Snort blocking everthing

Sunday morning, after no recent changes, my shield no longer allowed any device to reach the internet.  (but the update script should have ran)

I powered it off and on, and we had internet for about 10 minutes, before it was completely blocked again.

I went under system-> startup and disabled scripts until I had internet back.  Then I restated and retried with just one script off.  Through this trial and error, I found that if I disabled only snort, that worked.  

I also tried turning snort back in the startup scripts and going to Services -> Intrusion Prevention -> Basic and turning it off, but I still had no internet.  I had to go back to turning that script off.

Anyone have any idea what happened and what I should do to fix it?

Check the end of this thread and see if you have the double 2405000 rule too from the weekend update. It will keep snort from starting.

http://itus.accessinnov.com/Hotfix-160210-td8.html

I took a look.  I found the double-rule and removed it.  I then re-started the shield.  Same issue, though.

Can you post your syslog?

I dis a search in WinSCP and found a file by that name in /usr/lib/lua/luci/view/admin_status.
syslog.htm
There does not seem to be much in it, so not sure if this is the right one.

Your actual system log. In the GUI you can go to status>system log or logread via CLI.

OK, I re-started snort, I rebooted the Shield.  Then once it was back up, I tried to go to about three web sites, and copied the log out of the GUI.
Log.txt

You're having the same problem as others but just a different rule. Rollback to the V5 of the update script and you should be fine until it's resolved:

fw_upgrade.fw_upgrade

I reverted back to the previous upgrade script through WinSCP.  Through the GUI I started a manual update.  After that I rebooted the Shield.  Same problem as before, I had to turn off the snort script to have internet access.

What did I miss?

It probably didn't run because you need internet access first. In your WinSCP go to /etc/snort/rules/snort.rules and open the file. Click on select all, then delete, then save. This will erase your rules. Restart snort either via CLI /etc/init.d/snort restart or in the GUI: system>startup>initscripts>snort restart. You'll get your internet back in a few minutes. You can then run the fw_upgrade to reinstall your ruleset.

Well I did all that.  I could see after the upgrade that snort.rules went from 0 to 1683KB.
Then for good measure I rebooted the Shield.  Back to the same issue.  No internet until I ended the snort script.

I checked snort.rules after that and verified only one 2405000 rule after the update.

Can you post log again please?

I re-started Snort, tried to get to google.com and apple.com.  When I saw they didn't go through, I grabbed the log.

log2.txt

I see snort last restarted at 7:53 but there are no errors in the syslog. Your kernal log may show something though, you can upload that if you want. When snort restarts it's normal to loose connection for a few minutes. Did it restart on it's own or did you do it?

I restarted Snort and then the shield.


So right now I am restarting the shield at 10:23.  After I could log into the Shied again at 10:24, I verified I couldn't get to Google.  I went ahead and left it until 10:30, and then it all worked right.

DOH, guess I was too impatient.  I had assumed (incorrectly) that If I could log into the Shield, that it was ready for internet traffic.

Thanks, I will remember the lesson.