Latest SNORT fails to start



  • Hi JamesDean,

    First off, let me THANK YOU for your hard work and kick-ass SNORT package.

    I am having an issue with the latest build I installed this morning (Running 1.2.3 Release with SNORT 2.8.6.1 pkg 1.3.4). I can't get SNORT to start. All I see are these errors in the system log:

    Sep 10 07:22:23 SnortStartup[6459]: Interface Rule START for 0_18690_em0…
    Sep 10 07:22:23 snort[6457]: FATAL ERROR: /usr/local/etc/snort/snort_18690_em0/snort.conf(41) Missing argument to HOME_NET
    Sep 10 07:22:23 snort[6457]: FATAL ERROR: /usr/local/etc/snort/snort_18690_em0/snort.conf(41) Missing argument to HOME_NET
    Sep 10 07:22:23 snort[6457]: Parsing Rules file "/usr/local/etc/snort/snort_18690_em0/snort.conf"
    Sep 10 07:22:23 snort[6457]: Parsing Rules file "/usr/local/etc/snort/snort_18690_em0/snort.conf"

    I tried looking into the snort.conf file, but since I really have no clue what to do there, I saw nothing glaringly wrong… Could you please assist?

    PS: Also, the UPDATE RULES button seems not to work any longer in Opera. :-[
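
A pre-start check for the failure in the log above, as an added example that is not part of the original post or of the package's code: it scans a snort.conf for `var`/`ipvar`/`portvar` declarations that have no value (what the FATAL ERROR line reports for HOME_NET) and for variables used before they have one. The sample config, the function names and the message wording are constructed for illustration.

```python
import re

# Snort 2.x variable declarations: var / ipvar / portvar NAME VALUE
DECL = re.compile(r'^(var|ipvar|portvar)\s+(\S+)(?:\s+(.*))?$')

# Constructed sample, not the poster's file
SAMPLE = r"""# generated config (constructed)
var HOME_NET
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,\
    8080]
var SMTP_SERVERS $HOME_NET   # inline comment
"""

def logical_lines(text):
    """Yield (first_line_no, joined_line), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def check_vars(text, path="snort.conf"):
    """Return findings in the file(line) style Snort uses in its errors."""
    findings, defined = [], set()
    for no, line in logical_lines(text):
        line = line.split("#", 1)[0].strip()      # drop comments
        m = DECL.match(line)
        if not m:
            continue
        keyword, name, value = m.groups()
        if not value or not value.strip():
            findings.append(f"{path}({no}) missing value for {keyword} {name}")
            continue                               # name stays undefined
        # Variables are resolved in file order, so a reference must
        # point at a name that already received a value.
        for ref in re.findall(r'\$\(?(\w+)', value):
            if ref not in defined:
                findings.append(f"{path}({no}) {name} references undefined ${ref}")
        defined.add(name)
    return findings

if __name__ == "__main__":
    print("\n".join(check_vars(SAMPLE)) or "no variable problems found")
```

Run against the interface's generated snort.conf before restarting Snort; an empty result means every declared variable has a value.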



  • I just upgraded as well and I am seeing the exact same thing. I have only done preliminary troubleshooting.

    I attempted to update the rules using Firefox and IE, but neither worked (nothing happens - no errors). Also the tabs across the top of the update screen (for Rule Update, Custom, GUI) don't seem to work.

    I did attempt to uninstall SNORT, followed by a reinstall with no improvement.

    Running 1.2.3 Release with SNORT 2.8.6.1 pkg 1.3.4

    PS: Thanks for all the hard work!



  • Sorry about that.
    Doing code clean up.

    Fixed….

    You can do a reinstall now.

    James



  • Thankee-Sai! Should I remove and re-install now?



  • THANK YOU, it works!

    FYI, since the last build (1.3.3) I show N/A SNORT.ORG rule version after updates. I do have an oinkcode and everything… (screenie attached)

    Am I still getting the snort.org rule updates?




  • Works for me too. Thanks JamesDean.



  • @Pistolero:

    THANK YOU, it works!

    FYI, since the last build (1.3.3) I show N/A SNORT.ORG rule version after updates. I do have an oinkcode and everything… (screenie attached)

    Am I still getting the snort.org rule updates?

    I'll update it on the next release.

    Thank you
    James



  • When it breaks, usually jamesdean already knows it's broken. I just wait a few hours then try again; if it still doesn't work, he has usually posted something on the forum stating what's wrong. He is very quick at fixing problems with the packages he manages. Thank you for all your hard work with this package.



  • Resolved my issue, but I believe I came across another issue that causes false positives. When I enable SMTP Normalizer under the SNORT Preprocessors, I will get this alert and then the host will get blocked, for example:

    IP: XX.XX.XX.XX  Alert Description: (SMTP) Attempted response buffer overflow 766 chars

    The odd thing about this alert and block is it only happens when our network is e-mailing a remote network mail server, but the attack alert looks like it came from the network we are transmitting the e-mail to???

    No, our network is not infected with some spammer bot; 2nd, our LAN rules only allow outbound SMTP from one machine, and that is our mail server; 3rd, the attack looks like it comes from the remote network but will only generate when someone sends an e-mail to someone outside our network.

    Why is this a problem? Well, one, they did not send us the e-mail, we did; the 2nd reason is, if they want to reply back to the sent e-mail, the e-mail will not make it to our mail servers until their IP gets released from the block list.

    Can anyone else reproduce this issue or have experienced this with the SMTP normalizer preprocessor? I noticed something odd with the SCAN preprocessor as well, but not sure enough to commit.

    Thanks for any help.



  • I am experiencing the same issue.  Can't find anything on the boards about it.  Anybody?

