Snort no long running

chrischambers

I have Snort 4.1.3_2 installed on my PFSENSE.

This morning I discovered that my plugin is no longer running - so I tried to restarted it by everytime I click on the cycle arrow - it try's but don't.

it has been running fine for the pass few months as I was monitoring a ping attacks and I wanted to make sure I was not being hacked.

I have tried removing it and re-installation it but this didn't resolve the issue.

I have tried to find the logs to see what is happening but I can't find them, so can someone please inform me on where they are - or if this is a knowledge issue of the package and there is a know solution

infosamu.it

I have got the same situation.

infosamu.it

i've got this error in log:

FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].

palomar72

Same here!

palomar72

After removing the "download of Emerging Threats Open rules", and a force update of rules, Snort restated.
Obviously without the Emerging Threats Open rules.

infosamu.it

ok problem solved.

if you remove the line from the file snort.rules the snort starts again.

infosamu.it

this is the line

alert tcp [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 377"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:4374; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2021_03_19;)

chrischambers

@infosamu-it said in Snort no long running:

i've got this error in log:

FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].

where is the log files so that I can check this myself ?

Rogerboomhouser

@chrischambers

From the GUI, status>system logs.

Ramosel

It looks like the rule has been fixed.
Force an update
Start or restart Snort

palomar72

@ramosel Yep! fixed. Thank you.

infosamu.it

yes, it works!

chrischambers

@rogerboomhouser said in Snort no long running:

GUI, status>system

thanks, for the info, and now my is working to.