Netgate Discussion Forum
    Snort GUI misleading v- 2.2

    pfSense Packages

    cjbujold

      Started Snort in V2.2 and the GUI is misleading: on the Dashboard it shows as if Snort is running, yet when you go to the Snort page it says it is not running.  Which GUI are we supposed to trust?

      When I check the log I see the following error:

      snort[12196]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/rules/snort.rules(11816) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

      How do I fix?

      bmeeks

        @cjbujold:

        I'm guessing you have Snort running on multiple interfaces.  I see at least two in the screenshots posted.  The SERVICES applet on the dashboard simply does a "pgrep snort" to see if any Snort process is running.  It can be fooled on multiple-interface machines if at least one interface is up, even if all the others are down.  The other possibility is that you have a zombie Snort process out there.  If the two Snort interfaces in your screenshot are all you have configured, then run this command from the firewall command line to see any Snort processes, then kill all the Snort PIDs displayed:

        ps -ax | grep snort

        As for your system log error, that means one of the rules you have enabled is corrupt (actually it is formatted with incorrect syntax).  There is one of the Emerging Threats rules that has been this way for more than a year, and folks have been unsuccessful in getting it fixed.  Just disable that rule.  You can find its full text and SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/rules/snort.rules and going to line 11816.

        Bill

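The manual step Bill describes (open snort.rules, go to the failing line, note the SID, disable the rule) can be automated as a pre-flight check before Snort is restarted. The script below is an added example, not code from the thread or from the pfSense Snort package; it scans each rule's pcre option, reports the line number and SID of any pattern the regex engine rejects, and comments those lines out. It uses Python's re module as a stand-in for PCRE, so results are an approximation; the sample rule file and its SIDs are constructed, with the second rule carrying the "\object" escape from the log message above.

```python
import re

# Constructed sample of a snort.rules file (hypothetical SIDs). Rule 2 repeats
# the "\o" escape that Snort's PCRE compiler rejected in the thread's log line.
SAMPLE_RULES = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ok rule"; pcre:"/data\x3A\x2F\x2F127\x2E[0-9]/i"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"broken rule"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/i"; sid:1000002; rev:1;)
# comment line
alert tcp any any -> any any (msg:"no pcre"; content:"foo"; sid:1000003; rev:1;)
'''

# pcre:"/<pattern>/<flags>";  (an optional leading "!" negates the match in Snort)
PCRE_OPT = re.compile(r'pcre:\s*"!?/(.*?)/([a-zA-Z]*)"\s*;')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')
# Only the PCRE flags that have a Python re equivalent; Snort-specific flags
# (R, U, P, H, ...) change where Snort applies the pattern, not its syntax.
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def check_rules(text):
    """Return [(line_no, sid, error)] for every rule whose pcre fails to compile.

    Python's re is not PCRE, so treat a hit as a candidate to inspect, not proof.
    Relies on Python 3.7+, where unknown escapes such as \\o raise re.error.
    """
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sid_m = SID_OPT.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for m in PCRE_OPT.finditer(line):
            pattern, flags = m.group(1), m.group(2)
            re_flags = 0
            for f in flags:
                re_flags |= FLAG_MAP.get(f, 0)
            try:
                re.compile(pattern, re_flags)
            except re.error as exc:
                problems.append((line_no, sid, str(exc)))
    return problems


def disable_rules(text, line_numbers):
    """Comment out the given 1-based lines, the 'just disable that rule' step."""
    wanted = set(line_numbers)
    out = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        out.append("# " + line if line_no in wanted and not line.startswith("#") else line)
    return "\n".join(out) + "\n"
```

Run it against the real file with `check_rules(open(path).read())`, and keep in mind that the package regenerates snort.rules, so the lasting fix is disabling the SID in the GUI rather than editing the file by hand.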
        cjbujold

          Thanks that worked perfectly.

          cjb

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.