Snort fails to start after upgrade from 2.3.4 to 2.3.4_p1
-
We upgraded 7 firewalls to 2.3.4_p1.
After upgrade on 6 units snort isn't working with new pfsense release.Here is system log message from 2:
Aug 16 07:31:41SnortStartup37526Snort START for WAN_ATT(58471_igb1)…
Aug 16 07:31:41snort38350FATAL ERROR: /usr/local/etc/snort/snort_58471_igb1/rules/snort.rules(389) Unknown ClassType: sdfAug 16 07:52:42snort65105FATAL ERROR: /usr/local/etc/snort/snort_58471_igb5/rules/snort.rules(389) Unknown ClassType: sdf
Aug 16 07:52:42SnortStartup63737Snort START for WAN_ATT(58471_igb5)...I'm sure someone already faced it before.
Thank you in advance. -
You have sensitive data rules enabled in your rule set but the sensitive data preprocessor (sdf) is disabled. Either disable the SDF rules or go to the PREPROCESSORS tab for the interface and check the box to enable the Sensitive Data preprocessor.
This is most likely caused by the particular set of rules categories you have enabled.
Bill
-
Based on my colleague and I will quote him:
"there is a bug
it inserts this rule
alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
even when off" -
[2.3.4-RELEASE][root@FW.corp]/root: vi /usr/local/etc/snort/snort_58471_igb1/preproc_rules/preprocessor.rules
or
/usr/local/etc/snort/preproc_rules/preprocessor.rules:alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
Removing the line is a quick fix, but will it come back after next upgrade .. we don't know
-
@Rajko:
Based on my colleague and I will quote him:
"there is a bug
it inserts this rule
alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
even when off"The Snort package itself generates no rules nor inserts any rules arbitrarily. I will need to review the package installation code to see if anything happens during installation (or re-installation) that could affect this.
Does this happen even when you "upgrade" by first removing the package entirely and then re-installing? There can be some potential issues with a re-installation over an existing one when upgrading. My recommendation is always remove the package and then reinsall it. That takes only a couple of extra clicks and an additional 30 seconds or so.
Bill
-
We did not try removing package prior to upgrade.
Thank you for checking scripts.