Netgate Discussion Forum

    Snort stop working

    pfSense Packages
    • heliop100

      Hi, after last night's update, my Snort stopped working.
      The system logs show a lot of lines like these:

      Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
      Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
      Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
      Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
      Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
      Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
      Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
      Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
      Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
      and then:
      FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"

      Any ideas?
      Thanks

      • heliop100

        I'm also receiving:
        php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''

        • bmeeks @heliop100

          @heliop100 said in Snort stop working:

          I'm also receiving:
          php-fpm[684]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 23092 -D -q --suppress-config-log -l /var/log/snort/snort_vmx023092 --pid-path /var/run --nolock-pidfile -G 23092 -c /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''

          This error is caused by the first error you posted. Snort is not starting up, hence the error return code from the shell script.

          • bmeeks @heliop100

            @heliop100 said in Snort stop working:

            Hi, after last night's update, my Snort stopped working.
            The system logs show a lot of lines like these:

            Feb 7 11:55:12 snort[68678]: appKey '1912' truncated to 'microsoft_strea'
            Feb 7 11:55:12 snort[68678]: appKey '1905' truncated to 'zoho_salesiq_ch'
            Feb 7 11:55:12 snort[68678]: appKey '1903' truncated to 'office365_admin'
            Feb 7 11:55:12 snort[68678]: appKey '1911' truncated to 'azure_cloud_por'
            Feb 7 11:55:12 snort[68678]: appKey '0' truncated to 'shortel_sky_com'
            Feb 7 11:55:12 snort[68678]: appKey '1857' truncated to 'mail.ru_attachm'
            Feb 7 11:55:12 snort[68678]: appKey '1856' truncated to 'livejournal_pos'
            Feb 7 11:55:12 snort[68678]: appKey '1849' truncated to 'office_365_plan'
            Feb 7 11:55:12 snort[68678]: appKey '1835' truncated to 'wd_softwares_do'
            and then:
            FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_23092_vmx0/rules/snort.rules(441): unknown modifier "bitmask 0x8000"

            Any ideas?
            Thanks

            This is most likely caused by an error introduced with the latest OpenAppID rules. You can check the Snort Mailing List to see if anyone else is reporting issues. The link I posted will take you to a thread on this specific error.

            What version of the Snort package are you running now? You need to be on v3.2.9.8_4. This version includes the 2.9.12 Snort binary.

            • heliop100

              Hi,
              My Snort package is at 3.2.9.1.
              I disabled "Install OpenAppID detectors" but am still getting these errors.
              My pfSense is at 2.2.6, and to update Snort I will need to update pfSense first.
              Is there some way to remove OpenAppID manually for now, until I have a window to update pfSense?

              Thanks.

              • heliop100 @heliop100

                Hello bmeeks,
                Your link shows the answer:

                Ever since the rules release 2 days ago, snort has a fatal error.
                Unknown modifier bitmask 0x8000
                Snort 2.9.8.3
                CentOS 6
                It’s caused by rule Sid:49090
                CVE-2017-7494
                Brian

                I disabled SID 49090 and it is working now.

                Thanks

                • Frequency295

                  I was confused on how to do this so after I figured it out I thought I would share.

                  Click Services, Snort
                  Edit the non-functional Snort interface e
                  Click %Interface% Rules
                  Click the drop down for Category: and choose GPLv2_community.rules
                  Wait for it to load and disable x Sid: 49090 SERVER-SAMBA at the bottom of the page
                  Save & Apply
                  Then back on the Snort Interfaces tab you should now be able to start x snort on the Interface
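
A read-only way to get from the `FATAL ERROR: ...(line): unknown modifier` message to the SID that needs disabling, as an added example that is not part of the original thread. The function names and the sample rules are constructed for illustration; on a real box, pass the message from your own system log and disable the reported SID in the GUI as described above.

```shell
#!/bin/sh
# Added example (not from the thread): map a Snort startup failure such as
#   FATAL ERROR: <rules file>(<line>): unknown modifier "<keyword> <arg>"
# to the SID that has to be disabled. Read-only: it never edits the rules file.

# Print one field of the FATAL ERROR line. $1 = log line, $2 = file|line|keyword
fatal_field() {
    case "$2" in file) n=1 ;; line) n=2 ;; keyword) n=3 ;; *) return 2 ;; esac
    printf '%s\n' "$1" | sed -n \
      "s/^.*FATAL ERROR: \(.*\)(\([0-9][0-9]*\)): unknown modifier \"\([A-Za-z_]*\).*\$/\\$n/p"
}

# Read rule text on stdin, print the value of each rule's sid: option.
rule_sid() {
    sed -n 's/.*[(;][[:space:]]*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# SID of the rule on the line Snort complained about. $1 = log line
offending_sid() {
    f=$(fatal_field "$1" file); l=$(fatal_field "$1" line)
    [ -r "$f" ] && [ -n "$l" ] || return 1
    sed -n "${l}p" "$f" | rule_sid
}

# Snort exits at the first bad rule, so also list every other enabled rule
# that uses the same keyword. $1 = rules file, $2 = keyword
sids_using_keyword() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "[,:;][[:space:]]*$2[[:space:]]" | rule_sid
}

# Constructed sample rules (placeholders, not the real text of any SID).
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample file
alert tcp any any -> any 80 (msg:"SAMPLE plain rule"; content:"abc"; sid:1000001; rev:1;)
alert tcp any any -> any 445 (msg:"SAMPLE newer syntax"; byte_test:2,=,1,0,relative,bitmask 0x8000; sid:49090; rev:1;)
# alert tcp any any -> any 445 (msg:"SAMPLE disabled"; byte_test:2,=,1,0,bitmask 0x00ff; sid:1000002; rev:1;)
alert tcp any any -> any 139 (msg:"SAMPLE second hit"; byte_test:1,=,1,0,bitmask 0x0f; sid:1000003; rev:1;)
EOF
}

demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir/snort.rules"
demo_msg="FATAL ERROR: $demo_dir/snort.rules(3): unknown modifier \"bitmask 0x8000\""
echo "rule that stopped Snort: SID $(offending_sid "$demo_msg")"
echo "enabled rules using '$(fatal_field "$demo_msg" keyword)':" \
     $(sids_using_keyword "$demo_dir/snort.rules" bitmask)
rm -rf "$demo_dir"
```

The second listing matters because an older binary that rejects one rule's keyword will stop again on the next enabled rule that uses it.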
