Snort: OpenAppID -> Snort doesn't start anymore


  • Hey there!

    As soon as I activate OpenAppID rules in my Snort configuration (downloading the rules is just working fine) the system will tell me:
    FATAL ERROR: /usr/local/etc/snort/snort_8522_rl0/rules/snort.rules(19371) Rule options must be enclosed in '(' and ')'.

    And the snort service won't start anymore… ideas?

    I just downloaded the rules and activated them for my interface.


  • @user12:

    Hey there!

    As soon as I activate OpenAppID rules in my Snort configuration (downloading the rules is just working fine) the system will tell me:
    FATAL ERROR: /usr/local/etc/snort/snort_8522_rl0/rules/snort.rules(19371) Rule options must be enclosed in '(' and ')'.

    And the snort service won't start anymore… ideas?

    I just downloaded the rules and activated them for my interface.

    Snort is telling you what is wrong right here:  Rule options must be enclosed in '(' and ')'.  Snort will stop when it encounters any errors in a rule.  The snort.rules file is simply the collection of rules you have chosen from all the categories you have enabled.  To see exactly which rule it does not like, open that file and look on line #19371.  Snort prints the line number of the rule with the syntax error.  The error is caused by the rule writer and not the Snort package itself.

    See my reply to this user's problem for more details:  https://forum.pfsense.org/index.php?topic=123883.msg686669#msg686669.

    You should also complain to the rule author (at the site where you are downloading the OpenAppID rules) to let him or her know the rule is defective.  I wish the Snort VRT developers would have Snort operate like Suricata and just log a syntax error, skip the bad rule, and go on to the next one instead of stopping with a Fatal Error as it does now.  Stopping with the fatal error leaves you totally unprotected, while skipping a rule or two would still leave you with some protection in place.

    Bill
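To make Bill's "open the file and look at that line" advice repeatable, here is an added POSIX shell example (not from the thread, and not part of the pfSense or Snort packages) that prints the rule at the line number Snort reports and scans a rules file for rule lines whose options are not wrapped in '(' and ')', which is exactly the condition behind the FATAL ERROR above. The temporary file, the rule contents and the SIDs in it are constructed for illustration; the real file is the snort.rules path quoted in the error message.

```shell
#!/bin/sh
# Added example, not code from the original thread, pfSense or Snort.
# Finds the rule Snort rejects and flags every rule line that lacks the
# "( options )" wrapper. Assumes one rule per line, as in generated
# snort.rules files; all sample data below is constructed.

# Print the rule at a given line number. The number Snort prints in
# "snort.rules(19371)" is a 1-based line number in that file.
show_rule() {
    file="$1"
    lineno="$2"
    sed -n "${lineno}p" "$file"
}

# Print the line number of every non-comment, non-blank line whose
# options are not enclosed in "(" ... ")". Snort rule layout is:
#   <action> <proto> <src> <sport> <dir> <dst> <dport> ( options; )
# so a well-formed rule line must contain "(" and end with ")".
find_bad_rules() {
    file="$1"
    awk '
        /^[[:space:]]*(#|$)/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/[[:space:]]+$/, "", line)   # ignore trailing whitespace
            if (line !~ /\(.*\)$/) print NR
        }
    ' "$file"
}

# Write a constructed three-rule file; line 3 deliberately omits the
# parentheses around its option block. SIDs are in the local (>=1000000)
# range and do not refer to any real rule.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules file (not real OpenAppID rules)
alert tcp any any -> any 80 (msg:"constructed ok rule"; sid:9000001; rev:1;)
alert tcp any any -> any 443 msg:"constructed broken rule"; sid:9000002; rev:1;
alert udp any any -> any 53 (msg:"constructed ok rule 2"; sid:9000003; rev:1;)
EOF
}

# Demonstration run against the constructed file.
rules=$(mktemp)
make_sample_rules "$rules"
for n in $(find_bad_rules "$rules"); do
    echo "rule options not enclosed in '(' and ')' at line $n:"
    show_rule "$rules" "$n"
done
rm -f "$rules"
```

Point `find_bad_rules` at the generated snort.rules before restarting the service; once the offending rule is removed or fixed, `snort -T -c <path to snort.conf>` tests the configuration without putting Snort inline. The check only catches the specific error reported in this thread (a missing parenthesis wrapper), not every syntax error Snort can raise, and it assumes one rule per line.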