Netgate Discussion Forum
    Snort not starting due to rules errors 24-02-2010

    pfSense Packages
    18 Posts 8 Posters 12.5k Views
tester_02

      Updated rules today and snort refuses to start.  I am getting this error in the system log..
      /usr/local/etc/snort/rules/dns.rules(59) => Unknown keyword ' detection_filter' in rule
      Also for the netbios rules.

      I ended up disabling the dns and netbios rules (kept netbios.so) and now snort will start.

      Anyone else have the same problem?

simby

        I have the same problem… I will try your suggestion. Thanks for this update info :)

simby

          np, I can't start snort… any other suggestion?

jmalez

            Had the same problem, traced it down to snmp and sql. If you uncheck those from categories mine loaded; you will find your errors in the system log file.

TreeTopFlyer

              I had to disable the porn rules category (on 3 different boxes) to get Snort to run.  All 3 systems had been running fine up until the last couple of weeks when I noticed that Snort had shut down.  Logs showed a "FATAL ERROR: /usr/local/etc/snort/rules/porn.rules(24) => Unknown ClassType: kickass-porn".

              I was finally able to update the rules last night and the problem is still there.  If I enable porn.rules Snort will shut down in minutes.  Disable porn.rules and Snort will run fine.

vito

                I had the same problem with the porn rules, removed the category and snort started.

jamesdean

                  @vito:

                  I had the same problem with the porn rules, removed the category and snort started.

                  I'll look into it this weekend.

                  James

tester_02

                    Any update on this?  I still can't enable a bunch of rules or it breaks.  I'm scared to run an update on my friend's pfsense that I built for him, as the updated rule will more than likely break his rules also.

jamesdean

                      TreeTopFlyer

                      /usr/local/etc/snort/rules/porn.rules is not a snort.org rule or emergingthreats.net rule. Please remove said file and your updates will work.
                      Maybe a wrong rule got added by snort.org. The current rule downloads do not have porn.rules.

                      Though if you want that rule, just add kickass-porn to classification.config in the dir /usr/local/etc/snort/rules.
                      Then do an update.

                      James

tester_02

                        Updated today, registered rules.

                        snort[21022]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(80) => Unknown keyword ' detection_filter' in rule!

jamesdean

                          Tester

                          Do me a fav, post line 80 from this file /usr/local/etc/snort/rules/netbios.rules.

                          Does it match this?

                          alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)

                          If so, the old snort package has to be moved to snort version 2.8.5.3.

tester_02

                            my freebsd skills suck, but I did vi in and get this info….

                            alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)

                            does that help?

jamesdean

                              tester_02

                              Thanks for the help, tester. Yes, it seems snort.org rules are for the current 2.8.5.x binary.

                              It's cool, I'll just update the binaries after testing today.

                              James

Roodawakening

                                Good to see you back, jamesdean.

                                Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?

                                "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
                                –Virgil, Aeneid, Book 6

                                Rob

jamesdean

                                  @Roodawakening:

                                  Good to see you back, jamesdean.

                                  Question…I always have to reconfigure Snort when there's a new version. Any way to maintain the old settings with a new version?

                                  You should be able to use the Diagnostics: Backup/Restore tab and select Package Manager.

                                  I should add this to the FAQ.

                                  Thanx for the support Roodawakening.

                                  Always glad to see an old pfsense user here.

                                  James

TreeTopFlyer

                                    James

                                    Concerning the porn.rules issue, I uninstalled the Snort package, cleaned the config.xml of Snort related data, rebooted, re-installed Snort and dl'ed the new ruleset.  Porn.rules was no longer an option under categories and everything is running fine now.  I have always used just the standard oink code rules and porn.rules was always an option under categories and ran fine.  I did notice when I cleaned out the config.xml that porn.rules was listed in there even though I had de-selected it.

                                    Thanx again for all your help.

g4m3c4ck

                                      Err. I am an idiot. I saw this today and still allowed it to update today.

                                      "Snort rule packages for Subscribers and Registered Users track the latest patch release for any major version. This means that rule packages may make use of features that only exist in the latest version of Snort. A simple example is: If 2.8.4 is the current version of Snort then the snortrules-snapshot-2.8 packages might use features not available in 2.8.3.2 and earlier."

                                      Going to attempt to remove it from config.xml and reinstall.

g4m3c4ck

                                        I got it working again.

                                        1. As always, backup! Diagnostics > Backup/Restore. Go ahead and backup ALL as well as Package Manager.

                                        2. Since a few of the Categories were junk or no longer with the recent rules, I went ahead and went to System > Packages > (Installed Packages).
                                              Go down to the XML icon; put your mouse over it first to make sure it says "Reinstall the packages GUI".

                                        3. Check Categories and make sure it is empty.

                                        4. Run Update Rules again.

                                        5. Check the system log and see if anything failed.

                                        For me I have to comment out this line in /usr/local/etc/snort/snort.conf by adding a #:

                                        include $RULE_PATH/web-misc.so.rules

                                        6. If you still get rule failures, disable the rules that are failing one by one. I only had a few that were failing. After that everything works. Just remember not to let it update until the new package can be released.
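The two FATAL ERRORs in this thread ("Unknown keyword ' detection_filter'" in dns.rules/netbios.rules and "Unknown ClassType: kickass-porn" in porn.rules) both come from rule files the installed Snort binary cannot parse, and step 6 above finds the offenders one category at a time. The Python script below is an added example, not code from this thread or from the pfSense Snort package: it runs the same two checks offline over a rule file before Snort is restarted, flagging every option keyword an older binary does not know and every classtype missing from classification.config, so all failing rules show up in one pass. The keyword set is an assumed, illustrative subset of what a Snort 2.8.4 binary accepts (detection_filter is left out because it arrived with 2.8.5, which is the version mismatch jamesdean identified), and the classification.config and rule lines are constructed inline, modelled on the sid 2924 rev 3 and rev 4 lines quoted by jamesdean and tester_02.

```python
"""Pre-flight check for Snort rule files (added example, not pfSense/Snort code):
report option keywords the installed binary does not know and undeclared classtypes
in the same '<file>(<line>) => ...' form Snort uses for its FATAL ERRORs."""
import re

# Assumption: an illustrative subset of the rule-option keywords a Snort 2.8.4
# binary accepts. 'detection_filter' is deliberately absent: it was introduced
# with Snort 2.8.5, which is the version mismatch behind this thread.
SNORT_284_KEYWORDS = {
    "msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata",
    "content", "nocase", "rawbytes", "depth", "offset", "distance", "within",
    "uricontent", "isdataat", "pcre", "byte_test", "byte_jump", "flow", "flowbits",
    "dsize", "ttl", "ip_proto", "threshold", "fragbits", "flags", "itype", "icode",
    "tag", "fast_pattern", "http_uri", "http_header", "http_client_body",
}

# Constructed: a two-line classification.config (real ones list many more).
CLASSIFICATION_CONFIG = """\
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed: sid 2924 in its rev 3 (threshold) and rev 4 (detection_filter)
# forms as quoted in the thread, plus a rule whose classtype is not declared
# in the config above (the porn.rules situation).
RULES = """\
# comment line
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE undeclared classtype"; classtype:kickass-porn; sid:9000001; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)")

def parse_classification_config(text):
    """Return the set of classtype names declared in a classification.config."""
    return {m.group(1) for m in map(CLASS_RE.match, text.splitlines()) if m}

def split_options(body):
    """Split the text inside a rule's parentheses on ';' outside double quotes,
    honouring backslash escapes (rules write a literal ';' in content as '\\;')."""
    options, cur, in_quote, escape = [], [], False, False
    for ch in body:
        cur.append(ch)
        if escape:
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(cur[:-1]).strip())
            cur = []
    options.append("".join(cur).strip())
    return [o for o in options if o]

def logical_lines(text):
    """Yield (line_no, rule_text) with backslash-continued lines joined; line_no
    is the first physical line, which is the number Snort reports in its error."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:
        yield start, "".join(buf)

def check_rules(rules_text, known_keywords, known_classtypes, filename="rules"):
    """Return a list of problems in Snort's '<file>(<line>) => ...' style.
    An empty list means nothing here would stop Snort from loading the file."""
    findings = []
    for no, line in logical_lines(rules_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            findings.append(f"{filename}({no}) => rule has no option section")
            continue
        for opt in split_options(line[start + 1:end]):
            keyword, _, value = opt.partition(":")
            keyword, value = keyword.strip(), value.strip()
            if keyword not in known_keywords:
                findings.append(f"{filename}({no}) => Unknown keyword '{keyword}' in rule")
            elif keyword == "classtype" and value not in known_classtypes:
                findings.append(f"{filename}({no}) => Unknown ClassType: {value}")
    return findings

def run_example():
    """Check the constructed rules against the 2.8.4 keyword set and config."""
    classtypes = parse_classification_config(CLASSIFICATION_CONFIG)
    return check_rules(RULES, SNORT_284_KEYWORDS, classtypes, "netbios.rules")

if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Against the constructed input the script reports the rev 4 line for detection_filter and the third rule for its undeclared classtype, while the rev 3 line passes; adding detection_filter to the keyword set (a 2.8.5 binary) and kickass-porn to classification.config (jamesdean's suggested fix) clears both findings. To use it on a real install, read the files from /usr/local/etc/snort/rules in place of the constructed strings and compare the keyword set against the version the pfSense package actually ships.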