Netgate Discussion Forum

    Snort error when activating rules

      cjbujold

      Getting an error when enabling new rules.  How can I fix this?

      snort[23722]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2472_em0_vlan35/rules/snort.rules(10791) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

      php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 2472 -D -q -l /var/log/snort/snort_em0_vlan352472 --pid-path /var/run --nolock-pidfile -G 2472 -c /usr/pbi/snort-amd64/etc/snort/snort_2472_em0_vlan35/snort.conf -i em0_vlan35' returned exit code '1', the output was ''

      Thanks

      cjb

        bmeeks

        @cjbujold:

        Getting an error when enabling new rules.  How can I fix this?

        snort[23722]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2472_em0_vlan35/rules/snort.rules(10791) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

        php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 2472 -D -q -l /var/log/snort/snort_em0_vlan352472 --pid-path /var/run --nolock-pidfile -G 2472 -c /usr/pbi/snort-amd64/etc/snort/snort_2472_em0_vlan35/snort.conf -i em0_vlan35' returned exit code '1', the output was ''

        Thanks

        cjb

        This is caused by a syntax error in a rule.  In this particular case, it is the rule on line #10,791 in the file:

        /usr/pbi/snort-amd64/etc/snort/snort_2472_em0_vlan35/rules/snort.rules

        My guess is this may be an Emerging Threats rule.  There was one of those rules that has had a pcre syntax error in it for quite a long time.  Use vi to find the line number in the file and get the GID:SID, and then disable that rule for the short term.  You can report the issue to the rule author as well if you wish.

        Bill

          cjbujold

          Thanks, de-activated the rule and everything now works.  The rule # giving the problem is in emerging web-clients rule# 2011695.

          cjb

            bmeeks

            @cjbujold:

            Thanks, de-activated the rule and everything now works.  The rule # giving the problem is in emerging web-clients rule# 2011695.

            cjb

            That rule is disabled by default in both ET-Open and ET-Pro packages, so that's why not too many people run into the syntax error.  I think it has been reported a number of times, but so far has not been fixed by the authors.  You can fix the error by deleting the backslash in front of the phrase "\object.data" so the pcre expression looks like this instead:

            
            "(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]" 
            
            

            Of course the next time your box downloads an updated Emerging Threats rules package your edit would be overwritten.  You could paste the "corrected" rule in as a custom rule and just leave it in the default disabled state in the ET web-client package.

            Bill
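
One way to find every rule with this kind of error before restarting Snort, as an added example that is not part of the original thread: it scans rule text for pcre options containing `\o` without the opening brace the error message asks for, reports line, GID:SID and offset, and shows the pattern with the backslash removed as described above. The sample rules and SIDs are constructed, the function names are hypothetical, and only the `/regex/flags` form of the pcre option is handled.

```python
import re

# Assumption: only the common pcre:"/regex/flags"; form is parsed.
PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/([A-Za-z]*)"\s*;')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_OPT = re.compile(r'\bgid:\s*(\d+)\s*;')

def bad_o_escapes(pattern):
    """Offsets of the 'o' in every backslash-o escape not followed by '{'."""
    # finditer consumes escapes pairwise, so an escaped backslash before "o" is not flagged
    return [m.start(1) for m in re.finditer(r'\\(.)', pattern)
            if m.group(1) == "o" and pattern[m.end():m.end() + 1] != "{"]

def drop_backslashes(pattern, offsets):
    """The fix from the thread: delete the backslash before each flagged 'o'."""
    for off in sorted(offsets, reverse=True):
        pattern = pattern[:off - 1] + pattern[off:]
    return pattern

def scan_rules(lines):
    """Return one finding per broken pcre option, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        sid = SID_OPT.search(line)
        if not sid:
            continue  # plain comment or blank line, not a rule
        gid = GID_OPT.search(line)
        for opt in PCRE_OPT.finditer(line):
            offsets = bad_o_escapes(opt.group(1))
            if offsets:
                findings.append({
                    "line": lineno, "gid_sid": f"{gid.group(1) if gid else 1}:{sid.group(1)}",
                    "enabled": not line.lstrip().startswith("#"), "offset": offsets[0],
                    "fixed": drop_backslashes(opt.group(1), offsets)})
    return findings

# Constructed sample rules (not the real Emerging Threats text); SIDs are placeholders.
SAMPLE_RULES = [
    r'alert tcp any any -> any any (msg:"constructed A"; pcre:"/C\x3A\\out\o{101}/"; sid:1000001; rev:1;)',
    r'alert tcp any any -> any any (msg:"constructed B"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/i"; sid:1000002; rev:1;)',
    r'# alert tcp any any -> any any (msg:"constructed C, disabled"; pcre:"/\object/"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'line {f["line"]} {f["gid_sid"]} ({state}) offset {f["offset"]}: {f["fixed"]}')
```

To check a real file, pass `open(path).read().splitlines()` to `scan_rules`; findings on disabled (commented) rules only matter once the rule is enabled.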
