Snort stop working



  • Hi, after last night's update, my Snort stopped working.
    System logs show a lot of lines like these:

    Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
    Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
    Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
    Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
    Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
    Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
    Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
    Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
    Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
    and then:
    FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"

    Any ideas?
    Thanks



  • I'm also receiving:
    php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''



  • @heliop100 said in Snort stop working:

    I'm also receiving:
    php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''

    This error is caused by the first error you posted. Snort is not starting up, hence the error return code from the shell script.



  • @heliop100 said in Snort stop working:

    Hi, after last night's update, my Snort stopped working.
    System logs show a lot of lines like these:

    Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
    Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
    Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
    Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
    Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
    Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
    Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
    Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
    Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
    and then:
    FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"

    Any ideas?
    Thanks

    This is most likely caused by an error introduced with the latest OpenAppID rules. You can check the Snort Mailing List to see if anyone else is reporting issues. The link I posted will take you to a thread on this specific error.

    What version of the Snort package are you running now? You need to be on v3.2.9.8_4. This version includes the 2.9.12 Snort binary.



  • Hi,
    My Snort package is at 3.2.9.1.
    I disabled "Install OpenAppID detectors" but am still getting these errors.
    My pfSense is at 2.2.6, and to update Snort I will need to update pfSense first.
    Is there some way to remove OpenAppID manually for now, until I have a window to update pfSense?

    Thanks.



  • @heliop100

    Hello bmeeks,
    Your link shows the answer:

    Ever since the rules release 2 days ago, snort has a fatal error.
    Unknown modifier bitmask 0x8000
    Snort 2.9.8.3
    CentOS 6
    It’s caused by rule Sid:49090
    CVE-2017-7494
    Brian

    I disabled the 49090 sid and it is working now.

    Thanks
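The workaround the thread ends on (an older Snort binary fails to start on a rules file that uses the `bitmask` modifier, and disabling the offending sid gets it running again) can be done without hunting through the file by hand. The script below is an added example, not code from the thread or from the pfSense Snort package: it lists the sids of active rules that use a given option modifier and comments those rules out in place, keeping a `.bak` copy, so Snort can start until the package (and with it the Snort binary) is upgraded. The rules file it works on is constructed for the demo; its sids and payloads are not taken from any real ruleset, and the functions assume the standard one-rule-per-line Snort 2.x text format.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Finds rules that use an option modifier the installed Snort 2.x binary rejects
# (the thread reports "unknown modifier" for "bitmask" on a pre-2.9.12 binary)
# and comments those rules out until the package can be upgraded.
# The rules file below is constructed for this demo; sids and payloads are not
# copied from any real ruleset.

RULES=$(mktemp) || exit 1
trap 'rm -f "$RULES" "$RULES.bak"' EXIT

cat > "$RULES" <<'EOF'
# constructed sample snort.rules
alert tcp any any -> any 80 (msg:"DEMO plain rule"; content:"GET"; sid:9000001; rev:1;)
alert tcp any any -> any 445 (msg:"DEMO rule with bitmask modifier"; content:"|FF|SMB"; byte_test:2,=,0x8000,0,relative,bitmask 0x8000; sid:9000002; rev:1;)
alert tcp any any -> any 443 (msg:"DEMO another plain rule"; content:"abc"; sid:9000003; rev:1;)
# alert tcp any any -> any 21 (msg:"DEMO already disabled"; byte_test:1,=,1,0,bitmask 0x1; sid:9000004; rev:1;)
EOF

# Print the sid of every active (uncommented) rule whose options use the given
# modifier keyword.  $1 = rules file, $2 = keyword, e.g. bitmask.
sids_using_modifier() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -w "$2" \
      | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Comment out the rule with sid $2 in file $1 (in place, keeping a .bak copy)
# and print how many lines carry that sid.  "sid:NNN;" is matched with its
# trailing semicolon so that sid 49090 does not also hit sid 490901.
# A line that is already commented is left unchanged.
disable_sid() {
    _n=$(grep -c "sid:[[:space:]]*$2;" "$1" || true)
    sed -i.bak "/sid:[[:space:]]*$2;/s/^[[:space:]]*\([^#]\)/# \1/" "$1"
    echo "$_n"
}

# Count the rules Snort would actually load (lines not starting with '#').
active_rule_count() {
    grep -c -v '^[[:space:]]*#' "$1" || true
}

# Demo run on a copy so the original sample file is left untouched.
DEMO=$(mktemp) || exit 1
cp "$RULES" "$DEMO"
for sid in $(sids_using_modifier "$DEMO" bitmask); do
    echo "disabling sid $sid (uses unsupported modifier)"
    disable_sid "$DEMO" "$sid" >/dev/null
done
echo "active rules after triage: $(active_rule_count "$DEMO")"
rm -f "$DEMO" "$DEMO.bak"
```

Run it against a real rules file by pointing `RULES` at that file instead of the constructed one; the `.bak` copy lets you restore the rule once the Snort binary understands the modifier, and re-running `sids_using_modifier` afterwards confirms nothing active still uses it.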