    Snort not starting due to rules errors 24-02-2010

    pfSense Packages
      • tester_02

      Any update on this?  I still can't enable a bunch of rules or it breaks.  I'm scared to run an update on my friend's pfsense that I built for him, as the updated rule will more than likely break his rules also.

        • jamesdean

        TreeTopFlyer

        /usr/local/etc/snort/rules/porn.rules is not a snort.org rule or emergingthreats.net rule. Please remove said file and your updates will work.
        Maybe a wrong rule got added by snort.org. The current rule downloads do not have porn.rules.

        Though if you want that rule, just add kickass-porn to classification.config in the dir /usr/local/etc/snort/rules.
        Then do an update.

        James

          • tester_02

          Updated today. Registered rules.

          snort[21022]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(80) => Unknown keyword ' detection_filter' in rule!

            • jamesdean

            Tester

            Do me a fav, post line 80 from this file /usr/local/etc/snort/rules/netbios.rules.

            Does it match this?

            alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)

            If so, the old snort package has to be moved to snort version 2.8.5.3.

              • tester_02

              My FreeBSD skills suck, but I did vi in and get this info…

              alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)

              does that help?

                • jamesdean

                tester_02

                Thanks for the help tester. Yes, seems snort.org rules are for the current 2.8.5.x binary.

                It's cool, I'll just update the binaries after testing today.

                James

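As an added illustration (not code from this thread or from the pfSense package): a small Python checker that tokenises each rule's option block and reports rules using keywords the older binary would reject with the FATAL ERROR seen above, so a downloaded ruleset can be vetted before snort is restarted. The keyword set and the sample rules file are assumptions built from the two revisions of sid 2924 quoted in the thread.

```python
import re
from typing import List, Tuple

# Option keywords the older 2.8.4.x binary of the old pfSense package does not
# understand. The thread shows only detection_filter (new in Snort 2.8.5); this
# set is an assumption for illustration, extend it for the binary you run.
NEWER_KEYWORDS = frozenset({"detection_filter"})

# header up to the first "(", option body up to the last ")"
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$")

def split_options(option_body: str) -> List[Tuple[str, str]]:
    """Split the text inside a rule's parentheses on ';' outside double quotes.
    Returns (keyword, value) pairs; flag-style keywords get an empty value."""
    pairs, buf, in_quote, prev = [], [], False, ""
    for ch in option_body + ";":            # trailing ';' flushes the last option
        if ch == '"' and prev != "\\":
            in_quote = not in_quote         # ';' inside content:"..." is data
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            buf = []
            if item:
                kw, _, val = item.partition(":")
                pairs.append((kw.strip(), val.strip()))
        else:
            buf.append(ch)
        prev = ch
    return pairs

def scan_rules(text: str, unsupported=NEWER_KEYWORDS) -> List[Tuple[int, str, str]]:
    """Return (line_number, sid, keyword) for each rule that uses a keyword
    the installed binary would reject with "Unknown keyword ... in rule!"."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue                        # blank lines, comments, var lines
        pairs = split_options(m.group(2))
        sid = next((v for k, v in pairs if k == "sid"), "?")
        findings.extend((lineno, sid, kw) for kw, _ in pairs if kw in unsupported)
    return findings

# Constructed sample: the rev:3 and rev:4 forms of sid 2924 quoted in the thread.
SAMPLE_RULES = "\n".join([
    "# constructed netbios.rules excerpt",
    'alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)',
    'alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)',
])

if __name__ == "__main__":
    for lineno, sid, kw in scan_rules(SAMPLE_RULES):
        print(f"netbios.rules({lineno}) => Unknown keyword '{kw}' in rule (sid {sid})")
```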
                  • Roodawakening

                  Good to see you back, jamesdean.

                  Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?

                  "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
                  –Virgil, Aeneid, Book 6

                  Rob

                    • jamesdean

                    @Roodawakening:

                    Good to see you back, jamesdean.

                    Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?

                    You should be able to use the Diagnostics: Backup/restore tab and select Package Manager.

                    I should add this to the FAQ.

                    Thanx for the support Roodawakening.

                    Always glad to see an old pfsense user here.

                    James

                      • TreeTopFlyer

                      James

                      Concerning the porn.rules issue, I uninstalled the Snort package, cleaned the config.xml of Snort related data, rebooted, re-installed Snort and dl'ed the new ruleset.  Porn.rules was no longer an option under categories and everything is running fine now.  I have always used just the standard oink code rules and porn.rules was always an option under categories and ran fine.  I did notice when I cleaned out the config.xml that porn.rules was listed in there even though I had de-selected it.

                      Thanx again for all your help.

                        • g4m3c4ck

                        Err. I am an idiot. I saw this today and still allowed it to update today.

                        "Snort rule packages for Subscribers and Registered Users track the latest patch release for any major version. This means that rule packages may make use of features that only exist in the latest version of Snort. A simple example is: If 2.8.4 is the current version of Snort then the snortrules-snapshot-2.8 packages might use features not available in 2.8.3.2 and earlier."

                        Going to attempt to remove it from config.xml and reinstall.

                          • g4m3c4ck

                          I got it working again.

                          1. As always, backup! Diagnostics>Backup/Restore. Go ahead and backup ALL as well as Package Manager.

                          2. Since a few of the Categories were junk or no longer with the recent rules, I went ahead and went to System>Packages> (Installed Packages).
                                Go down to the XML icon; put your mouse over it first to make sure it says "Reinstall the packages GUI".

                          3. Check Categories and make sure it is empty.

                          4. Run Update Rules again.

                          5. Check the system log and see if anything failed.

                          For me, I have to comment out this line in /usr/local/etc/snort/snort.conf by adding a #:

                          include $RULE_PATH/web-misc.so.rules

                          6. If you still get rule failures, disable the rules that are failing one by one. I only had a few that were failing. After that everything works. Just remember not to let it update until the new package can be released.
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.