Netgate Discussion Forum
    Snort FATAL ERROR

    pfSense Packages
    30 Posts 8 Posters 9.9k Views
    • BBcan177 Moderator

      @panz:

      Yes, if I disable pfBlocker the issue goes away. I'm using the Bluetack IPFilter "pipfilter.dat.gz" as a Premium Subscriber. In the "List Action" section of the pfBlocker filter I choose "Deny Both", allowing pfBlocker to build the firewall rules itself.

      Some of those BlueTack/IBlock files contain data that can cause the Regex in pfBlocker to match incorrect information. I believe that it is trying to load bad data with pfctl and causing this issue.

      What does the file look like in /var/db/aliastables/<name of the bluetack alias> ?

      The data must only be in these formats:

      IP Address: 172.16.1.10
      CIDR: 172.16.1.0/24

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • panz

        Data in the Bluetack IP Filter is in this format (I can't obtain it in any other format):

        001.002.008.000 - 001.002.008.255 , 000 , China Inte

        pfSense 2.3.2-RELEASE-p1 (amd64)
        motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

        • BBcan177 Moderator

          @panz:

          Data in the Bluetack IP Filter is in this format (I can't obtain it in any other format):

          001.002.008.000 - 001.002.008.255 , 000 , China Inte

          Other IBlock lists are in this format:

          220.157.195.243-220.157.195.243

          So I assume that it doesn't like to have the "spaces" around the "-"


          • BBcan177 Moderator

            You could manually run that file through a sed command to clean it up. But you would need to do that manually each time you want to update it.

            echo "001.002.008.000 - 001.002.008.255 , 000 , China Inte" | sed 's/ - /-/g'

            001.002.008.000-001.002.008.255 , 000 , China Inte

            I could also add some functionality for that in my script if you are interested:
            https://forum.pfsense.org/index.php?topic=78062.msg426417#msg426417


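As an added example (not code from the thread, and not pfBlockerNG's own code), here is a small Python converter that goes one step further than the sed one-liner above: it takes Bluetack/IBlock range lines in either layout seen in this thread, strips the zero-padded octets, expands each range into the smallest set of CIDR blocks, and refuses to emit anything that is not one of the two formats BBcan177 listed for the alias table. The sample lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input in the two layouts seen in the thread: the
# Bluetack ipfilter.dat layout ("start - end , level , description", with
# spaces around the dash and zero-padded octets) and the plain IBlock
# "start-end" layout.  A comment line and a blank line are included on
# purpose so the converter is shown skipping them.
SAMPLE_LINES = [
    "001.002.008.000 - 001.002.008.255 , 000 , China Inte",
    "220.157.195.243-220.157.195.243",
    "010.000.000.000 - 010.000.000.005 , 000 , constructed test range",
    "# a comment line that must be ignored",
    "",
]

# The only two shapes acceptable in /var/db/aliastables/<alias>:
# a bare IPv4 address or an IPv4 CIDR block.
ALIASTABLE_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def strip_leading_zeros(dotted: str) -> str:
    """'001.002.008.000' -> '1.2.8.0'.  Python's ipaddress (3.9.5+) rejects
    zero-padded octets, and leading zeros invite octal misreads elsewhere."""
    octets = dotted.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return ".".join(str(int(o)) for o in octets)


def parse_range(line: str):
    """Return (start, end) as IPv4Address for a data line, None for junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    range_field = line.split(",", 1)[0]          # drop " , 000 , description"
    if "-" in range_field:
        start, end = (part.strip() for part in range_field.split("-", 1))
    else:                                        # single address, no range
        start = end = range_field.strip()
    return (ipaddress.IPv4Address(strip_leading_zeros(start)),
            ipaddress.IPv4Address(strip_leading_zeros(end)))


def range_to_cidrs(start, end):
    """Smallest set of CIDR blocks covering start..end inclusive."""
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def convert_list(lines):
    """Turn range-format lines into the IP/CIDR lines pfctl can load."""
    out = []
    for line in lines:
        parsed = parse_range(line)
        if parsed is None:
            continue
        start, end = parsed
        if end < start:
            raise ValueError(f"end before start: {line!r}")
        out.extend(range_to_cidrs(start, end))
    bad = [entry for entry in out if not ALIASTABLE_LINE.match(entry)]
    if bad:
        raise ValueError(f"unacceptable alias table entries: {bad}")
    return out


if __name__ == "__main__":
    print("\n".join(convert_list(SAMPLE_LINES)))
```

A single host comes out as a /32, which is still the CIDR shape the alias table accepts. Like the sed approach, this has to be re-run on every list refresh; it only removes the need to do the range-to-CIDR step by hand.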
            • Raffi_

              @bmeeks:

              @panz:

              I'm getting this error (Status –> System Logs):

              snort[44076]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules(4487) Rule options must be enclosed in '(' and ')'.

              I have NO IDEA!

              This is a syntax error in a rule.  Did this just suddenly start?  If so, either Snort VRT or Emerging Threats has a syntax error in one of their new rules.  They should catch it and fix it.  The error is giving you the line number in the consolidated rules file that the Snort package on pfSense builds.

              If you are good with the vi editor, open this file:

              /usr/pbi/snort-amd64/etc/snort/snort_21880_em0/rules/snort.rules

              in the editor.  Type the following command to jump to the error line (which is line #4487):

              :4487

              and press ENTER.  The rule with the problem will be displayed.  Find the SID and category and you can temporarily disable it if you like.

              Bill

              I got a very similar error recently.
              FATAL ERROR: /usr/local/etc/snort/snort_4180_em0/rules/snort.rules(1239) Rule options must be enclosed in '(' and ')'.

              I was able to find the line 1239 in the file (shown below),
              alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;

              I can't find the specific rule to disable it. I have no idea how to search for SID 71780 in the rule set to disable just that one. I tried adding 71780 to my disablesid.conf, but that didn't help. I tried reinstalling snort as well but that didn't help. Snort was working fine until I got hit with this. I can see there is a close parenthesis missing at the end of that line, but of course changing the file does nothing. It goes right back to the way it was. I assume that's by design, so that no one malicious can go in and modify it. However, this seems like a security flaw. If a single rule update has a syntax error, it prevents snort from starting up at all.

              • bmeeks

                The actual source rules are in /usr/local/etc/snort/rules.  In that folder you will find a file for each rule category.  You can go into that folder with a CLI prompt and use grep to find that particular SID.  Once you fix it in the appropriate file, it will stay "fixed" until the next rule update download.  The file given in the error message is the actual list of enabled rules Snort is using for the interface.  That file is rebuilt from the collection of source rules in the folder I mentioned earlier.  So any change you make in the snort.rules file is immediately overwritten each time you stop/start Snort from the GUI.

                The way Snort treats rule syntax errors is baked into the binary and has nothing to do with the GUI package.  Suricata is better behaved in this area than Snort.  Suricata will print an error about the offending rule, skip it, and then continue loading the rest of the rules.  Snort complains and dies.

                Bill

                • Raffi_

                  Thanks bmeeks, that definitely helped. I now know how to find these errors and correct them. The problem is, when I fixed that one, I'm getting another one and another one. What are the chances of multiple rules in multiple files being messed up with syntax errors like this? I find this a bit odd. I'm not gonna sit here trying to fix each one either; this can't be normal.

                  I guess I may have to give Suricata a try. Can I use my snort disablesid.conf in Suricata? I'm not familiar with Suricata at all.

                  • token

                    Having a similar issue, I wanted to play with layer 7 and downloaded OpenAppID rules and such, when I go to turn on my LAN interface in snort I get

                    FATAL ERROR: /usr/local/etc/snort/snort_29929_igb1/rules/snort.rules(1262) Rule options must be enclosed in '(' and ')'.

                    I go to that path and fix line 1263 (missing a ')' at the end), and the edit doesn't stick when I go to start the interface. Come to find out I need to edit the source file, but I'm not sure how to find the appropriate file and line.

                    • Raffi_

                      As bmeeks said above,

                      go to /usr/local/etc/snort/rules.

                      via SSH or console shell,
                       grep -rnw /usr/local/etc/snort/rules -e <pattern>

                       In your case, when you go to line 1262, that line will have a SID number. The pattern to match in your case will be that SID number, so put that number in at the end after '-e'.
                       That should give you the path to the source file that contains the SID number; you can then go in and modify that file and it will keep the change.

                       Good luck. In my case, I solved that one issue and got another and another error. I hope that's not the case for you. I'm in the process of switching to Suricata because of this.

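Pulling together bmeeks's explanation (the consolidated snort.rules is rebuilt from the per-category source files, so the fix has to go into the source) and Raffi_'s grep recipe, here is an added Python example; it is not code from the thread or from the pfSense Snort package. It does in one pass what the thread does by hand: scan a consolidated rules text for rules whose options are not enclosed in '(' and ')', pull the SID out of each offender, and locate that SID in the source category files, which is the grep -rnw step. The file contents are constructed stand-ins (one of them carries the broken inskin_media rule quoted above), and the category file names are illustrative, not the package's real ones.

```python
import re

# Constructed stand-ins for the files discussed in the thread.  On pfSense
# the sources are /usr/local/etc/snort/rules/<category>.rules and the file
# Snort loads is /usr/local/etc/snort/snort_<id>_<if>/rules/snort.rules,
# rebuilt from the sources every time the interface is started.  The file
# names below are illustrative, not the package's real category names.
SOURCE_FILES = {
    "openappid-constructed.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some_app";'
        'flow:from_client;appid:some_app; sid:71779; classtype:misc-activity; rev:1;)\n'
        # the broken rule from the thread: the closing ')' is missing
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";'
        'flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;\n'
    ),
    "emerging-constructed.rules": (
        '# comment lines are skipped by Snort and by this checker\n'
        'alert tcp any any -> any 80 (msg:"well formed"; sid:2000001; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def consolidate(sources):
    """Concatenate the enabled source files in a fixed order, as the package
    does when it builds snort.rules for an interface."""
    return "".join(sources[name] for name in sorted(sources))


def malformed_rule_lines(rules_text):
    """Return (lineno, sid_or_None, line) for every rule whose options are
    not enclosed in '(' ... ')', the condition behind Snort's FATAL ERROR.
    Single-line rules only; backslash continuations are not handled."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        _, opener, _ = stripped.partition("(")
        if opener != "(" or not stripped.endswith(")"):
            m = SID_RE.search(stripped)
            hits.append((lineno, int(m.group(1)) if m else None, stripped))
    return hits


def locate_sid(sources, sid):
    """The grep -rnw /usr/local/etc/snort/rules -e <sid> step: return
    (filename, lineno) of the source rule carrying this SID, or None."""
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = SID_RE.search(line)
            if m and int(m.group(1)) == sid:
                return name, lineno
    return None


def check(sources):
    """Map each malformed rule in the consolidated file back to the source
    file and line where the fix has to be made."""
    report = []
    for lineno, sid, _ in malformed_rule_lines(consolidate(sources)):
        source = locate_sid(sources, sid) if sid is not None else None
        report.append({"consolidated_line": lineno, "sid": sid, "source": source})
    return report


if __name__ == "__main__":
    for entry in check(SOURCE_FILES):
        print(entry)
```

This is a lightweight pre-check, not a rule parser: it will not catch every error Snort itself rejects. The authoritative check is Snort's own test mode (snort -T with the interface's configuration), which stops at the first bad rule exactly as the FATAL ERROR in this thread does; the value of a pre-check is that it lists every offender in one run instead of one per restart.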
                        • MacG32

                        The rules contained in this download file are not formatted properly. There are many rules missing proper syntax. If anybody knows who this volunteer is, please contact them to correct the errors in their rules.

                        Note - the AppID Open Rules file is maintained by a volunteer contributor and hosted by the pfSense team. The URL for the file is http://files.pfsense.org/openappid/appid_rules.tar.gz.

                        To correct this problem in the web GUI, go to Services | Snort | Interfaces. Under Actions, select Edit this Snort interface mapping. Click Categories. Underneath 'Enabled Ruleset: Snort OPENAPPID Rules', uncheck all of the boxes. Click Save. Click Snort Interfaces and click the play icon to start the Snort Interface.

                        From what I've seen, Suricata doesn't have the option to enable AppID Open Rules. This option seems only available in Snort.

                        Well, hello there...

                          • bmeeks

                          @raffi30:

                          Thanks bmeeks, that definitely helped. I now know how to find these errors and correct them. The problem is when I fixed that one, I'm getting another one and another one. What are the chances of multiple rules in multiples files being messed up with syntax errors like this? I find this a bit odd. I'm not gonna sit here trying to fix each one either, this can't be normal.

                          I guess I may have to give Suricata a try. Can I use my snort disablesid.conf in Suricata? I'm not familiar with Suricata at all.

                          Yes, the SID MGMT files can be easily used in Suricata.  Both Snort and Suricata share almost identical code for the SID MGMT tab.

                          P.S. – as for the errors, my understanding from a third-hand source is the rule maintainer for those OpenAppID rules made some updates recently.  Apparently that's when all the syntax errors crept in.

                          Bill

                            • Raffi_

                            The switch to Suricata was pretty simple. In the pfsense webGUI it's mostly identical. It took me a little googling to figure out how to point it to the correct snort tar.gz file, but it seems to be working fine.

                              • bmeeks

                              @MacG32:

                              The rules contained in this download file are not formatted properly. There are many rules missing proper syntax. If anybody knows who this volunteer is, please
                              From what I've seen, Suricata doesn't have the option to enable AppID Open Rules. This option seems only available in Snort.

                              True … only Snort has OpenAppID functionality.

                              Here is a quick and dirty comparison of Snort and Suricata functionality --

                              OpenAppID (application detection and alerting)
                                  Snort - Yes
                                  Suricata - No

                              Inline IPS Mode (dropping traffic)
                                  Snort - No
                                  Suricata - Yes

                              Multi-threaded Detection Engine
                                  Snort - No
                                  Suricata - Yes

                              Uses All Snort VRT Rules Without Error
                                  Snort - Yes
                                  Suricata - No (some Snort VRT rules have keywords not recognized by Suricata and will be ignored)

                              Continues Startup After Encountering Rule Syntax Errors
                                  Snort - No
                                  Suricata - Yes

                              In terms of relative protection, both packages are really about equal.  As you can see in the list above, each package has its pros and cons.  If something like application detection and alerting is important to you, then Snort is what you need.  If Inline IPS Mode dropping of packets (as opposed to implementing firewall block rules) is critical for you, then Suricata is what you need (if your NIC supports Netmap operation).  Both packages can use the entire rule set from Emerging Threats (now Proofpoint), but Suricata will ignore about 70-100 Snort VRT rules because of unsupported keywords.  Suricata will print an error about these rules and then skip loading them.

                              Bill

                                • bmeeks

                                @raffi30:

                                The switch to Suricata was pretty simple. In the pfsense webGUI it's mostly identical. It took me a little googling to figure out how to point it to the correct snort tar.gz file, but it seems to be working fine.

                                Hopefully your Google searching sent you to this Sticky Post in the IDS/IPS forum here:  https://forum.pfsense.org/index.php?topic=124054.0.

                                Bill

                                  • Raffi_

                                  bmeeks, you're the source of all the information I'm looking for! I literally can't even thank you enough because the forum says I have to wait 1 hour before I can applaud you again :)

                                  I have Suricata in the global settings currently pointing to the snort 29110.tar.gz which I believe is the latest.
                                   I wish I could have stuck with snort, but that startup issue kills the entire IDS. To me, having some kind of IDS is better than not having one at all. I used to have snort set up with the service watchdog in case it crashed (it did that quite often too), but that wouldn't be a good idea in this case because the watchdog would have tried to keep starting it up and it would have kept failing. It would have just sat there in a constant loop eating up resources.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.