Snort failing to load rules

2.4 Development Snapshots
Log in to reply
  • A

    Have been getting this error since last couple of days. Tried updating my 2.4 snapshot and reinstalled snort on a fresh 2.4 install. Getting the same error.

    Can anyone help me find that 20835 rule which is causing the issue.

    Jan 17 18:15:13 php-fpm 87708 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 4219 -D -q –suppress-config-log -l /var/log/snort/snort_vmx04219 --pid-path /var/run --nolock-pidfile -G 4219 -c /usr/local/etc/snort/snort_4219_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jan 17 13:15:13 snort 18792 FATAL ERROR: /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules(20835) Rule options must be enclosed in '(' and ')'.

    0
  • D
    Banned 

    
$ grep -Rni 'sid:20835' /usr/local/
/usr/local/etc/suricata/rules/snort_browser-plugins.rules:1759:# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;)
    0
  • A

    Thanks. Appreciate the quick response.

    Not sure but it has something to do with "Snort OPENAPPI Rules". The moment I un-select all the rules under that last column Snort starts but if I enable even one single rule there ..snort fails to load with the same error I posted above.

    0
  • D
    Banned

    Well, I'm using Suricata (but the rules are the same). There's no support for OpenAppID rules there, so… cannot help. Probably better asked in IPS/IDS forum, don't think it's related to 2.4 snapshots.

    0
  • A

    Hmm. makes me think.. should I move to Suricata? Would you recommend it?

    0
  • D
    Banned

    Well, you'd definitely not hit similar issues there, since broken/unsupported rules are just skipped. Otherwise, pretty happy with that, multithreading definitely helps.

    0
  • A

    How about the long list of false positives that I have identified in Snort. Will I have to start from scratch? It took me well over a year to assemble that list.

    0
  • D
    Banned

    Hmmm well, I'm using SID Mgmt - disablesid.conf for any FPs. If you are using something else, not sure… but I guess getting those out of config.xml should be doable as well.

    0
  • A

    Yeah I use the same but I had to suppress the FPs one by one to ensure I am not suppressing the wrong ones. Took some good time. Can I just transfer the Snort FPs to Suricata?

    0
  • D
    Banned

    Yeah definitely, just save the file and paste back to Suricata. The rulesets are the same, so are the SIDs.

    0
  • A

    Awesome! Thanks bud.  :D

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy