Netgate Discussion Forum

    Snort start / FATAL ERROR:

    IDS/IPS
    5 Posts 2 Posters 1.6k Views
    • kinch

      Hi there.

      I installed snort and enabled some rules. After that i tried to start snort, but it does not start. The system.log says:

      Dec 20 00:09:07 pfSense-lab php-fpm[243]: /snort/snort_interfaces.php: Starting Snort on WAN(hn0) per user request...
      Dec 20 01:09:07 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Updating rules configuration for: WAN ...
      Dec 20 01:09:09 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Enabling any flowbit-required rules for: WAN...
      Dec 20 01:09:09 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Building new sid-msg.map file for WAN...
      Dec 20 01:09:11 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: [Snort] Snort START for WAN(hn0)...
      Dec 20 01:09:14 pfSense-lab snort[68918]: FATAL ERROR: /usr/local/etc/snort/snort_3996_hn0/rules/snort.rules(56872) Unknown rule option: 'modbus_func'.
      Dec 20 01:09:14 pfSense-lab php: /tmp/snort_hn03996_startcmd.php: The command '/usr/local/bin/snort -R 3996 -D -q --suppress-config-log -l /var/log/snort/snort_hn03996 --pid-path /var/run --nolock-pidfile -G 3996 -c /usr/local/etc/snort/snort_3996_hn0/snort.conf -i hn0' returned exit code '1', the output was ''

      Does anyone know what's happening?
      It seems like some rule is wrong, but how can I find this rule or rule-set?

      Best Regards
      k

      Edit:

      I found the line in the conf-file:

      alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; classtype:denial-of-service; sid:29965;

      What's wrong with this rule?

      • kinch

        Resolved by myself. Will come back tomorrow to explain.

        cheers

        • bmeeks

          This would be caused by a rule containing a Modbus keyword without the Modbus preprocessor enabled on the PREPROCESSORS tab; Snort does not know what to do with that keyword. Either remove that rule or enable the Modbus preprocessor.

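          One way to find every such rule before Snort is started (an added example, not code from this thread or from the pfSense Snort package): a short Python script that lists the rule lines using preprocessor-specific options that snort.conf does not enable, reporting the same line number Snort prints in its FATAL ERROR. The Modbus option names are the ones in the failing rule above; the DNP3 set is an assumption made on the same pattern, and the snort.conf and rules inputs are constructed samples.

```python
import re

# Rule options that only parse when the matching preprocessor is loaded.
# The Modbus set is what the failing rule in this thread uses; the DNP3
# set is assumed on the same pattern from the Snort 2.9 preprocessor READMEs.
PREPROCESSOR_OPTIONS = {
    "modbus": {"modbus_func", "modbus_unit", "modbus_data"},
    "dnp3": {"dnp3_func", "dnp3_ind", "dnp3_obj", "dnp3_data"},
}
RULE_ACTIONS = ("alert", "drop", "pass", "log", "reject", "sdrop")
OPTION_RE = re.compile(r"(?:^|;)\s*([a-z0-9_]+)\s*(?::|;|\)|$)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([a-z0-9_]+)\b", re.M)

# Constructed sample input: snort.conf with Modbus only commented out; rules whose 3rd line is the thread's rule.
SAMPLE_CONF = "preprocessor frag3_global: max_frags 65536\n# preprocessor modbus: ports { 502 }\n"
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed test"; content:"abc"; sid:1000001; rev:1;)\n'
    '# alert tcp any any -> $HOME_NET 502 (msg:"commented out"; modbus_func:1; sid:1000002; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; '
    'flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; '
    'content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; '
    'classtype:denial-of-service; sid:29965;'
)

def enabled_preprocessors(snort_conf):
    """Preprocessors actually configured (commented-out lines do not count)."""
    return set(PREPROC_RE.findall(snort_conf))

def rule_options(rule):
    """Option keywords inside the rule body; tolerates a truncated rule with no ')'."""
    start, end = rule.find("("), rule.rfind(")")
    body = rule[start + 1 : end if end > start else len(rule)]
    return {m.group(1) for m in OPTION_RE.finditer(body)}

def find_unsupported_rules(rules_text, enabled):
    """(line_no, sid, preprocessor, option) for each offending rule; line_no is
    the number Snort prints in parentheses after the rules path in its error."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        if not line.lstrip().startswith(RULE_ACTIONS):
            continue  # comment, blank line or include, not a rule
        opts, sid_m = rule_options(line), SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for preproc, keywords in PREPROCESSOR_OPTIONS.items():
            if preproc not in enabled:
                findings.extend((line_no, sid, preproc, o) for o in sorted(opts & keywords))
    return findings

if __name__ == "__main__":
    print(find_unsupported_rules(SAMPLE_RULES, enabled_preprocessors(SAMPLE_CONF)))
```

          On a real box, read /usr/local/etc/snort/snort_<id>_<if>/snort.conf and its rules/snort.rules into the two arguments; each finding names the preprocessor to enable on the PREPROCESSORS tab or the sid to disable.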
          • kinch @bmeeks

            @bmeeks thank you! You are right. I checked by myself for Modbus protocol / devices. We don't use any of these devices, so I deactivated the ruleset. Thank you for your answer.

            br
            k

            • bmeeks

              Modbus is for industrial control systems. It is not used in business or home networks (typically).

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.