Added 2nd Interface on Snort 2.9.6.0 pkg v3.0.8 and got "no-go" until…..

keasley

FYI

I added another instance of snort to my LAN using https://forum.pfsense.org/index.php?topic=61018.0 and following https://forum.pfsense.org/index.php?topic=64674.75 for setting up the rules.  When I started snort on the LAN interface "no go".

Check the systems logs and got:

php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 63439 -D -q -l /var/log/snort/snort_em163439 –pid-path /var/run --nolock-pidfile -G 63439 -c /usr/pbi/snort-i386/etc/snort/snort_63439_em1/snort.conf -i em1' returned exit code '1', the output was ''

AND

snort[87163]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_63439_em1/rules/snort.rules(8181) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o.

Search the forum and found this https://forum.pfsense.org/index.php?topic=63723.15 on the last post by "zonian18", I did what he did, disabled rule 2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt.

Clicked on red X on the LAN interface, several seconds later all is good.  The WAN interface never had this issue, even with the all recommended  categories and rules by (bmeeks).  Just the LAN interface.

Many Thanks to everyone :D