Snort crashed and won't restart correctly
-
I installed snort on my pfsense box yesterday to deal with hacker attempts on my box. I got my oinkmaster code and set everything up to automatically block ip addresses that attempted intrusion for 60min. It was working great, automatically blocking two attempts on my box. However a few hours later there was a power outage and upon restarting, snort was not found. I reinstalled snort and my settings were saved, even though it didn't see it installed. I thought it was working, however this morning I did some intrusion testing from another box in a different local, and it did not detect or autoblock my scans. I tried numerous different types to no avail, it appears that snort is just simply not working. I would like to get this back up very quickly, due to the many attempts I've been getting (probably all the same guy) over the past few days. Thanks for your help!
-
What is your configuration? You should have really a lot of RAM to run Snort smoothly.
-
Its an older 900mhz athlon with 370MBs of ram. I'm not running many rules and the box while it was working (actively blocking ip addresses) still had over 100MBs of ram unused and no swap file usage. It would seem that the ram was sufficent. I imagine it was probably something to do with the power outage and something got reset, as the package was not installed upon reboot, and after that would not run.
-
Well snort appears to be working properly now. It caught an intrusion and blocked the intruder right away. However now I'm getting an error I assume is associated with this log file entry. I will post the alert and the log file entry:
Here's the syslog:
May 31 19:54:57 kernel: xl0: transmission error: 90
May 31 19:54:57 kernel: xl0: tx underrun, increasing tx start threshold to 240 bytesHere's the alert:
[ ** ] [ 116:1:1 ] (snort_decoder) WARNING: Not IPv4 datagram! [ ** ]
05/31-19:32:51.475911[ ** ] [ 116:1:1 ] (snort_decoder) WARNING: Not IPv4 datagram! [ ** ]
05/31-19:32:51.479119[ ** ] [ 116:1:1 ] (snort_decoder) WARNING: Not IPv4 datagram! [ ** ]
05/31-19:32:51.480850[ ** ] [ 116:1:1 ] (snort_decoder) WARNING: Not IPv4 datagram! [ ** ]
05/31-19:32:51.483074There are numerous alerts like this, however they appear to have stopped. I searched for these alerts/logs and found numerous possible explanations and am unsure of what it might be. I hope that someone can help inform me of what this means. Thanks.
-
Can you take a look at my post (right after yours, titled "snort.sh not correctly being updated") and see if it's the same problem? If so, I found a sort of lame workaround, but it works.
Mike -
can you provide the full outoput of the system logs when you start snort?
-
There's a problem with the snort package (or maybe the web configurator?). Sometimes it does not put the full startup command in the snort startup config (/usr/local/etc/rc.d/snort.sh). If you look in that config, it should point to the snort binary, but sometimes after you make a configuration change that entry gets removed.
I've also noticed that the web configurator's service page often does not show the correct status for whether snort is running (or not). The only way to know for sure is to login via ssh and look at the "top" status, or type "ps auxw | grep snort" to see if the process is running.
Also… some of the rulesets do not work at all (snort will not startup). Additionally, if you run too many rules, snort will not start.
It takes a bit of work to get the snort package to work reliably on pfsense.