Netgate Discussion Forum
    Snort FATAL ERROR

    pfSense Packages
    30 Posts 8 Posters 9.9k Views
    • panz

      I'm getting this error (Status –> System Logs):

      snort[44076]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules(4487) Rule options must be enclosed in '(' and ')'.

      I have NO IDEA!

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      • bmeeks

        @panz:

        I'm getting this error (Status –> System Logs):

        snort[44076]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules(4487) Rule options must be enclosed in '(' and ')'.

        I have NO IDEA!

        This is a syntax error in a rule.  Did this just suddenly start?  If so, either Snort VRT or Emerging Threats has a syntax error in one of their new rules.  They should catch it and fix it.  The error is giving you the line number in the consolidated rules file that the Snort package on pfSense builds.

        If you are good with the vi editor, open this file:

        /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules

        in the editor.  Type the following command to jump to the error line (which is line #4487):

        :4487

        and press ENTER.  The rule with the problem will be displayed.  Find the SID and category and you can temporarily disable it if you like.

        Bill

        • panz

          Thank you Bill, I'm going to force-reload my rules and see if something changes.

          Maybe related to this?

          https://forum.pfsense.org/index.php?topic=79777.msg435163#msg435163


          • Mr. Jingles

            If I could be forgiven to add my sudden problem to this thread  ;D

            snort[66536]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_14816_em0//usr/pbi/snort-amd64/etc/snort/snort_14816_em0/rules/suricata.rules(0) Unable to open rules file "/usr/pbi/snort-amd64/etc/snort/snort_14816_em0//usr/pbi/snort-amd64/etc/snort/snort_14816_em0/rules/suricata.rules": No such file or directory.

            The problem is: I see no line number to jump to in snort.rules.

            Problem started early this morning, I think after the last rules update. I can manually restart on an interface, it will run for a little while, and then all interfaces will be disabled again (show red crosses). Restarting -> same problem.

            What might this be?

            6 and a half billion people know that they are stupid, aggressive, lower life forms.

            • BBcan177 (Moderator)

              There is a double "//" in the path error that you posted.
              Looks like the path is repeated twice.

              There were two updates to Snort. Did you complete the second one also?

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              • Mr. Jingles

                @BBcan177:

                There is a double "//" in the path error that you posted.
                Looks like the path is repeated twice.

                There were two updates to Snort. Did you complete the second one also?

                Yup, I had both the updates, BB  :P

                No idea how to get rid of these double //  :-\


                • Guest

                  Might the snort update be specifically fu** up in (central) Europe? Just a guess after 3 updates going south, 2x nano, 1x i386 full…

                  https://forum.pfsense.org/index.php?topic=79720.msg435267#msg435267

                  • BBcan177 (Moderator)

                    I am not having an issue in NA with Rule-Updates, but I do notice that I can't ping those sites? I check my Firewall and Snort Blocks and I don't see any blocking. Maybe it's something to do with Snort's re-org of their website? Or Amazon?

                    ping snort.org

                    PING snort.org (54.210.25.126): 56 data bytes

                    ping www.snort.org
                    PING elb043449-1668749068.us-east-1.elb.amazonaws.com (54.243.242.66): 56 data bytes

                    There is a Snort Google Group where you can post a question:
                    https://groups.google.com/forum/#!forum/mailing.unix.snort


                    • BBcan177 (Moderator)

                      You might also try to change the Snort Web Link to use http instead of https, to see if that works?

                      /usr/local/pkg/snort/snort_check_for_rule_updates.php


                      • bmeeks

                        @Hollander:

                        If I could be forgiven to add my sudden problem to this thread  ;D

                        snort[66536]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_14816_em0//usr/pbi/snort-amd64/etc/snort/snort_14816_em0/rules/suricata.rules(0) Unable to open rules file "/usr/pbi/snort-amd64/etc/snort/snort_14816_em0//usr/pbi/snort-amd64/etc/snort/snort_14816_em0/rules/suricata.rules": No such file or directory.

                        The problem is: I see no line number to jump to in snort.rules.

                        Problem started early this morning, I think after the last rules update. I can manually restart on an interface, it will run for a little while, and then all interfaces will be disabled again (show red crosses). Restarting -> same problem.

                        What might this be?

                        Whoa!!  That path is seriously borked somehow.  Notice it contains both Snort and Suricata in it.  That is not supposed to happen.  Have you installed both packages on the same firewall?  If so, it looks like something got severely mixed up.  Installing both is supported and should work, but something is badly wrong in your setup according to that path.

                        Oh…the double backslash is also a problem.

                        Have you tried removing and reinstalling the package or packages?

                        By the way, while running both Snort and Suricata on the same box "should work", I really don't recommend it.  And remember if you do run them both, make sure ONLY ONE is in blocking mode!

                        Bill

                        • Mr. Jingles

                          @bmeeks:

                          Have you tried removing and reinstalling the package or packages?
                          By the way, while running both Snort and Suricata on the same box "should work", I really don't recommend it.  And remember if you do run them both, make sure ONLY ONE is in blocking mode!

                          Bill

                          (The text in bold): No, of course I haven't, your highness, I'm the noob, I don't even invent these kinds of ideas  ;D

                          Snort is active, Suricata is disabled on the interfaces. I installed the package some time ago, and the plan was to have Snort active whilst I prepare Suricata for taking over, using JFL's list and your tweaks.

                          I will de-install Suricata to see if Snort will start again then  :P


                          • Mr. Jingles

                            Update: deinstalling Suricata worked. Did it yesterday, Snort is still running on the interfaces after 12 hours. I'll try to install Suricata next to it in order to work on customizing that (when you've done your update) for future replacement of Snort with Suricata.


                            • panz

                              Something is terribly wrong with my pfSense installation… see today message

                              [ There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: ]

                              https://forum.pfsense.org/index.php?topic=79777.msg436662#msg436662

                              https://forum.pfsense.org/index.php?topic=80033.msg436661#msg436661


                              • BBcan177 (Moderator)

                                @panz:

                                Something is terribly wrong with my pfSense installation… see today message

                                [ There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: ]

                                If you disable pfBlocker does the issue go away? How are you defining pfBlocker aliases? Do you allow it to create the rules or do you use "alias only" setting?


                                • panz

                                  @BBcan177:

                                  @panz:

                                  Something is terribly wrong with my pfSense installation… see today message

                                  [ There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: ]

                                  If you disable pfBlocker does the issue go away? How are you defining pfBlocker aliases? Do you allow it to create the rules or do you use "alias only" setting?

                                  Yes, if I disable pfBlocker the issue goes away. I'm using the Bluetack IPFilter "pipfilter.dat.gz" as a Premium Subscriber. In the "List Action" section of the pfBlocker filter I choose "Deny Both", allowing pfBlocker to build the firewall rules itself.


                                  • BBcan177 (Moderator)

                                    @panz:

                                    Yes, if I disable pfBlocker the issue goes away. I'm using the Bluetack IPFilter "pipfilter.dat.gz" as a Premium Subscriber. In the "List Action" section of the pfBlocker filter I choose "Deny Both", allowing pfBlocker to build the firewall rules itself.

                                    Some of those BlueTack/IBlock files contain data that can cause the Regex in pfBlocker to match incorrect information. I believe that it is trying to load bad data with pfctl and causing this issue.

                                    What does the file look like in /var/db/aliastables/<name of the bluetack alias> ?

                                    The data must only be in these formats:

                                    IP Address: 172.16.1.10
                                    CIDR: 172.16.1.0/24


                                    • panz

                                      Data in the Bluetack IP Filter is in this format (I can't obtain it in other format):

                                      001.002.008.000 - 001.002.008.255 , 000 , China Inte


                                      • BBcan177 (Moderator)

                                        @panz:

                                        Data in the Bluetack IP Filter is in this format (I can't obtain it in other format):

                                        001.002.008.000 - 001.002.008.255 , 000 , China Inte

                                        Other IBlock lists are in this format:

                                        220.157.195.243-220.157.195.243

                                        So I assume that it doesn't like to have the "spaces" around the "-"


                                        • BBcan177 (Moderator)

                                          You could manually run that file thru a sed command to clean it up. But you would need to do that manually each time you want to update it.

                                          echo "001.002.008.000 - 001.002.008.255 , 000 , China Inte" | sed 's/ - /-/g'

                                          001.002.008.000-001.002.008.255 , 000 , China Inte

                                          I could also add some functionality for that in my script if you are interested:
                                          https://forum.pfsense.org/index.php?topic=78062.msg426417#msg426417


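BBcan177's requirement above (the alias table may hold only bare IPv4 addresses or CIDR blocks, so range lines such as "001.002.008.000 - 001.002.008.255 , 000 , China Inte" and "220.157.195.243-220.157.195.243" must be converted first) can be met in one pass rather than with a per-pattern sed. The following is an added example, not pfBlockerNG code: it reads both range formats, strips the leading zeros in octets, converts each range to the minimal set of CIDR blocks, and reports lines it cannot parse instead of passing them on to pfctl. The sample list is constructed for the demo.

```python
"""Normalize an IBlock/Bluetack-style range list into pfctl-safe IPv4 entries.

Added example (not pfBlockerNG code). Accepts the formats quoted in the thread:
"a.b.c.d - w.x.y.z , 000 , description", "a.b.c.d-w.x.y.z", plain addresses and
CIDR blocks; everything else is reported instead of being fed to pfctl.
"""
import ipaddress
import re

QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})"
RANGE_RE = re.compile(rf"^{QUAD}\s*-\s*{QUAD}")    # spaces around '-' are optional
SINGLE_RE = re.compile(rf"^{QUAD}(/\d{{1,2}})?$")  # bare address or CIDR block

def _addr(text):
    """Parse a dotted quad, tolerating leading zeros such as 001.002.008.000
    (ipaddress itself rejects those on current Python as ambiguous octal)."""
    octets = [int(o, 10) for o in text.split(".")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text}")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))

def normalize_line(line):
    """Return the IPv4Network objects one list line stands for ([] for blank/comment)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    m = RANGE_RE.match(line)
    if m:
        start, end = _addr(m.group(1)), _addr(m.group(2))
        if start > end:
            raise ValueError(f"inverted range: {line}")
        # minimal CIDR cover of the range, e.g. x.x.8.0 - x.x.8.255 -> x.x.8.0/24
        return list(ipaddress.summarize_address_range(start, end))
    m = SINGLE_RE.match(line)
    if m:
        return [ipaddress.ip_network(f"{_addr(m.group(1))}{m.group(2) or '/32'}", strict=False)]
    raise ValueError(f"unparseable list entry: {line}")

def normalize_list(text):
    """Convert a whole list. Returns (accepted, rejected): accepted entries are in
    the two forms pfctl takes (bare address or CIDR), rejected are the raw lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        try:
            for net in normalize_line(raw):
                accepted.append(str(net.network_address) if net.prefixlen == 32 else str(net))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected

# Constructed sample mixing the formats quoted in the thread plus one junk line.
SAMPLE_LIST = """\
# Bluetack / IBlock style entries
001.002.008.000 - 001.002.008.255 , 000 , China Inte
220.157.195.243-220.157.195.243
172.16.1.10
172.16.1.0/24
10.0.0.1 - 10.0.0.6
China Inte
"""

if __name__ == "__main__":
    ok, bad = normalize_list(SAMPLE_LIST)
    print("\n".join(ok))
    print("rejected:", bad)
```

Only the accepted list should be written to the alias table; anything in the rejected list is what pfctl would have choked on.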
                                          • Raffi_

                                            @bmeeks:

                                            @panz:

                                            I'm getting this error (Status –> System Logs):

                                            snort[44076]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules(4487) Rule options must be enclosed in '(' and ')'.

                                            I have NO IDEA!

                                            This is a syntax error in a rule.  Did this just suddenly start?  If so, either Snort VRT or Emerging Threats has a syntax error in one of their new rules.  They should catch it and fix it.  The error is giving you the line number in the consolidated rules file that the Snort package on pfSense builds.

                                            If you are good with the vi editor, open this file:

                                            /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules

                                            in the editor.  Type the following command to jump to the error line (which is line #4487):

                                            :4487

                                            and press ENTER.  The rule with the problem will be displayed.  Find the SID and category and you can temporarily disable it if you like.

                                            Bill

                                            I got a very similar error recently.
                                            FATAL ERROR: /usr/local/etc/snort/snort_4180_em0/rules/snort.rules(1239) Rule options must be enclosed in '(' and ')'.

                                            I was able to find the line 1239 in the file (shown below),
                                            alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;

                                            I can't find the specific rule to disable it. I have no idea how to search for SID 71780 in the rule set to disable just that one. I tried adding 71780 to my disablesid.conf, but that didn't help. I tried reinstalling snort as well but that didn't help. Snort was working fine until I got hit with this. I can see there is a close parenthesis missing at the end of that line, but of course changing the file does nothing. It goes right back to the way it was. I assume that's by design, so that no one malicious can go in and modify it. However, this seems like a security flaw. If a single rule update has a syntax error, it prevents snort from starting up at all.

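Bill's procedure (jump to the line Snort names in the consolidated snort.rules, read the SID off that rule, disable it) and Raffi_'s case (a rule whose closing ')' is missing, and no easy way to find which SID it is) both reduce to parsing the FATAL ERROR line and checking the rule it points at. The following is an added example, not code from the pfSense Snort package or from anyone in the thread: it parses the log line, reads the rule at that line, extracts the SID and lists every active rule in the file whose options are not enclosed in '(' and ')'. The log line and rules-file content are constructed for the demo (the second rule reproduces the shape of the SID 71780 line Raffi_ quoted).

```python
"""Triage a Snort "Rule options must be enclosed in '(' and ')'" FATAL ERROR.

Added example (not pfSense Snort-package code). Assumes the layout the thread
shows: one rule per line in the consolidated snort.rules, disabled rules
prefixed with '#', and a log line of the form "<path>(<line>) <message>"."""
import re

# "FATAL ERROR: /path/to/snort.rules(4487) Rule options must be ..."
FATAL_RE = re.compile(r"FATAL ERROR: (?P<path>\S+?)\((?P<line>\d+)\) (?P<msg>.*)$")
# sid:71780;   (the thread's broken rule has a space before the ';')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# action, protocol/header, then the option list enclosed in ( ... ) ending the line
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+.*\((?P<opts>.*)\)$")

def parse_fatal_error(log_line):
    """Return (rules_path, line_number, message) from a Snort FATAL ERROR log line."""
    m = FATAL_RE.search(log_line)
    if not m:
        raise ValueError("not a Snort rules-file FATAL ERROR line")
    return m.group("path"), int(m.group("line")), m.group("msg")

def check_rule(rule):
    """Report the SID of one rule and whether its options are enclosed in ( and )."""
    rule = rule.strip()
    sid = SID_RE.search(rule)
    return {
        "sid": int(sid.group(1)) if sid else None,
        "enclosed": RULE_RE.match(rule) is not None,
        "has_open": "(" in rule,
        "has_close": rule.endswith(")"),
    }

def find_broken_rules(rules_text):
    """Return [(line_no, sid, rule)] for every active rule that is not enclosed.
    Line numbers are 1-based, matching the number Snort prints in the error."""
    broken = []
    for no, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line, or a rule the package already disabled
        info = check_rule(line)
        if not info["enclosed"]:
            broken.append((no, info["sid"], line.strip()))
    return broken

def triage(log_line, rules_text):
    """Combine both steps: the line Snort complained about and the SID living there."""
    path, line_no, msg = parse_fatal_error(log_line)
    lines = rules_text.splitlines()
    rule = lines[line_no - 1] if 0 < line_no <= len(lines) else None
    info = check_rule(rule) if rule else {"sid": None, "enclosed": False}
    return {"path": path, "line": line_no, "message": msg,
            "rule": rule, "sid": info["sid"], "enclosed": info["enclosed"]}

# Constructed sample: the thread's log format, pointing at line 2 of a 3-line file.
SAMPLE_LOG = ("snort[44076]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/"
              "snort_21880_em0/rules/snort.rules(2) "
              "Rule options must be enclosed in '(' and ')'.")
SAMPLE_RULES = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ok rule"; sid:1000001; rev:1;)\n'
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;'
    'appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;\n'
    '# alert tcp any any -> any any (msg:"disabled"; sid:1000002; rev:1;)\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_RULES))
    for no, sid, _ in find_broken_rules(SAMPLE_RULES):
        print(f"line {no}: sid {sid} is not enclosed in '(' and ')'")
```

On a live box, replace SAMPLE_LOG with the line from Status > System Logs and SAMPLE_RULES with the contents of the path it names; the SID that comes back is the one to add to disablesid.conf or disable from the category in the GUI.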
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.