
Author Topic: Snort won't start, or will it. <SOLVED>  (Read 7888 times)


Offline iraiam

Snort won't start, or will it. <SOLVED>
« on: June 13, 2014, 08:05:26 pm »
I have recently noticed a problem with my Snort package. It always says that it's not running. I can hit the start button and it tells me that it was started, and I can find this in the logs.  But I find no other log entries from Snort.

I know it used to work, but I have not made any changes to the Snort config or the WAN interface.

Any ideas?

Or maybe it's working after all, I see Alert logs? Can I trust it?
« Last Edit: June 18, 2014, 03:58:17 am by iraiam »

Offline iraiam

Re: Snort won't start, or will it.
« Reply #1 on: June 14, 2014, 10:11:55 am »
It's not working, I cleared the logs and did a complete Snort re-install, same problem; it says it started but does not stay running, no new alerts are being generated.

I found this in another thread and executed it, but I don't know how to interpret the return.

$   ps aux | grep snort
root   92547  0.0  0.0  9068  1504  ??  S     9:03AM   0:00.00 grep snort

Other than that, I have tried turning off rules down to just a bare minimum, different search methods (currently AC-BNFA), and numerous other settings that have all been returned to default.

I'm stumped.

Offline mais_um

Re: Snort won't start, or will it.
« Reply #2 on: June 14, 2014, 10:20:04 am »
Hi

If you use pfSense 2.2, Snort won't start; sometimes yes. I do not know why, but some restarts or a reinstallation without saving settings can put Snort "online". If not (pfSense 2.1.x), someone more into this could help you.
« Last Edit: June 14, 2014, 10:25:49 am by mais_um »
pfSense:
ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

Offline iraiam

Re: Snort won't start, or will it.
« Reply #3 on: June 14, 2014, 10:25:18 am »
I'm on 2.1.3-RELEASE  (amd64)

I installed the service watchdog package just to see what happens.  Now I can see that it detects Snort has stopped, but I still get no indication of why Snort stopped.


Offline mais_um

Re: Snort won't start, or will it.
« Reply #4 on: June 14, 2014, 10:29:29 am »
Best you try a reinstall, without saving settings. In global settings you should have "Keep Snort Settings After Deinstall"; uncheck this, remove the package, then reinstall the package.

Edit: This could be related https://forum.pfsense.org/index.php?topic=78151.0.
« Last Edit: June 14, 2014, 10:34:34 am by mais_um »

Offline iraiam

Re: Snort won't start, or will it.
« Reply #5 on: June 14, 2014, 10:34:16 am »
I did that: de-install, reboot, fresh re-install with all blank settings. I then used the sticky thread for Snort setup at the top of the packages forum; no love resulted.  The only difference from the sticky was I did not have to obtain an Oinkmaster code, I pasted in the one I already had.

Offline mais_um

Re: Snort won't start, or will it.
« Reply #6 on: June 14, 2014, 10:39:54 am »
I thought that it could be pfSense 2.2, but it is probably a Snort problem.

I use Suricata for now, but I can't use it on my WAN (PPPoE) interface; it doesn't go well with PPPoE interfaces. Only on LAN, better than nothing.

Offline iraiam

Re: Snort won't start, or will it.
« Reply #7 on: June 14, 2014, 12:12:59 pm »
Revert back to an older version of pfSense, re-install and configure Snort = no love.
Complete fresh install of pfSense and complete re-configure = a lot of work for nothing.

Package removed, not worth any more of my time dealing with it.

Offline iraiam

Re: Snort won't start, or will it.
« Reply #8 on: June 18, 2014, 03:56:53 am »
So I read somewhere that IPv6 is not supported in Snort. I was running IPv6 on a couple of interfaces, although Snort was not monitoring them.

I changed all interfaces over to IPv4 and re-installed the Snort package.  It works now.

It looks as though if I run IPv6 on ANY interface, Snort will not run, I found this odd because as I said, the interfaces that were running IPv6 were not being monitored by snort.

Is this normal? I could swear that I had been running IPv6 on these interfaces (VLAN Trunks) for some time with no trouble, Snort only looks at my WAN.
« Last Edit: June 18, 2014, 07:00:38 am by iraiam »

Offline bmeeks

Re: Snort won't start, or will it.
« Reply #9 on: June 18, 2014, 11:01:45 am »
Snort works with IPv6 and can block IPv6 as well.  I have it working on my home firewall just fine.  It's Barnyard2 that does not support writing IPv6 to MySQL databases, so there can be issues with that.

Bill

Offline iraiam

Re: Snort won't start, or will it.
« Reply #10 on: June 18, 2014, 06:23:58 pm »
Well, that certainly muddies things up a bit more. I don't run Barnyard2 at all, but I did enable it and do a quick setup on it today. Whenever I set up any interface to run IPv6, Snort stops working; it then takes changing back any and all interfaces to IPv4, and an un-install and re-install of Snort to get it working again. Color me confused.

Offline bmeeks

Re: Snort won't start, or will it.
« Reply #11 on: June 19, 2014, 06:18:47 pm »
I use a Hurricane Electric IPv6 tunnel broker account and have an IPv6 network on my LAN (and via the tunnel on my WAN). I have not seen any issues other than Barnyard2 won't log IPv6 addresses to the MySQL database (I use Snorby to accept data from Barnyard2).

Bill

Offline SomeSense

Re: Snort won't start, or will it. <SOLVED>
« Reply #12 on: August 09, 2015, 09:05:24 am »
**edit** misread the above post - it's not an IPv6 issue.
« Last Edit: August 09, 2015, 11:51:37 am by SomeSense »

Offline doktornotor

Re: Snort won't start, or will it. <SOLVED>
« Reply #13 on: August 09, 2015, 09:28:22 am »
System --> Advanced --> Networking --> "allow ipv6" (uncheck this...turn it off).

Soon as I did that snort started working.  Wow ...  There should be prerequisite checker in pfsense (or even a warning on the package) that discloses this.

Ugh?! There is no such prerequisite like IPv6 "disabled". (All that it does is block all IPv6 traffic in packet filter anyway, as written in the GUI.) It's even discussed above (some year ago before your necropost).
Do NOT PM for help!

Offline SomeSense

Re: Snort won't start, or will it. <SOLVED>
« Reply #14 on: August 09, 2015, 11:44:41 am »
^and turning it off didn't solve the problem.  Still having issues w/ rebooting the firewall and the service not starting back up.

Offline SomeSense

Re: Snort won't start, or will it. <SOLVED>
« Reply #15 on: August 09, 2015, 12:12:06 pm »
Anybody having this issue also have suricata installed and enabled on the wan interface?

Offline doktornotor

Re: Snort won't start, or will it. <SOLVED>
« Reply #16 on: August 09, 2015, 01:24:17 pm »
^and turning it off didn't solve the problem.  Still having issues w/ rebooting the firewall and the service not starting back up.

What do you mean exactly? How are you checking this? This is now started in the background since it takes long to start, depending on HW and configuration.

Offline SomeSense

Re: Snort won't start, or will it. <SOLVED>
« Reply #17 on: August 29, 2015, 08:40:24 pm »
I think I figured out how to fix the bug.  Go into "snort interfaces" and then "wan categories"

Turn off all the categories, then turn any one of them on (just one)....and save it.  Then if you go back into "snort interfaces" it will say the WAN is enabled.  After that, go back into the "wan categories" and turn on either all or whatever ones you want on, and it will stay enabled.

Offline Kenton

Re: Snort won't start, or will it. <SOLVED>
« Reply #18 on: December 31, 2017, 12:27:09 am »
I had this issue with pfSense 2.4.2 and had no luck fixing the issue with any of the suggestions. Though I do think I have now found out why the WAN interface went down.
As I had set up Snort previously, access to checkip.dyndns.org was noted in the Alerts tab. Enabling a suppression list for the following IP addresses seems to have corrected my connection issues.

suppress gen_id 1, sig_id 2014932, track by_src, ip 91.198.22.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.38.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.43.70
suppress gen_id 1, sig_id 2014932, track by_src, ip 216.146.43.71