, for example, do you have VLANs, something strange on the WAN other than standard DHCP or static addressing, etc.  We need to figure out where that bogus "::" address is coming from.  It is being picked up by Snort from some defined interface in the configuration.

          Bill

          1 Reply Last reply Reply Quote 0
          • S
            sparkynerd
            last edited by

            Thanks for the help! To answer your questions:

            What kinds of interfaces do you have Snort running on?

            ~ Snort is currently running only on the WAN port (fxp0)

            do you have VLANs

            ~ I do have (2) VLANs {VLAN2 - opt4 - em3, VLAN3 - opt5 - em3}. Both are assigned to the LAN port (opt2 - em3) of this device.

            something strange on the WAN other than standard DHCP or static addressing, etc

            ~ WAN port is standard setup, DHCP, nothing special. IPV6 is also setup as DHCP, but I dont use IPV6. Should this be disabled?

            The (2) VLANs on opt2 are connected to a managed switch with the same (2) VLANs, and there is a wireless access point also connected to this managed switch with those same (2) VLANs.

            To ask a noob question, what would happen if I remove the :: from the config file? Also, what do the "!" signify in the config file / external net section? It seems strange that the error is "FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_45986_fxp0/snort.conf(6) !any is not allowed in EXTERNAL_NET"

            1 Reply Last reply Reply Quote 0
            • S
              sparkynerd
              last edited by

              You guys are GENIUS! Just to take a chance, I disabled IPV6 on my WAN, rebooted, and ba-bam! It's working now! Thanks!  ;D

              1 Reply Last reply Reply Quote 0
              • First post
                Last post