• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Snort fatal error after emerging.rules update

IDS/IPS
13
38
3.6k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • I
    InstanceExtension
    last edited by Jun 16, 2023, 12:05 AM

    Jun 15 17:58:34 snort 15604 FATAL ERROR: /usr/local/etc/snort/snort_3612_ix1/rules/snort.rules:26779: Can't use flow: stateless option with other options
    Jun 15 17:58:29 SnortStartup 15261 Snort START for LAN(ix1)...
    Jun 15 17:58:16 php-fpm 85281 /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database)
    Jun 15 16:35:32 php 83022 [Snort] The Rules update has finished.
    Jun 15 16:35:32 php 83022 [Snort] Snort has restarted on LAN with your new set of rules...
    Jun 15 16:35:32 php 83022 /usr/local/pkg/snort/snort_check_for_rule_updates.php: The command '/usr/local/bin/snort -R _3612 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_ix13612 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 3612 -c /usr/local/etc/snort/snort_3612_ix1/snort.conf -i ix1' returned exit code '1', the output was ''
    Jun 15 16:35:32 snort 88230 FATAL ERROR: /usr/local/etc/snort/snort_3612_ix1/rules/snort.rules:26779: Can't use flow: stateless option with other options
    Jun 15 16:35:29 kernel pid 75058 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
    Jun 15 16:35:28 php 83022 [Snort] Snort START for LAN(ix1)...
    Jun 15 16:35:27 snort 75058 *** Caught Term-Signal
    Jun 15 16:35:26 php 83022 [Snort] Snort STOP for LAN(ix1)...
    Jun 15 16:35:25 php 83022 [Snort] Building new sid-msg.map file for LAN...
    Jun 15 16:35:25 php 83022 [Snort] Enabling any flowbit-required rules for: LAN...
    Jun 15 16:35:24 php 83022 [Snort] Enabling any flowbit-required rules for: LAN...
    Jun 15 16:35:22 php 83022 [Snort] Updating rules configuration for: LAN ...
    Jun 15 16:35:08 php 83022 [Snort] Emerging Threats Open rules file update downloaded successfully
    Jun 15 16:35:07 php 83022 [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...

    C B E 3 Replies Last reply Jun 16, 2023, 2:49 AM Reply Quote 0
    • I
      InstanceExtension
      last edited by Jun 16, 2023, 12:11 AM

      Note: using legacy mode.

      T 1 Reply Last reply Jun 16, 2023, 12:43 AM Reply Quote 0
      • T
        theroot @InstanceExtension
        last edited by Jun 16, 2023, 12:43 AM

        @InstanceExtension
        I came across this a couple hours ago too. There's two rules causing it, SID 2046273 and 2046274. You'll find them under Wan Rules -> Category : emerging-trojan.rules . Disabling these two rules should resolve.

        I C J 3 Replies Last reply Jun 16, 2023, 12:58 AM Reply Quote 8
        • I
          InstanceExtension @theroot
          last edited by InstanceExtension Jun 16, 2023, 1:01 AM Jun 16, 2023, 12:58 AM

          @theroot Thanks but disabling those did not help get Snort back up. Edit: Forgot to hit "Apply". Back up now.

          1 Reply Last reply Reply Quote 1
          • C
            chudak @InstanceExtension
            last edited by Jun 16, 2023, 2:49 AM

            @InstanceExtension

            I see that too.

            Thought maybe it relates to the global attack today, but not sure now.

            So snort update broke this? Any fix?

            TIA

            1 Reply Last reply Reply Quote 0
            • C
              chudak @theroot
              last edited by Jun 16, 2023, 3:13 AM

              @theroot said in Snort fatal error after emerging.rules update:

              @InstanceExtension
              I came across this a couple hours ago too. There's two rules causing it, SID 2046273 and 2046274. You'll find them under Wan Rules -> Category : emerging-trojan.rules . Disabling these two rules should resolve.

              That seemed to have helped!

              Thx!!!

              1 Reply Last reply Reply Quote 0
              • B
                bmeeks @InstanceExtension
                last edited by Jun 16, 2023, 4:19 AM

                This will have to be fixed by the Emerging Threats rule writers. They will release an updated rules archive for those rules pretty soon is my guess. As others have mentioned, you can temporarily work around it by disabling the culprit rules.

                If something similar happens in the future, the error message can help you narrow down the rule. For this case, the error message gives you the rules file being processed and what line number in the file caused a problem.

                /usr/local/etc/snort/snort_3612_ix1/rules/snort.rules:26779

                Open the given file in a text editor and locate line #26779. The rule on that line will be the one causing the problem.

                The Snort package collects all the active enabled rules and writes them into a snort.rules file for each configured Snort interface. Each configured interface has its configuration info provided in a separate subdirectory under /usr/local/etc/snort/.

                M 1 Reply Last reply Jun 16, 2023, 8:18 AM Reply Quote 3
                • D
                  demux
                  last edited by Jun 16, 2023, 5:55 AM

                  Thank you for this thread. It started tonight. And this morning I know what to do. Great!

                  1 Reply Last reply Reply Quote 0
                  • J
                    jacotec
                    last edited by Jun 16, 2023, 6:10 AM

                    Woke up this morning with >200 emails in my inbox ... Service watchdog tried every minute to restart Snort and sent me an email.

                    Great to have the solution already, thanks!

                    B 1 Reply Last reply Jun 16, 2023, 12:57 PM Reply Quote 1
                    • J
                      jagradang
                      last edited by Jun 16, 2023, 8:16 AM

                      Thank you!! I just hit this issue this morning too - over 300 service watchdog errors. Just fixed it now. thank you!

                      1 Reply Last reply Reply Quote 0
                      • M
                        mzawolski @bmeeks
                        last edited by Jun 16, 2023, 8:18 AM

                        @bmeeks said in Snort fatal error after emerging.rules update:

                        They will release an updated rules archive for those rules pretty soon is my guess

                        new rules. Go to: Services / Snort / Updates

                        Force Update

                        Now working fine

                        D C 2 Replies Last reply Jun 16, 2023, 9:34 AM Reply Quote 0
                        • D
                          DBMandrake
                          last edited by DBMandrake Jun 16, 2023, 8:39 AM Jun 16, 2023, 8:38 AM

                          I'm seeing a different rule failing than anyone else in this thread so far:

                          FATAL ERROR: /usr/local/etc/snort/snort_4851_ix0/rules/snort.rules:19567: Can't use flow: stateless option with other options
                          

                          Force Update has not fixed it for me.

                          When I look in the file I don't see a rule 19567, the nearest match is sid 2019567:

                          alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkmalware.info"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|checkmalware|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019567; rev:3; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
                          

                          Not sure if this is a match ? Seems strange that multiple different rules would all break on the same update ?

                          D B 2 Replies Last reply Jun 16, 2023, 8:45 AM Reply Quote 0
                          • J
                            JonathanLee @theroot
                            last edited by Jun 16, 2023, 8:45 AM

                            @theroot thanks

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • D
                              DBMandrake @DBMandrake
                              last edited by Jun 16, 2023, 8:45 AM

                              So I've disabled rule 2019567 and now its complaining about a different one:

                              FATAL ERROR: /usr/local/etc/snort/snort_4851_ix0/rules/snort.rules:19566: Can't use flow: stateless option with other options
                              

                              Is "can't use flow: stateless option with other options" actually a problem with the rules, or are the rules just incompatible with some general setting I have in Snort ?

                              D B 2 Replies Last reply Jun 16, 2023, 8:59 AM Reply Quote 0
                              • D
                                DBMandrake @DBMandrake
                                last edited by DBMandrake Jun 16, 2023, 9:00 AM Jun 16, 2023, 8:59 AM

                                After playing a game of whack a mole with half a dozen rules I've ended up disabling the entire "emerging-trojan.rules" rule category from ET Open Rules for now - seems like a really bad update has been pushed for these rules that has broken numerous rules, as every time I disable one rule it finds another one to complain about.

                                Will try enabling it again in a couple of days...

                                1 Reply Last reply Reply Quote 0
                                • D
                                  demux @mzawolski
                                  last edited by Jun 16, 2023, 9:34 AM

                                  @mzawolski For me still not working

                                  D 1 Reply Last reply Jun 16, 2023, 10:06 AM Reply Quote 0
                                  • D
                                    DBMandrake @demux
                                    last edited by DBMandrake Jun 16, 2023, 10:07 AM Jun 16, 2023, 10:06 AM

                                    @demux Did you try disabling the entire category ? That's what I had to do.

                                    login-to-view

                                    login-to-view

                                    If you run Snort on more than one interface (I don't) you'll need to make the same change on all interfaces.

                                    P 1 Reply Last reply Jun 16, 2023, 10:33 AM Reply Quote 0
                                    • P
                                      pitmacaloway @DBMandrake
                                      last edited by pitmacaloway Jun 16, 2023, 10:36 AM Jun 16, 2023, 10:33 AM

                                      @DBMandrake

                                      Hi,

                                      it works for me by disabling emerging-trojan.rules & snort_malware-cnc.rules categories

                                      ps: It took me a long time to post my solution on this forum, I almost gave up

                                      1 Reply Last reply Reply Quote 0
                                      • B
                                        bmeeks @DBMandrake
                                        last edited by Jun 16, 2023, 12:46 PM

                                        @DBMandrake said in Snort fatal error after emerging.rules update:

                                        When I look in the file I don't see a rule 19567, the nearest match is sid 2019567:

                                        The number shown at the end of the error message is the line number within the rules text file that is at fault. So the problem is with the rule text on line 19567 in the snort.rules text file in the subdirectory listed in the error.

                                        D 1 Reply Last reply Jun 17, 2023, 11:42 AM Reply Quote 0
                                        • B
                                          bmeeks @DBMandrake
                                          last edited by bmeeks Jun 16, 2023, 1:10 PM Jun 16, 2023, 12:47 PM

                                          @DBMandrake said in Snort fatal error after emerging.rules update:

                                          Is "can't use flow: stateless option with other options" actually a problem with the rules, or are the rules just incompatible with some general setting I have in Snort ?

                                          Someone on the Emerging Threats team made a major boo-boo creating one or more of the latest rule archive updates. They will get it fixed and post new rules.

                                          I have not actually checked to verify this hunch, but my first wild guess would be somebody accidentally packaged Snort3 rules in those Category files. The rule keywords and options differ between Snort 2.9.x (which we use on pfSense) and Snort3.

                                          1 Reply Last reply Reply Quote 0
                                          6 out of 38
                                          • First post
                                            6/38
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.