Snort stop working
-
Hi, after last night update, my snort stop working.
system logs show a lot off lines like these:Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
and then:
FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"Any ideas?
Thanks
-
I'm also receiving:
php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
-
@heliop100 said in Snort stop working:
I'm also receiving:
php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''This error is caused by the first error you posted. Snort is not starting up, hence the error return code from the shell script.
-
@heliop100 said in Snort stop working:
Hi, after last night update, my snort stop working.
system logs show a lot off lines like these:Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
and then:
FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"Any ideas?
ThanksThis is most likely caused by an error introduced with the latest OpenAppID rules. You can check the Snort Mailing List to see if anyone else is reporting issues. The link I posted will take you to a thread on this specific error.
What version of the Snort package are you running now? You need to be on v3.2.9.8_4. This version includes the 2.9.12 Snort binary.
-
Hi,
My snort package are at 3.2.9.1
I disable Install OpenAppID detectors but still getting these errors.
My pfSense are at 2.2.6 and to update snort I will need to update pfSense first.
Are there some way to remove OpenAppID manually for now, until I have one window to update pfSense?Thanks.
-
Hello bmeeks,
Your link show the answer,Ever since the rules release 2 days ago, snort has a fatal error.
Unknown modifier bitmask 0x8000
Snort 2.9.8.3
Cantos 6
It’s caused by rule Sid:49090
CVE-2017-7494
BrianI disable the 49090 sid and are working now.
Thanks
-
I was confused on how to do this so after I figured it out I thought I would share.
Click Services, Snort
Edit the non functional snort interface e
Click %Interface% Rules
Click the drop down for Category: and choose GPLv2_community.rules
Wait for it to load and disable x Sid: 49090 SERVER-SAMBA at the bottom of the page
Save & Apply
Then back on the Snort Interfaces tab you should now be able to start x snort on the Interface
