Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort no longer starts - rules problem?

    Scheduled Pinned Locked Moved pfSense Packages
    5 Posts 4 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Slab
      last edited by

      Hi,

      I'm running pfSense 2.01-Release and Snort 2.9.1 pkg v. 2.0.2 …Snort failed to restart after an automatic rules update (or after my attempt to update the rules and restart manually) with the following errors in the system log:

      Jan 20 10:10:18 snort[57080]: WARNING /usr/local/etc/snort/snort_23958_em2/rules/emerging-dos.rules(100) threshold (in rule) is deprecated; use detection_filter instead.
      Jan 20 10:10:18 snort[57080]: WARNING /usr/local/etc/snort/snort_23958_em2/rules/emerging-dos.rules(100) threshold (in rule) is deprecated; use detection_filter instead.
      Jan 20 10:10:21 snort[57080]: FATAL ERROR: /usr/local/etc/snort/snort_23958_em2/rules/snort_web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
      Jan 20 10:10:21 snort[57080]: FATAL ERROR: /usr/local/etc/snort/snort_23958_em2/rules/snort_web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.

      Any ideas? Thanks very much….

      1 Reply Last reply Reply Quote 0
      • S
        Slab
        last edited by

        A subsequent search revealed the solution:

        Specifically, I needed to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' to 'Advanced configuration pass through' on Snort's 'If Settings' tab via the gui.

        Thx…

        1 Reply Last reply Reply Quote 0
        • D
          darklogic
          last edited by

          I seem to be having the same issue. Snort will get updates automatically and then stop working. Snort seems to be a package that does not work well. Issues with Snort on pfsense has always had issues for years now. I am almost finding the Snort package to be unreliable. Just look at the package fourm section, almost every other post has to do with some sort of Snort issue. Personally I find it hard to believe the package is labeled correctly as being stable.

          1 Reply Last reply Reply Quote 0
          • A
            awsiemieniec
            last edited by

            @Slab:

            A subsequent search revealed the solution:

            Specifically, I needed to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' to 'Advanced configuration pass through' on Snort's 'If Settings' tab via the gui.

            Thx…

            Worked for me, too.  I have no idea what I just opened up on my firewall, but it's working.

            Thanks
            AWS

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              @awsiemieniec:

              Worked for me, too.  I have no idea what I just opened up on my firewall, but it's working.

              Nothing at all, you just set a variable That is read by snort.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.