Snort start / FATAL ERROR:



  • Hi there.

    I installed Snort and enabled some rules. After that I tried to start Snort, but it does not start. The system.log says:

    Dec 20 00:09:07 pfSense-lab php-fpm[243]: /snort/snort_interfaces.php: Starting Snort on WAN(hn0) per user request...
    Dec 20 01:09:07 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Updating rules configuration for: WAN ...
    Dec 20 01:09:09 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Dec 20 01:09:09 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Building new sid-msg.map file for WAN...
    Dec 20 01:09:11 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Snort START for WAN(hn0)...
    Dec 20 01:09:14 pfSense-lab snort[68918]: FATAL ERROR: /usr/local/etc/snort/snort_3996_hn0/rules/snort.rules(56872) Unknown rule option: 'modbus_func'.
    Dec 20 01:09:14 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: The command '/usr/local/bin/snort -R 3996 -D -q --suppress-config-log -l /var/log/snort/snort_hn03996 --pid-path /var/run --nolock-pidfile -G 3996 -c /usr/local/etc/snort/snort_3996_hn0/snort.conf -i hn0' returned exit code '1', the output was ''
    
    

    Does someone know what happened?
    It seems like some rule is wrong, but how can I find this rule or rule set?

    Best Regards
    k

    edit:

    I found the line in the conf file:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
    
    

    What's wrong with this rule?



  • Resolved by myself. Will come back tomorrow to explain.

    cheers



  • This would be caused by a rule containing a Modbus keyword without the Modbus preprocessor enabled on the PREPROCESSORS tab; Snort does not know what to do with that keyword. Either remove that rule or enable the Modbus preprocessor.
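    The answer above pins the failure on a rule option that only exists once its preprocessor is configured. The script below is an added example (not from the thread or from the pfSense Snort package) that finds such rules before Snort is started: it walks a snort.rules file, tokenizes each rule's option list (respecting quoted values, so a `;` inside `content:"..."` does not split an option), records the `sid`, and reports every rule whose options require the Modbus or DNP3 preprocessor. A second function reads the `preprocessor` lines of a snort.conf so the two can be compared. The keyword-to-preprocessor table is deliberately partial (an assumption limited to the Modbus and DNP3 options documented for Snort 2.9); the first sample rule is the one quoted in the thread, truncated exactly as posted, and the other rules and the sample snort.conf are constructed for the example.

```python
import re

# Rule options that Snort 2.9 only understands when the matching preprocessor
# is configured. Partial table (assumption): Modbus and DNP3 keywords only.
PREPROCESSOR_KEYWORDS = {
    "modbus_func": "modbus",
    "modbus_unit": "modbus",
    "modbus_data": "modbus",
    "dnp3_func": "dnp3",
    "dnp3_ind": "dnp3",
    "dnp3_obj": "dnp3",
    "dnp3_data": "dnp3",
}

# Constructed snort.rules sample. Line 2 is the rule quoted in the thread
# (truncated as posted); the remaining rules are made up for the example.
SAMPLE_RULES = """\
# comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
alert tcp $EXTERNAL_NET any -> $HOME_NET 20000 (msg:"constructed DNP3 example"; flow:to_server,established; dnp3_func:confirm; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed plain rule"; flow:to_server,established; content:"GET"; sid:9000002; rev:1;)
"""

# Constructed snort.conf fragment: the modbus line is commented out, so the
# Modbus preprocessor is NOT configured here.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 8192
preprocessor stream5_global: track_tcp yes
# preprocessor modbus: ports { 502 }
"""


def rule_options(rule_line):
    """Return the option strings of one rule, splitting on ';' outside quotes."""
    start = rule_line.find("(")
    if start < 0:
        return []
    body = rule_line[start + 1:]
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quotes and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep escaped characters intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
            i += 1
            continue
        elif ch == ")" and not in_quotes:
            break                            # end of the option list
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        options.append(tail)                 # handles a truncated rule with no ')'
    return options


def find_preprocessor_rules(rules_text, keywords=PREPROCESSOR_KEYWORDS):
    """List rules (line number, sid) that use preprocessor-specific options."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                         # blank or disabled rule
        needed, sid = set(), None
        for opt in rule_options(line):
            key, _, value = opt.partition(":")
            key = key.strip()
            if key == "sid":
                sid = value.strip()
            elif key in keywords:
                needed.add(keywords[key])
        if needed:
            findings.append({"line": lineno, "sid": sid,
                             "preprocessors": sorted(needed)})
    return findings


def configured_preprocessors(conf_text):
    """Return the preprocessor names declared by 'preprocessor <name>' lines."""
    names = set()
    for line in conf_text.splitlines():
        m = re.match(r"\s*preprocessor\s+([A-Za-z0-9_]+)", line)
        if m:
            names.add(m.group(1))
    return names


def missing_preprocessors(rules_text, conf_text):
    """Rules whose required preprocessor is not declared in the given config."""
    configured = configured_preprocessors(conf_text)
    return [f for f in find_preprocessor_rules(rules_text)
            if any(p not in configured for p in f["preprocessors"])]


if __name__ == "__main__":
    for f in missing_preprocessors(SAMPLE_RULES, SAMPLE_CONF):
        print(f"snort.rules line {f['line']} (sid {f['sid']}) needs: "
              f"{', '.join(f['preprocessors'])}")
```

    On a pfSense box the two files to feed in are the ones named in the log above, `/usr/local/etc/snort/snort_3996_hn0/rules/snort.rules` and `/usr/local/etc/snort/snort_3996_hn0/snort.conf` (the directory name changes per interface). The reported `sid` is what you look up in the rule set to decide whether to disable the rule or enable the preprocessor.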



  • @bmeeks thank you! You are right. I checked by myself for Modbus protocol / devices; we don't use any of these devices, so I deactivated the ruleset. Thank you for your answer.

    br
    k



  • Modbus is for industrial control systems. It is not used in business or home networks (typically).

