5. Snort failing to load rules

Snort failing to load rules

  • A

    Have been getting this error since last couple of days. Tried updating my 2.4 snapshot and reinstalled snort on a fresh 2.4 install. Getting the same error.

    Can anyone help me find that 20835 rule which is causing the issue.

    Jan 17 18:15:13 php-fpm 87708 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 4219 -D -q –suppress-config-log -l /var/log/snort/snort_vmx04219 --pid-path /var/run --nolock-pidfile -G 4219 -c /usr/local/etc/snort/snort_4219_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jan 17 13:15:13 snort 18792 FATAL ERROR: /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules(20835) Rule options must be enclosed in '(' and ')'.

    0
  • D
    Banned 

    
$ grep -Rni 'sid:20835' /usr/local/
/usr/local/etc/suricata/rules/snort_browser-plugins.rules:1759:# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;)
    0
  • A

    Thanks. Appreciate the quick response.

    Not sure but it has something to do with "Snort OPENAPPI Rules". The moment I un-select all the rules under that last column Snort starts but if I enable even one single rule there ..snort fails to load with the same error I posted above.

    0
  • D
    Banned

    Well, I'm using Suricata (but the rules are the same). There's no support for OpenAppID rules there, so… cannot help. Probably better asked in IPS/IDS forum, don't think it's related to 2.4 snapshots.

    0
  • A

    Hmm. makes me think.. should I move to Suricata? Would you recommend it?

    0
  • D
    Banned

    Well, you'd definitely not hit similar issues there, since broken/unsupported rules are just skipped. Otherwise, pretty happy with that, multithreading definitely helps.

    0
  • A

    How about the long list of false positives that I have identified in Snort. Will I have to start from scratch? It took me well over a year to assemble that list.

    0
  • D
    Banned

    Hmmm well, I'm using SID Mgmt - disablesid.conf for any FPs. If you are using something else, not sure… but I guess getting those out of config.xml should be doable as well.

    0
  • A

    Yeah I use the same but I had to suppress the FPs one by one to ensure I am not suppressing the wrong ones. Took some good time. Can I just transfer the Snort FPs to Suricata?

    0
  • D
    Banned

    Yeah definitely, just save the file and paste back to Suricata. The rulesets are the same, so are the SIDs.

    0
  • A

    Awesome! Thanks bud.  :D

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy