Snort just completely and randomly has stopped working
-
You're not the only one I am also getting the same thing.
Temp fix:
Turn on the SCADA Modbus detection preprocessor.
-
Yep, just tried this before you posted and fixed.
Thought I was going nuts.
Thanks!
-
Turn on the SCADA Modbus detection preprocessor.
I am also facing this issue currently.
Can you tell me where this setting is located?
Thank you.
-
At the bottom of the Preprocs tab of the interface.
-
I'm running the latest version and having the same problem. Snort refuses to run. I tried a reinstall without success.
FATAL ERROR: …......... Unknown rule option:'modbus_data'
-
It appears to be related with today's Snort update. As others have said, you can fix it by enabling SCADA preprocessor. Another way to fix it is to disable SCADA rules from your interface category. There are four SCADA rules which need to be unchecked.
-
I had this same issue early this morning.
Running with IPS Security policy. I simply enabled Modbus Detection, not DNP3 detection from preprocessors, and Snort worked again.
Default option is not checked for both of these.
Yes, looks like it's somehow related to the last Snort rule update.
-
Yes, this would be an error I suspect from the Snort VRT rule authors. SCADA rules are quite specific to industrial control systems, so no applicability to general business stuff. Rules for SCADA will reference industrial control terms. MODBUS is a type of industrial control protocol (think like HTTP for web traffic as a more familiar analogy). As I've said before, Snort has preprocessors which are required to be loaded in order for certain rule signature options to be "understood" by Snort. In this case somebody accidentally included some rules that contain the "modbus_data" rule option keyword. Snort can only understand this keyword when the SCADA preprocessor is enabled and loaded. Since 99.5% of pfSense users probably don't have SCADA in their networks protected by Snort and pfSense, that preprocessor is disabled by default. Hence the failure-to-start errors. Two solutions have been given in this thread, and either will work.
This kind of thing is one area where Suricata has a better implementation. As you see in this thread, when Snort encounters a rule signature issue it just errors out and quits! Suricata, on the other hand, will print an error, skip loading the offending signature and continue on with the next one. The Sourcefire folks should fix Snort to do this IMHO.
Bill
-
Oh shoot, wish I'd looked here first, thought I'd broken my snort config when I was playing with barnyard2 :(
Time Process PID Message
May 17 19:34:19 SnortStartup 70809 Snort START for IOT Interface(10483_igb0_vlan4)…
May 17 19:34:19 snort 66867 FATAL ERROR: /usr/local/etc/snort/snort_14201_igb0_vlan3/rules/snort.rules(15733) Unknown rule option: 'modbus_data'.
May 17 19:34:09 SnortStartup 66577 Snort START for GUEST Interface(14201_igb0_vlan3)...
May 17 19:34:09 snort 36751 FATAL ERROR: /usr/local/etc/snort/snort_51260_igb0_vlan2/rules/snort.rules(15726) Unknown rule option: 'modbus_data'.
May 17 19:33:59 SnortStartup 36642 Snort START for USER Interface(51260_igb0_vlan2)...
Even did a recovery from a few days ago to see if that would fix it.
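The failure Bill describes (a rule option keyword that Snort only understands once its preprocessor is loaded) can be checked for before Snort is restarted, rather than discovered from a FATAL ERROR like the ones in the log above. The script below is an added example for this thread and is not pfSense or Snort project code: it parses the FATAL ERROR line format shown above to pull out the rules file, rule line and offending keyword, and it scans a snort.rules file for rule options that depend on the SCADA preprocessors and reports which rules would be rejected for a given set of enabled preprocessors. The keyword-to-preprocessor table covers only the Modbus and DNP3 keywords from the Snort 2.x manual and is an assumption for this example, not an exhaustive list, and the sample rules and their sids are constructed placeholders, not real VRT rules.

```python
"""Check a Snort 2.x rules file for options that need a preprocessor.

Added example for this thread, not pfSense or Snort project code.
The keyword table and sample rules are constructed for illustration.
"""
import re

# Rule option keywords Snort only accepts when the named preprocessor is
# loaded. Assumption: SCADA (Modbus/DNP3) keywords only; not a complete list.
PREPROC_KEYWORDS = {
    "modbus_func": "modbus",
    "modbus_unit": "modbus",
    "modbus_data": "modbus",
    "dnp3_func": "dnp3",
    "dnp3_ind": "dnp3",
    "dnp3_obj": "dnp3",
    "dnp3_data": "dnp3",
}

# Matches the FATAL ERROR lines quoted in this thread:
#   FATAL ERROR: <path>/snort.rules(<line>) Unknown rule option: '<keyword>'.
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<path>[^\s(]+)\((?P<line>\d+)\) "
    r"Unknown rule option: '(?P<keyword>[^']+)'"
)


def split_options(body):
    """Split the text inside a rule's parentheses on ';' outside quotes."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option terminator
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def rule_options(rule):
    """Return {keyword: value} for one rule line ('' when no value is given)."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return {}
    opts = {}
    for part in split_options(rule[start + 1:end]):
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip()
    return opts


def missing_preprocessors(rules_text, enabled):
    """Return (line_no, sid, keyword, preprocessor) for rules Snort would reject.

    `enabled` is the set of preprocessor names currently turned on.
    """
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = rule_options(line)
        for key, preproc in PREPROC_KEYWORDS.items():
            if key in opts and preproc not in enabled:
                findings.append((line_no, opts.get("sid", "?"), key, preproc))
    return findings


def parse_fatal_error(log_line):
    """Extract (rules path, rule line number, keyword) from a FATAL ERROR line."""
    m = FATAL_RE.search(log_line)
    if not m:
        return None
    return m.group("path"), int(m.group("line")), m.group("keyword")


# Constructed sample rules; sids are placeholders. Rule 1 has ';' inside a
# content string to exercise the tokenizer.
SAMPLE_RULES = "\n".join([
    "# constructed sample, not real VRT content",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'flow:to_server,established; content:"GET /;"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"EXAMPLE modbus write"; '
    'flow:to_server,established; modbus_func:write_single_register; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"EXAMPLE modbus data"; '
    'flow:to_server,established; modbus_data; content:"|00 00|"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 20000 (msg:"EXAMPLE dnp3 write"; '
    'flow:to_server,established; dnp3_func:write; sid:1000004; rev:1;)',
])

if __name__ == "__main__":
    # Log line quoted from this thread.
    print(parse_fatal_error(
        "May 17 19:34:19 snort 66867 FATAL ERROR: /usr/local/etc/snort/"
        "snort_14201_igb0_vlan3/rules/snort.rules(15733) "
        "Unknown rule option: 'modbus_data'."))
    for line_no, sid, key, preproc in missing_preprocessors(SAMPLE_RULES, set()):
        print("line %d sid %s needs preprocessor '%s' for option '%s'"
              % (line_no, sid, preproc, key))
```

Running it with `enabled=set()` flags all three SCADA rules; with `enabled={"modbus"}` only the DNP3 rule remains, which matches the thread: enabling Modbus detection alone was enough because the offending rules used `modbus_data`. The sid column gives the alternative fix, the rule numbers to uncheck in the interface category if the preprocessor is to stay off.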
-
Figured it was now a good time to try out Suricata :)