Error message on snort startup



  • Hi,

    Am new to pfsense, having installed in a basic vanilla mode a few weeks ago, with no addons. Version is 1.2.3. No problems thus far and looks a very well sorted piece of software. Am running a two layer firewall, pfsense outer and ipcop inner.

    Installed snort this afternoon with no problems and downloaded the latest ruleset. Looking at the system logfile after a reboot, I get two messages of the form:

    snort[1069]: FATAL ERROR: /usr/local/etc/snort/snort_31447_fxp0/rules/attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers.

    Not really sure what the reference to the "HTTP Inspect preprocessor" refers to. Any pointers appreciated. I don't have barnyard2 logfile target enabled at present, as it seemed easier to target the system logfile to start with.

    Regards,

    Chris



  • @ChrisQ:

    Hey Chris!

    Problem is that you need to enable the HTTP inspect preprocessor. To do that…

    1. Log in to pfSense and click on Services / Snort tab
    2. Under "Snort Interfaces" click the edit button next to your interface
    3. Click on the "Preprocessors" tab
    4. Under "HTTP Inspect Settings" section put a checkmark in "Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies."

    It should tell you at the top that the Snort service needs to be restarted. If it doesn't, just go back to the "Snort Interfaces" and click the red stop button and then the green start button to restart the service.

    Should be good to go after that, good luck and have a great night!

    Gabriel



  • Hey Chris!

    Problem is that you need to enable the HTTP inspect preprocessor. To do that…

    Thanks - made the changes and still got some fatal errors on startup, but these were related to the snort rule files. Deleted one rule line in /usr/local/etc/snort/snort_31447_fxp0/rules/exploit.rules and around 6 in ..specific-threat.rules and everything now starts up without any errors. Can't say I completely know what I'm doing here, but all seems to work.

    It's my first introduction to FreeBSD and there seem to be a whole load of options in pfsense that I don't recognise at all, so will have to get FreeBSD installed on an old machine later in the year to see how all the bits fit together.

    Had an uptime almost since install, with constant memory usage, so no memory leaks and a very robust, fit and forget system thus far...

    Regards,

    Chris
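
Added example, not part of the thread and not pfSense or Snort project code: a pre-flight check for the startup failure discussed above. It scans rule text for Snort 2.x HTTP content modifiers and reports the active rules that depend on them when the configuration has no uncommented `preprocessor http_inspect:` line. The modifier list, the sample configuration and the sample rules (including their sids) are constructed assumptions, and rules are assumed to sit on one line each.

```python
import re

# Snort 2.x content modifiers that read http_inspect buffers (assumed list;
# check it against the manual for the Snort version you run).
HTTP_MODIFIERS = (
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg")
MODIFIER_RE = re.compile(r";\s*(" + "|".join(HTTP_MODIFIERS) + r")\s*(?=;)")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+http_inspect\s*:", re.M)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def http_inspect_enabled(conf_text):
    """True if the config has an uncommented 'preprocessor http_inspect:' line."""
    return bool(PREPROC_RE.search(conf_text))


def rules_needing_http_inspect(rules_text):
    """Return (line_no, sid, modifiers) for each active rule using an HTTP modifier."""
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or rule already disabled with '#'
        mods = sorted(set(MODIFIER_RE.findall(stripped)))
        if mods:
            sid = SID_RE.search(stripped)
            hits.append((no, int(sid.group(1)) if sid else None, mods))
    return hits


def preflight(conf_text, rules_text):
    """Rules that depend on http_inspect while the preprocessor is not enabled."""
    return [] if http_inspect_enabled(conf_text) else rules_needing_http_inspect(rules_text)


# Constructed sample input (not taken from the thread): http_inspect commented out.
SAMPLE_CONF = "# preprocessor http_inspect: global\nvar HOME_NET any\n"
SAMPLE_RULES = '''\
# alert tcp any any -> any 80 (msg:"disabled"; content:"x"; http_uri; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed A"; content:"/a"; http_uri; content:"b"; http_header; sid:1000002;)
alert tcp any any -> any 25 (msg:"constructed B"; content:"HELO"; sid:1000003;)
'''

if __name__ == "__main__":
    for no, sid, mods in preflight(SAMPLE_CONF, SAMPLE_RULES):
        print(f"line {no}: sid {sid} uses {', '.join(mods)} but http_inspect is not enabled")
```

Run against a real rules file and configuration by reading both into strings and passing them to `preflight`; a rule prefixed with `#` is skipped by Snort, so a reported rule can be disabled that way and restored later.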

