Snort not starting due to rules errors 24-02-2010



  • Updated rules today and Snort refuses to start. I am getting this error in the system log:
    /usr/local/etc/snort/rules/dns.rules(59) => Unknown keyword ' detection_filter' in rule
    Also for the netbios rules.

    I ended up disabling the dns and netbios rules (kept netbios.so) and now snort will start.

    Anyone else have the same problem?



  • I have the same problem… I will try your suggestion. Thanks for this update info :)



  • np, I can't start Snort… any other suggestion?



  • Had the same problem; traced it down to snmp and sql. If you uncheck those from Categories, mine loaded. You will find your errors in the system log file.



  • I had to disable the porn rules category (on 3 different boxes) to get Snort to run.  All 3 systems had been running fine up until the last couple of weeks when I noticed that Snort had shut down.  Logs showed a "FATAL ERROR: /usr/local/etc/snort/rules/porn.rules(24) => Unknown ClassType: kickass-porn".

    I was finally able to update the rules last night and the problem is still there.  If I enable porn.rules Snort will shut down in minutes.  Disable porn.rules and Snort will run fine.



  • I had the same problem with the porn rules; removed the category and Snort started.



  • @vito:

    I had the same problem with the porn rules; removed the category and Snort started.

    I'll look into it this weekend.

    James



  • Any update on this?  I still can't enable a bunch of rules or it breaks.  I'm scared to run an update on my friend's pfsense that I built for him, as the updated rule will more than likely break his rules also.



  • TreeTopFlyer

    /usr/local/etc/snort/rules/porn.rules is not a snort.org rule or emergingthreats.net rule. Please remove said file and your updates will work.
    Maybe a wrong rule got added by snort.org. The current rule downloads do not have porn.rules.

    Though if you want that rule, just add kickass-porn to classification.config in the dir /usr/local/etc/snort/rules.
    Then do an update.

    James



  • Updated today. Registered rules.

    snort[21022]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(80) => Unknown keyword ' detection_filter' in rule!



  • Tester

    Do me a fav, post line 80 from this file /usr/local/etc/snort/rules/netbios.rules.

    Does it match this.

    alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)

    If so, the old snort package has to be moved to snort version 2.8.5.3.



  • My FreeBSD skills suck, but I did vi in and got this info….

    alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)

    does that help?
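Both failures reported in this thread are things a rule file can be checked for before Snort is restarted: an option keyword the installed binary does not understand (detection_filter, which the 2.8.5-era rules use in place of the older threshold option shown above) and a classtype that is not declared in classification.config (the kickass-porn error). The script below is an added example, not code from the thread or from the pfSense Snort package. The keyword table is a constructed, deliberately partial stand-in for an older binary's keyword set, and the classification.config fragment and sample rule lines are constructed for the example; only the rule syntax itself is as shown in the thread.

```python
import re

# ASSUMPTION: a partial, constructed keyword table standing in for a pre-2.8.5
# Snort binary. detection_filter is deliberately absent, as on the old package.
KNOWN_KEYWORDS = {
    "msg", "flow", "content", "depth", "offset", "within", "distance", "nocase",
    "threshold", "classtype", "sid", "rev", "reference", "pcre", "byte_test",
    "byte_jump", "flowbits", "metadata", "priority", "dsize", "uricontent",
}

# Constructed classification.config fragment (same line format as the real file).
CLASSIFICATION_CONFIG = """\
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed rule file: the rev:3 (threshold) and rev:4 (detection_filter)
# forms of the netbios rule from the thread, plus a rule with an undeclared classtype.
SAMPLE_RULES = """\
# sample rules (constructed for this example)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE undeclared classtype"; content:"x"; classtype:kickass-porn; sid:9000001; rev:1;)
"""

# Rule header: action proto src sport dir dst dport, then the option body in parentheses.
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s*\((.*)\)\s*$"
)


def parse_classtypes(config_text):
    """Return the set of classtype names declared in classification.config."""
    names = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("config classification:"):
            body = line.split(":", 1)[1]
            names.add(body.split(",", 1)[0].strip())
    return names


def split_options(option_body):
    """Split a rule's option body on ';' outside double quotes.

    Returns (keyword, value) pairs; value is '' for bare keywords like nocase.
    A ';' inside a quoted content/msg string must not end an option."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf))
    pairs = []
    for part in parts:
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_rules(rule_text, filename, known_keywords=KNOWN_KEYWORDS, classtypes=None):
    """Return Snort-style error strings for rules the assumed binary would reject:
    unknown option keywords and classtypes missing from classification.config."""
    if classtypes is None:
        classtypes = parse_classtypes(CLASSIFICATION_CONFIG)
    errors = []
    for lineno, line in enumerate(rule_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE_RE.match(stripped)
        if not match:
            errors.append(f"{filename}({lineno}) => unparsable rule header")
            continue
        for key, value in split_options(match.group(2)):
            if key not in known_keywords:
                errors.append(f"{filename}({lineno}) => Unknown keyword '{key}' in rule")
            elif key == "classtype" and value not in classtypes:
                errors.append(f"{filename}({lineno}) => Unknown ClassType: {value}")
    return errors


if __name__ == "__main__":
    # Same wording as the FATAL ERROR lines quoted in the thread, for easy comparison.
    for err in check_rules(SAMPLE_RULES, "/usr/local/etc/snort/rules/netbios.rules"):
        print("FATAL ERROR:", err)
```

To use it against a real install, read the rule file and the real classification.config from /usr/local/etc/snort/rules into the two text arguments and replace KNOWN_KEYWORDS with the option keywords your installed Snort version documents. Adding "detection_filter" to the table makes the rev:4 rule pass, which is the same outcome as upgrading the binary; adding kickass-porn to classification.config clears the second error, which is what James suggests above.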



  • tester_02

    Thanks for the help tester. Yes, seems snort.org rules are for the current 2.8.5.x binary.

    It's cool, I'll just update the binaries after testing today.

    James



  • Good to see you back, jamesdean.

    Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?



  • @Roodawakening:

    Good to see you back, jamesdean.

    Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?

    You should be able to use the Diagnostics: Backup/restore tab and select Package Manager.

    I should add this to the FAQ.

    Thanx for the support Roodawakening.

    Always glad to see an old pfSense user here.

    James



  • James

    Concerning the porn.rules issue, I uninstalled the Snort package, cleaned the config.xml of Snort related data, rebooted, re-installed Snort and dl'ed the new ruleset.  Porn.rules was no longer an option under categories and everything is running fine now.  I have always used just the standard oink code rules and porn.rules was always an option under categories and ran fine.  I did notice when I cleaned out the config.xml that porn.rules was listed in there even though I had de-selected it.

    Thanx again for all your help.



  • Err. I am an idiot. I saw this today and still allowed it to update today.

    "Snort rule packages for Subscribers and Registered Users track the latest patch release for any major version. This means that rule packages may make use of features that only exist in the latest version of Snort. A simple example is: If 2.8.4 is the current version of Snort then the snortrules-snapshot-2.8 packages might use features not available in 2.8.3.2 and earlier."

    Going to attempt to remove it from config.xml and reinstall.



  • I got it working again.

    1. As always, backup! Diagnostics > Backup/Restore. Go ahead and back up ALL as well as Package Manager.

    2. Since a few of the Categories were junk or no longer with the recent rules, I went ahead and went to System > Packages > (Installed Packages).
       Go down to the XML icon; put your mouse over it first to make sure it says "Reinstall the packages GUI".

    3. Check Categories and make sure it is empty.

    4. Run Update Rules again.

    5. Check the system log and see if anything failed.

    For me I had to comment out this line in /usr/local/etc/snort/snort.conf by adding a #:

    include $RULE_PATH/web-misc.so.rules

    6. If you still get rule failures, disable the rules that are failing one by one. I only had a few that were failing. After that everything works. Just remember not to let it update until the new package can be released.
