Snort won't start.
-
Snort wont start after updating some rules. I have un-installed and reinstalled. Any help would be much appreciated.
Here are the logs:```
Time Process PID Message
Jul 21 15:03:54 php-fpm 40562 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 35291 -D -q --suppress-config-log -l /var/log/snort/snort_em035291 --pid-path /var/run --nolock-pidfile -G 35291 -c /usr/local/etc/snort/snort_35291_em0/snort.conf -i em0' returned exit code '1', the output was ''
Jul 21 15:03:54 snort 48245 FATAL ERROR: /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832) byte_test rule option cannot extract more than 4 bytes without valid string prefix.
Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: Starting Snort on WAN(em0) per user request...
Jul 21 15:03:51 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Jul 21 15:03:50 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Jul 21 15:03:42 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ... -
Not sure if you have sorted it yet..
I had this issue after updating. It took me a couple of hours of playing around with uninstalling, reinstalling multiple times, editing the snort.rules file to comment out the rules that were giving errors in the log etc etc.
This got me to a point where it would start and not give me errors in the log, but wouldn't detect anything. Once it started, I tried a simple port scan using my phone, which it did not detect.
What ended up getting everything sorted for me was resetting the WAN rules. I didn't have any custom rules set that I could remember.
Services –> Snort
Edit your WAN interface -->
WAN Rules -->
Rule Signature ID (SID) Enable/Disable Overrides -->
Reset All --> Apply
Hope this helps.
-
Snort wont start after updating some rules. I have un-installed and reinstalled. Any help would be much appreciated.
Here are the logs:```
Time Process PID Message
Jul 21 15:03:54 php-fpm 40562 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 35291 -D -q --suppress-config-log -l /var/log/snort/snort_em035291 --pid-path /var/run --nolock-pidfile -G 35291 -c /usr/local/etc/snort/snort_35291_em0/snort.conf -i em0' returned exit code '1', the output was ''
Jul 21 15:03:54 snort 48245 FATAL ERROR: /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832) byte_test rule option cannot extract more than 4 bytes without valid string prefix.
Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: Starting Snort on WAN(em0) per user request...
Jul 21 15:03:51 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Jul 21 15:03:50 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Jul 21 15:03:42 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...This error is caused by a mis-written rule signature. Likely it was updated by the authors but the error was not caught before the rule was added to the update tar ball. You can find the errant rule and disable it by "decoding" the error message.
Here is the snippet of the error message you need:
/usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832)
This tells you the file containing the rules where the error happened. The file is /usr/local/etc/snort/snort_35291_em0/rules/snort.rules, and the error is on line 4832 in that file. So open the file in an editor, locate line 4832, examine the rule there to find the SID and category and then disable that rule in the GUI on the RULES tab.
Bill