Annoying Snort Issue



  • I've fixed it a few times now, but it comes back due to Snort rule updates.  I was wondering how often they fix Snort rules; it's a syntax error.  Second, why does Snort quit working because one rule is wrong?  It makes no sense at all.

    48396 FATAL ERROR: /usr/local/etc/snort/snort_30270_em0/rules/snort.rules(427) Rule options must be enclosed in '(' and ')'.



  • It's not that it can't parse one rule, it's that it can't parse the file, and the parse error is in one of the rules. It's the exact definition of corrupted. Do you really want to use corrupted rules? There is no way the logic could make assumptions about accepting what it thinks were parseable rules and just ignoring the non-parseable parts of the file. Depending on the format, it's probably impossible to be sure what you've parsed so far is valid if the file as a whole is not valid.



  • I can understand that.  I'm curious when they might clear up the issue.  It's been 3 days.  I would hate to see Sourcefire have the same issue at work.



  • @aadder:

    I can understand that.  I'm curious when they might clear up the issue.  It's been 3 days.  I would hate to see Sourcefire have the same issue at work.

    I believe this was identified as an error in one of the volunteer-maintained OpenAppID rules.  That rules package was created and is maintained by an individual in Brazil.  The pfSense team just recently moved the hosting site from a Brazilian University over to pfSense infrastructure.  The text OpenAppID rules are not maintained by the Snort VRT.

    I was under the impression this rule typo had been corrected a couple of days ago.  You could try reaching out to the pfSense team for more information, or temporarily turn off the OpenAppID rules and see if the error goes away.  I think it will.

    Snort has one failing compared to Suricata.  With Suricata, when a rule syntax error is encountered, the binary will print an error message but then skip the offending rule and load the others.  Snort, on the other hand, will print an error and exit when encountering a rule syntax error.  This behavior is baked into the underlying binary and is not something the pfSense GUI package can influence.

    Bill
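
Bill's reply above contrasts Snort, which aborts on the first malformed rule, with Suricata, which skips it and keeps loading. The script below is an added example, not code from this thread, from pfSense or from the Snort project: it pre-checks a rules file for the "Rule options must be enclosed in '(' and ')'" condition from the original post, reporting the physical line number Snort would print so the rule can be fixed or commented out before the daemon is restarted. The sample rules, the `snort.rules` path and the `load_rules` helper that imitates the two loader behaviours are constructed for illustration; the check is a simplified approximation of the Snort 2.x rule grammar (seven header fields, options in parentheses, quoted strings honoured), not its real parser.

```python
"""Pre-flight checker for Snort-style rule files (illustrative, not Snort's parser)."""
import sys
from typing import Iterator, List, Optional, Tuple

# Constructed sample (NOT a real snort.rules): rules 1, 2 and the continued
# rule are well-formed; line 4 lacks the closing ')' and line 5 has no '(' at all.
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"OK rule 1"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"paren inside string )"; content:"a)b"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"missing close"; sid:1000003; rev:1;
alert udp any any -> any 53 msg:"no parens at all"; sid:1000004; rev:1;
alert ip any any -> any any (msg:"continued"; \\
    sid:1000005; rev:1;)
"""

_HEADER_FIELDS = 7  # action proto src sport direction dst dport


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (start_line, rule_text), joining backslash-continued lines.

    start_line is the physical line on which the rule begins, which is the
    number that appears in Snort's "FATAL ERROR: file(N)" message."""
    start, buf = None, []  # type: Optional[int], List[str]
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.endswith("\\"):
            start = num if start is None else start
            buf.append(line[:-1])
            continue
        if buf:
            buf.append(line)
            yield start, "".join(buf)
            start, buf = None, []
        else:
            yield num, line
    if buf:  # continuation at end of file
        yield start, "".join(buf)


def check_rule(rule: str) -> Optional[str]:
    """Return an error message for a malformed rule, or None if it is well-formed."""
    open_idx = rule.find("(")
    if open_idx < 0:
        return "Rule options must be enclosed in '(' and ')'"
    header = rule[:open_idx].split()
    if len(header) != _HEADER_FIELDS:
        return "Rule header must have %d fields, found %d" % (_HEADER_FIELDS, len(header))
    in_string, i = False, open_idx + 1
    while i < len(rule):  # find the ')' that closes the options, ignoring quoted text
        ch = rule[i]
        if in_string:
            if ch == "\\":
                i += 2  # skip the escaped character
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == ")":
            trailing = rule[i + 1:].strip()
            return "Unexpected text after closing ')': %r" % trailing if trailing else None
        i += 1
    if in_string:
        return "Unterminated string in rule options"
    return "Rule options must be enclosed in '(' and ')'"


def check_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) for every malformed rule in the file text."""
    errors = []
    for lineno, rule in logical_lines(text):
        stripped = rule.strip()
        if stripped and not stripped.startswith("#"):
            msg = check_rule(stripped)
            if msg:
                errors.append((lineno, msg))
    return errors


def load_rules(text: str, skip_bad: bool, path: str = "snort.rules") -> List[str]:
    """Imitate the two loader behaviours from the thread (illustrative only).

    skip_bad=True  -> Suricata-like: warn about each bad rule, keep loading the rest.
    skip_bad=False -> Snort-like: abort on the first bad rule, loading nothing."""
    loaded = []
    for lineno, rule in logical_lines(text):
        stripped = rule.strip()
        if not stripped or stripped.startswith("#"):
            continue
        msg = check_rule(stripped)
        if msg is None:
            loaded.append(stripped)
        elif skip_bad:
            print("WARNING: %s(%d) %s, rule skipped" % (path, lineno, msg))
        else:
            raise ValueError("FATAL ERROR: %s(%d) %s" % (path, lineno, msg))
    return loaded


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for n, m in check_rules(data):
        print("line %d: %s" % (n, m))
```

Run it against the rules file named in the error (here `/usr/local/etc/snort/snort_30270_em0/rules/snort.rules`) before restarting Snort; any line it reports is a candidate for the rule Snort would refuse to load. The quoted-string handling matters because `content:` and `pcre:` options routinely contain parentheses, so a naive "find the first ')'" check would flag healthy rules.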