Netgate Discussion Forum
    Snort just completely and randomly has stopped working

    Category: IDS/IPS (12 posts, 9 posters, 3.6k views)
      Peen

      Hey guys, facing a very very odd issue.

      I run Snort with a paid subscription, and it's been running 100% flawlessly since Sept. last year. I do regular config backups, and keep some fresh install ISOs just in case anything happens to my install.

      I run LAN and WAN with the IPS policy set to Security with my paid code. As of about 5-6pm today, I'm not sure if there was a sig update, but Snort 100% fails to start now with my paid code. I tried completely reinstalling pfSense on my server, and running my XML config backup to get everything back to where I was, and Snort says it's up until it updates. The only way I can get it to work is if I set IPS to "Connectivity".

      I even tried to reinstall and not to a config backup and just try to start fresh, and even with only snort, my oinkcode and putting IPS to security it won't start. Like I said, it was running 100% fine for almost a year and then randomly stopped working today…

      Here is some log info...

      May 16 22:34:41 php-fpm 90478 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 27828 -D -q --suppress-config-log -l /var/log/snort/snort_bge027828 --pid-path /var/run --nolock-pidfile -G 27828 -c /usr/local/etc/snort/snort_27828_bge0/snort.conf -i bge0' returned exit code '1', the output was ''

      May 16 22:34:41 snort 93433 FATAL ERROR: /usr/local/etc/snort/snort_27828_bge0/rules/snort.rules(11989) Unknown rule option: 'modbus_data'.

      May 16 22:34:38 php-fpm 90478 /snort/snort_interfaces.php: [Snort] Snort START for WAN(bge0)…
      May 16 22:34:38 php-fpm 90478 /snort/snort_interfaces.php: Starting Snort on WAN(bge0) per user request...
      May 16 22:34:38 php-fpm 90478 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
      May 16 22:34:37 php-fpm 90478 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 16 22:34:34 php-fpm 90478 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      May 16 22:34:27 php-fpm 55717 /snort/snort_rulesets.php: [Snort] Building new sid-msg.map file for WAN…
      May 16 22:34:27 php-fpm 55717 /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN…
      May 16 22:34:23 php-fpm 55717 /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN …

        u3c307

        You're not the only one I am also getting the same thing.

        Temp fix:

        Turn on SCADA Modbus detection preprocessor….

          Peen

          Yep, just tried this before you posted and fixed.

          Thought I was going nuts.

          Thanks!

            Rorinson

            @u3c307:

            Turn on SCADA Modbus detection preprocessor….

            I am also facing this issue currently.

            Can you tell me where this setting is located?

            Thank you.

              s3franko

              At the bottom of Preprocs of the interface.

                Ip Man

                I'm running the latest version and having the same problem. Snort refuses to run. I tried a reinstall without success.

                FATAL ERROR: ... Unknown rule option: 'modbus_data'

                  Peen

                  @Rorinson:

                  @u3c307:

                  Turn on SCADA Modbus detection preprocessor….

                  I am also facing this issue currently.

                  Can you tell me where this setting is located?

                  Thank you.

                  Services > Snort > Edit Interface (actions) > Preprocs > SCADA Preprocessors (at the bottom)

                  Check both boxes, restart snort.

                    ivor

                    It appears to be related to today's Snort update. As others have said, you can fix it by enabling the SCADA preprocessor. Another way to fix it is to disable the SCADA rules from your interface category. There are four SCADA rules which need to be unchecked.

                    Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                      dread

                      @ivor:

                      It appears to be related with today's Snort update. As others have said, you can fix it by enabling SCADA preprocessor. Another way to fix it is to disable SCADA rules from your interface category. There are four SCADA rules which need to be unchecked.

                      I had this same issue early this morning.

                      Running with IPS Security policy. I simply enabled Modbus Detection, not DNP3 detection from preprocessors, and Snort worked again.

                      Default option is not checked for both of these.

                      Yes, looks like it's somehow related to the last Snort rule update.

                        bmeeks

                        Yes, this would be an error I suspect from the Snort VRT rule authors.  SCADA rules are quite specific to industrial control systems, so no applicability to general business stuff.  Rules for SCADA will reference industrial control terms.  MODBUS is a type of industrial control protocol (think like HTTP for web traffic as a more familiar analogy).  I've said this before, Snort has preprocessors which are required to be loaded in order for certain rule signature options to be "understood" by Snort.  In this case somebody accidentally included some rules that contain the "modbus_data" rule option keyword.  Snort can only understand this keyword when the SCADA preprocessor is enabled and loaded.  Since 99.5% of pfSense users probably don't have SCADA in their networks protected by Snort and pfSense, that preprocessor is disabled by default.  Hence the failure to start errors.  Two solutions have been given in this thread, and either will work.

                        This kind of thing is one area where Suricata has a better implementation.  As you see in this thread, when Snort encounters a rule signature issue it just errors out and quits!  Suricata, on the other hand, will print an error, skip loading the offending signature and continue on with the next one.  The Sourcefire folks should fix Snort to do this IMHO.

                        Bill

                          NogBadTheBad
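A pre-flight check for the failure mode bmeeks describes, added here as an example and not code from this thread or from the pfSense Snort package: it scans an enabled rule set for rule options that need a preprocessor which snort.conf does not load, so the mismatch is caught before Snort aborts on it. The keyword-to-preprocessor map covers the Modbus and DNP3 options, and the rule and config text below are constructed samples.

```python
import re

# Rule-option keywords that Snort 2.9 only understands when the matching SCADA
# preprocessor is loaded; these are the Modbus and DNP3 options discussed here.
PREPROC_FOR_OPTION = {
    "modbus_func": "modbus", "modbus_unit": "modbus", "modbus_data": "modbus",
    "dnp3_func": "dnp3", "dnp3_ind": "dnp3", "dnp3_obj": "dnp3", "dnp3_data": "dnp3",
}

def rule_options(rule_line):
    """Option keywords of one enabled rule line ([] for comments and disabled rules)."""
    if rule_line.lstrip().startswith("#") or "(" not in rule_line:
        return []
    start, end = rule_line.find("("), rule_line.rfind(")")
    keywords, token, quoted = [], "", False
    for ch in rule_line[start + 1:end]:
        if ch == '"' and not token.endswith("\\"):   # unescaped quote toggles state
            quoted = not quoted
        if ch == ";" and not quoted:                  # ';' outside quotes ends an option
            keywords.append(token.split(":", 1)[0].strip())
            token = ""
        else:
            token += ch
    return [k for k in keywords if k]

def loaded_preprocessors(conf_text):
    """Names of preprocessors snort.conf actually loads ('preprocessor modbus: ...')."""
    return set(re.findall(r"^\s*preprocessor\s+([a-z0-9_]+)", conf_text, re.M))

def find_unloadable_rules(rules_text, conf_text):
    """(line_no, keyword, preprocessor) for each enabled rule whose preprocessor is not loaded."""
    loaded = loaded_preprocessors(conf_text)
    return [(no, kw, PREPROC_FOR_OPTION[kw])
            for no, line in enumerate(rules_text.splitlines(), 1)
            for kw in rule_options(line)
            if kw in PREPROC_FOR_OPTION and PREPROC_FOR_OPTION[kw] not in loaded]

# Constructed sample input: a web rule, a Modbus rule, a disabled DNP3 rule, and a
# snort.conf whose Modbus preprocessor line is commented out (the pfSense default).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed web rule"; content:"GET"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"constructed modbus rule"; modbus_func:3; modbus_data; content:"|00 00|"; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20000 (msg:"constructed dnp3 rule, disabled"; dnp3_func:1; sid:9000003; rev:1;)
"""
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes
# preprocessor modbus: ports { 502 }
"""
PROBLEMS = find_unloadable_rules(SAMPLE_RULES, SAMPLE_CONF)
```

Only the enabled Modbus rule on line 2 is reported; the disabled DNP3 rule is skipped because pfSense writes disabled rules as comments, which Snort never parses.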

                          Oh shoot, wish I'd looked here first, thought I'd broken my snort config when I was playing with barnyard2 :(

                          Time Process PID Message
                          May 17 19:34:19 SnortStartup 70809 Snort START for IOT Interface(10483_igb0_vlan4)…
                          May 17 19:34:19 snort 66867 FATAL ERROR: /usr/local/etc/snort/snort_14201_igb0_vlan3/rules/snort.rules(15733) Unknown rule option: 'modbus_data'.
                          May 17 19:34:09 SnortStartup 66577 Snort START for GUEST Interface(14201_igb0_vlan3)...
                          May 17 19:34:09 snort 36751 FATAL ERROR: /usr/local/etc/snort/snort_51260_igb0_vlan2/rules/snort.rules(15726) Unknown rule option: 'modbus_data'.
                          May 17 19:33:59 SnortStartup 36642 Snort START for USER Interface(51260_igb0_vlan2)...

                          Even did a recovery from a few days ago to see if that would fix it.

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            Peen

                            Figured it was now a good time to try out Suricata :)
