Snort failing to load rules



  • Have been getting this error since last couple of days. Tried updating my 2.4 snapshot and reinstalled snort on a fresh 2.4 install. Getting the same error.

    Can anyone help me find that 20835 rule which is causing the issue.

    Jan 17 18:15:13 php-fpm 87708 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 4219 -D -q –suppress-config-log -l /var/log/snort/snort_vmx04219 --pid-path /var/run --nolock-pidfile -G 4219 -c /usr/local/etc/snort/snort_4219_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jan 17 13:15:13 snort 18792 FATAL ERROR: /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules(20835) Rule options must be enclosed in '(' and ')'.


  • Banned

    
    $ grep -Rni 'sid:20835' /usr/local/
    /usr/local/etc/suricata/rules/snort_browser-plugins.rules:1759:# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;)
    
    


  • Thanks. Appreciate the quick response.

    Not sure but it has something to do with "Snort OPENAPPI Rules". The moment I un-select all the rules under that last column Snort starts but if I enable even one single rule there ..snort fails to load with the same error I posted above.


  • Banned

    Well, I'm using Suricata (but the rules are the same). There's no support for OpenAppID rules there, so… cannot help. Probably better asked in IPS/IDS forum, don't think it's related to 2.4 snapshots.



  • Hmm. makes me think.. should I move to Suricata? Would you recommend it?


  • Banned

    Well, you'd definitely not hit similar issues there, since broken/unsupported rules are just skipped. Otherwise, pretty happy with that, multithreading definitely helps.



  • How about the long list of false positives that I have identified in Snort. Will I have to start from scratch? It took me well over a year to assemble that list.


  • Banned

    Hmmm well, I'm using SID Mgmt - disablesid.conf for any FPs. If you are using something else, not sure… but I guess getting those out of config.xml should be doable as well.



  • Yeah I use the same but I had to suppress the FPs one by one to ensure I am not suppressing the wrong ones. Took some good time. Can I just transfer the Snort FPs to Suricata?


  • Banned

    Yeah definitely, just save the file and paste back to Suricata. The rulesets are the same, so are the SIDs.



  • Awesome! Thanks bud.  :D


Log in to reply