Snort no longer starts - rules problem?



  • Hi,

    I'm running pfSense 2.01-Release and Snort 2.9.1 pkg v. 2.0.2 …Snort failed to restart after an automatic rules update (or after my attempt to update the rules and restart manually) with the following errors in the system log:

    Jan 20 10:10:18 snort[57080]: WARNING /usr/local/etc/snort/snort_23958_em2/rules/emerging-dos.rules(100) threshold (in rule) is deprecated; use detection_filter instead.
    Jan 20 10:10:18 snort[57080]: WARNING /usr/local/etc/snort/snort_23958_em2/rules/emerging-dos.rules(100) threshold (in rule) is deprecated; use detection_filter instead.
    Jan 20 10:10:21 snort[57080]: FATAL ERROR: /usr/local/etc/snort/snort_23958_em2/rules/snort_web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
    Jan 20 10:10:21 snort[57080]: FATAL ERROR: /usr/local/etc/snort/snort_23958_em2/rules/snort_web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.

    Any ideas? Thanks very much….



  • A subsequent search revealed the solution:

    Specifically, I needed to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' to 'Advanced configuration pass through' on Snort's 'If Settings' tab via the gui.

    Thx…
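A pre-flight check for the failure in this thread, as an added example (not code from the thread or from the pfSense Snort package): it lists variables such as `$FILE_DATA_PORTS` that rule headers reference but the configuration never defines, so a rules update can be vetted before Snort is restarted. The function name `check` and the sample config and rules are constructed for illustration.

```python
import re

# Constructed sample data (not taken from the poster's system).
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""
SAMPLE_RULES = """\
# constructed rules, not from any real rule set
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed A"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed B"; content:"$x"; sid:1000002;)
"""
# The line from the thread that is pasted into the pass-through box.
FIX = "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

DEF_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.*)$')
REF_RE = re.compile(r'\$(\w+)')

def check(conf_text, rules_text):
    """Return (source, line_no, name) for every reference to an undefined variable."""
    defined, findings = set(), []
    # Pass 1: walk the config in order; a definition may only reference
    # variables that were defined on an earlier line.
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DEF_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        findings += [("conf", no, ref) for ref in REF_RE.findall(value)
                     if ref not in defined]
        defined.add(name)
    # Pass 2: check only the rule header (text before the first "(");
    # a "$" inside rule options such as content is not a variable reference.
    for no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = line.split("(", 1)[0]
        findings += [("rules", no, ref) for ref in REF_RE.findall(header)
                     if ref not in defined]
    return findings

if __name__ == "__main__":
    print("before fix:", check(SAMPLE_CONF, SAMPLE_RULES))
    print("after fix: ", check(SAMPLE_CONF + FIX, SAMPLE_RULES))
```

The same function also flags the fix line itself if it is placed before `HTTP_PORTS` is defined, since the new `portvar` depends on it.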



  • I seem to be having the same issue. Snort will get updates automatically and then stop working. Snort seems to be a package that does not work well. Snort on pfsense has had issues for years now. I am almost finding the Snort package to be unreliable. Just look at the package forum section, almost every other post has to do with some sort of Snort issue. Personally I find it hard to believe the package is labeled correctly as being stable.



  • @Slab:

    A subsequent search revealed the solution:

    Specifically, I needed to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' to 'Advanced configuration pass through' on Snort's 'If Settings' tab via the gui.

    Thx…

    Worked for me, too.  I have no idea what I just opened up on my firewall, but it's working.

    Thanks
    AWS



  • @awsiemieniec:

    Worked for me, too.  I have no idea what I just opened up on my firewall, but it's working.

    Nothing at all, you just set a variable that is read by snort.

