Netgate Discussion Forum

Snort failing to load rules

2.4 Development Snapshots
  • asterix
    last edited by Jan 17, 2017, 6:23 PM

    Have been getting this error for the last couple of days. Tried updating my 2.4 snapshot and reinstalled Snort on a fresh 2.4 install. Getting the same error.

    Can anyone help me find that 20835 rule which is causing the issue?

    Jan 17 18:15:13 php-fpm 87708 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 4219 -D -q --suppress-config-log -l /var/log/snort/snort_vmx04219 --pid-path /var/run --nolock-pidfile -G 4219 -c /usr/local/etc/snort/snort_4219_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jan 17 13:15:13 snort 18792 FATAL ERROR: /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules(20835) Rule options must be enclosed in '(' and ')'.

    • doktornotor
      last edited by Jan 17, 2017, 6:26 PM

      $ grep -Rni 'sid:20835' /usr/local/
      /usr/local/etc/suricata/rules/snort_browser-plugins.rules:1759:# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;)
      • asterix
        last edited by Jan 17, 2017, 6:55 PM
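A practitioner's caveat on the grep above: the FATAL ERROR names a line number in the generated snort.rules file (20835), not a SID, so searching by `sid:20835` can land on an unrelated rule (the hit found here is in a Suricata rules directory and is itself commented out). As an added example that is not part of this thread or of the pfSense Snort package, a Python 3 script that prints the line Snort reported and lints a rules file for the exact error in the post, options not enclosed in a single '(' ... ')' pair, plus a malformed header. It assumes the one-rule-per-line layout pfSense writes into snort.rules, and the rules embedded in it are constructed samples, not real rules:

```python
"""Added example (not from the thread): locate the line a Snort FATAL ERROR
names and lint a rules file for options not enclosed in '(' and ')'.
Assumes the one-rule-per-line layout pfSense writes into snort.rules."""
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

# Constructed sample, not a real rule set: line 4 has no option parentheses,
# line 5 is missing the closing ')', line 3 is a commented-out (disabled) rule.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"good rule"; content:"abc"; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any msg:"no parentheses"; sid:1000003; rev:1;
alert tcp any any -> any any (msg:"unterminated"; content:"xyz"; sid:1000004; rev:1;
"""


def line_at(text, lineno):
    """Equivalent of `sed -n '20835p' snort.rules`: the raw line Snort named, or None."""
    lines = text.splitlines()
    return lines[lineno - 1] if 1 <= lineno <= len(lines) else None


def lint_rules(text):
    """Return [(line_number, problem)] for enabled rules Snort would reject with
    "Rule options must be enclosed in '(' and ')'" or with a malformed header."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or disabled rule: Snort never parses it
        open_idx = line.find('(')
        if open_idx == -1 or not line.endswith(')'):
            problems.append((lineno, "rule options must be enclosed in '(' and ')'"))
            continue
        # Header before the options: action proto src sport direction dst dport
        header = line[:open_idx].split()
        if len(header) != 7 or header[4] not in ('->', '<>'):
            problems.append((lineno, 'malformed rule header: %s' % ' '.join(header)))
    return problems


def find_sid(text, sid):
    """(line_number, line) of the rule carrying this sid, enabled or not, or None.
    A leading '#' on the returned line means the rule is disabled in this file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = SID_RE.search(raw)
        if m and int(m.group(1)) == sid:
            return lineno, raw.rstrip()
    return None


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RULES
    for lineno, problem in lint_rules(text):
        print('%s:%d: %s' % (path or '<sample>', lineno, problem))
        print('    ' + line_at(text, lineno))
```

Run it against a copy of the interface's rules file (`python3 lint_rules.py /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules`, path taken from the error in the post) to get the offending line and its content in one step; since the file is regenerated each time the interface starts, the line number only means something for the copy that produced the error.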

        Thanks. Appreciate the quick response.

        Not sure, but it has something to do with "Snort OPENAPPID Rules". The moment I unselect all the rules under that last column, Snort starts, but if I enable even one single rule there, Snort fails to load with the same error I posted above.

        • doktornotor
          last edited by Jan 17, 2017, 6:59 PM

          Well, I'm using Suricata (but the rules are the same). There's no support for OpenAppID rules there, so… cannot help. Probably better asked in IPS/IDS forum, don't think it's related to 2.4 snapshots.

          • asterix
            last edited by Jan 17, 2017, 7:01 PM

            Hmm, makes me think... should I move to Suricata? Would you recommend it?

            • doktornotor
              last edited by Jan 17, 2017, 7:04 PM

              Well, you'd definitely not hit similar issues there, since broken/unsupported rules are just skipped. Otherwise, pretty happy with that, multithreading definitely helps.

              • asterix
                last edited by Jan 17, 2017, 7:08 PM

                How about the long list of false positives that I have identified in Snort? Will I have to start from scratch? It took me well over a year to assemble that list.

                • doktornotor
                  last edited by Jan 17, 2017, 7:16 PM

                  Hmmm, well, I'm using SID Mgmt - disablesid.conf for any FPs. If you are using something else, not sure… but I guess getting those out of config.xml should be doable as well.

                  • asterix
                    last edited by Jan 17, 2017, 7:24 PM

                    Yeah, I use the same, but I had to suppress the FPs one by one to ensure I am not suppressing the wrong ones. Took some good time. Can I just transfer the Snort FPs to Suricata?

                    • doktornotor
                      last edited by Jan 17, 2017, 7:26 PM

                      Yeah, definitely, just save the file and paste it back into Suricata. The rulesets are the same, so are the SIDs.

                      • asterix
                        last edited by Jan 17, 2017, 7:33 PM
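The hand-off works because a disablesid.conf is keyed on gid:sid, which the two rule sets share. As an added example that is not code from the thread or from the pfSense packages, a Python 3 script that parses a PulledPork-style disablesid.conf (the format SID Mgmt files are assumed here to follow; gid:sid entries, comma-separated lists, gid:sid-gid:sid ranges and pcre: entries are handled, category-name entries are not) and comments out the matching rules in a rules file, which is what either engine's SID Mgmt step does before the rules are loaded. The disable list and rules embedded in it are constructed samples:

```python
"""Added example, not code from the thread or from pfSense: apply a
PulledPork-style disablesid.conf to a Snort/Suricata rules file by commenting
out matching rules.  Handled: gid:sid, comma lists, gid:sid-gid:sid ranges and
pcre: patterns.  Category-name entries raise ValueError.  A '#' inside a pcre
is treated as a comment start and is therefore not supported here."""
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
ENTRY_RE = re.compile(r'(\d+):(\d+)(?:-(\d+):(\d+))?')

# Constructed samples, not real content from either rule set.
SAMPLE_DISABLESID = """\
# false positives collected over time (constructed sample)
1:1000001,1:1000003      # two noisy rules on one line
1:1000010-1:1000012      # a contiguous range
pcre:scanner noise       # match on rule text
"""

SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"fp one"; content:"a"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"keep me"; content:"b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"fp three"; content:"c"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"scanner noise seen"; content:"d"; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"in range"; content:"e"; sid:1000011; rev:1;)
# alert tcp any any -> any any (msg:"already off"; content:"f"; sid:1000012; rev:1;)
"""


def parse_disablesid(text):
    """Return ({(gid, sid), ...}, [compiled pcre, ...]) from disablesid.conf text."""
    pairs, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith('pcre:'):
            patterns.append(re.compile(line[len('pcre:'):].strip()))
            continue
        for item in line.split(','):
            m = ENTRY_RE.fullmatch(item.strip())
            if not m:
                raise ValueError('unsupported disablesid entry: %r' % item.strip())
            gid, lo = int(m.group(1)), int(m.group(2))
            hi = int(m.group(4)) if m.group(4) else lo
            pairs.update((gid, sid) for sid in range(lo, hi + 1))
    return pairs, patterns


def apply_disablesid(rules_text, pairs, patterns):
    """Comment out enabled rules whose (gid, sid) is listed (gid defaults to 1
    when the rule has no gid option) or whose text matches a pcre entry.
    Returns (new_rules_text, [sids disabled in file order])."""
    out, disabled = [], []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line) if line and not line.startswith('#') else None
        if m:
            sid = int(m.group(1))
            g = GID_RE.search(line)
            gid = int(g.group(1)) if g else 1
            if (gid, sid) in pairs or any(p.search(line) for p in patterns):
                out.append('# ' + raw)
                disabled.append(sid)
                continue
        out.append(raw)
    return '\n'.join(out) + '\n', disabled


if __name__ == '__main__':
    pairs, patterns = parse_disablesid(SAMPLE_DISABLESID)
    new_rules, disabled = apply_disablesid(SAMPLE_RULES, pairs, patterns)
    print('disabled sids:', disabled)
    print(new_rules, end='')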

                        Awesome! Thanks bud.  :D

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.