Netgate Discussion Forum
    Snort: OpenAppID -> Snort doesn't start anymore

IDS/IPS

    • user12

      Hey there!

      As soon as I activate OpenAppID-Rules in my Snort configuration (downloading the rules is just working fine) the system will tell me:
      FATAL ERROR: /usr/local/etc/snort/snort_8522_rl0/rules/snort.rules(19371) Rule options must be enclosed in '(' and ')'.

      And the snort service won't start anymore… ideas?

      I just downloaded the rules and activated them for my interface.

      • bmeeks

        @user12:

        Hey there!

        As soon as I activate OpenAppID-Rules in my Snort configuration (downloading the rules is just working fine) the system will tell me:
        FATAL ERROR: /usr/local/etc/snort/snort_8522_rl0/rules/snort.rules(19371) Rule options must be enclosed in '(' and ')'.

        And the snort service won't start anymore… ideas?

        I just downloaded the rules and activated them for my interface.

        Snort is telling you what is wrong right here:  Rule options must be enclosed in '(' and ')'.  Snort will stop when it encounters any errors in a rule.  The snort.rules file is simply the collection of rules you have chosen from all the categories you have enabled.  To see exactly which rule it does not like, open that file and look on line #19371.  Snort prints the line number of the rule with the syntax error.  The error is caused by the rule writer and not the Snort package itself.

        See my reply to this user's problem for more details:  https://forum.pfsense.org/index.php?topic=123883.msg686669#msg686669.

        You should also complain to the rule author (at the site where you are downloading the OpenAppID rules) to let him or her know the rule is defective.  I wish the Snort VRT developers would have Snort operate like Suricata and just log a syntax error, skip the bad rule, and go on to the next one instead of stopping with a Fatal Error as it does now.  Stopping with the fatal error leaves you totally unprotected, while skipping a rule or two would still leave you with some protection in place.

        Bill

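Added example (not code from the thread, bmeeks, or the pfSense Snort package): a small checker that does what the reply above says to do by hand, namely find the rule in snort.rules that Snort rejects with "Rule options must be enclosed in '(' and ')'", and report its line number before Snort is restarted. It treats a backslash at end of line as a rule continuation and reports the first physical line of the rule; the sample rules file embedded below is constructed for the demonstration, and the path and function names are assumptions of this example.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample (not the file from the thread): four rules, where the
# rule on line 5 is missing its closing ')' and would stop Snort from starting.
SAMPLE_RULES = """\
# constructed snort.rules excerpt
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP example"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH example"; \\
    flow:to_server; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"missing close paren"; sid:1000003; rev:1;
alert udp any any -> any 53 (msg:"DNS example"; sid:1000004; rev:1;)
"""

# Snort rule header: action proto src sport direction dst dport, then options.
RULE_HEADER = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*'
)

PAREN_ERROR = "rule options must be enclosed in '(' and ')'"


def logical_rules(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_number, rule_text), joining backslash-continued lines
    so a multi-line rule is checked as one unit."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            start = lineno
        if line.endswith('\\'):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, ' '.join(buf).strip()
        buf = []
    if buf:  # file ended with a dangling continuation
        yield start, ' '.join(buf).strip()


def check_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) for every rule whose options are not
    wrapped in '(' ... ')', which is the error quoted in the thread.
    Lines that do not even look like a rule header are reported as well."""
    problems: List[Tuple[int, str]] = []
    for lineno, rule in logical_rules(text):
        if not rule or rule.startswith('#'):
            continue  # blank line or comment
        match = RULE_HEADER.match(rule)
        if match is None:
            problems.append((lineno, 'unrecognised rule header'))
            continue
        options = rule[match.end():]
        if not (options.startswith('(') and options.endswith(')')):
            problems.append((lineno, PAREN_ERROR))
    return problems


def check_file(path: str) -> List[Tuple[int, str]]:
    """Run check_rules() over a rules file on disk (path is supplied by the caller)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return check_rules(fh.read())


if __name__ == '__main__':
    # Against a real install you would pass the path from the FATAL ERROR
    # message, e.g. check_file('/usr/local/etc/snort/snort_8522_rl0/rules/snort.rules').
    for lineno, why in check_rules(SAMPLE_RULES):
        print(f'line {lineno}: {why}')
```

Running it on the constructed sample reports line 5 only; the SSH rule split over lines 3 and 4 is accepted because the continuation is joined first. Against a real snort.rules, the reported line number is the one to open in the file, and commenting that rule out with a leading '#' lets Snort start again until the rule author ships a corrected rule, which is the workaround the reply above points at.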