Netgate Discussion Forum

    Cannot start snort after last update :( ByteExtract variable '^Authorization\x3A

      whiggy

      I need help please. After the last update I get the following error if I try to start snort:

      FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.

      It makes no difference whether I have any rules active or not.

        __ivy__

        I've got the same issue. No amount of reinstalling helps.

          __ivy__

          The offending rule is in /usr/local/lib/snort/dynamicrules/web-misc.so

          Turning off the http preprocessor suppresses the message, but breaks the multitude of rules depending upon it.

            kilthro

            Did anyone find a fix for this? I upgraded today and for the life of me, I can't get snort to start. Snort fails to start and I see this error in the logs:
            snort[1403]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.

            I have disabled the .so and all the web rules, even all the snort rules. I have even turned all of the rules off including the preprocessor and still get the error. I have removed the package many times and reinstalled it… Is there a way to go to the previous version of this package? It was running just fine for me. This update just will not run at all.

              kilthro

              Well, I removed everything again, did a find for anything named snort and found /usr/local/lib/snort/dynamicrules. Removed it and now with no rules I can start snort again. Will start to add rules back to see if all is well… Looks like it's left behind or some data is messed up when upgrading.

                __ivy__

                I'm going to try the same.

                  __ivy__

                  Uninstalling, deleting the contents of /usr/local/lib/snort/dynamicrules, and reinstalling got me back up and running.

                  Thanks for the help.

                    kilthro

                    Yep I am back up and running with all rules as I had them before. So if anyone else has the same issue this should fix it.

                      Fesoj

                      After updating the packages (to 2.9.2.3 pkg v. 2.2.1) I got the same problem (FATAL ERROR: ByteExtract variable …).

                      After deleting the contents of /usr/local/lib/snort/dynamicrules, reinstalling the snort package, and updating the rule sets the snort service is now running without any error messages in the system log.

                      But there seem to be no alerts anymore. E.g. enabling the p2p rules and running uTorrent on a client computer does not trigger any alert (as it did before the update). After reinstalling the snort package and the rules, the dynamicrules directory is still empty. Does anybody know whether this is supposed to be so, or are some files missing in the latest package? It could also be that the p2p rules are no longer able to catch the p2p traffic of the recent uTorrent clients (but I doubt that).

                        kilthro

                        I am not sure. I can test later on. I have noticed since the last update that I am getting triple the alerts in the alerts tab for every alert now, and the memory consumption of Snort keeps climbing. It was almost at a gig of memory after one day of getting this package up and running and it has never been that high. It's set to the default (low end system setting). So I am thinking I am going to have to reinstall it again… Also on the blocked tab, the alert column for the blocked hosts always has n/a. Guessing it can't determine what alert to put there since it's triplicated on the alerts tab. I knew I should have left it alone. It's been working so well for so long. Darn those updates lol.

                          Fesoj

                          After loading the last working configuration I got some new error messages (having 2 interfaces defined):

                          snort[35598]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_2791_em0//usr/local/etc/snort/snort_2791_em0/reference.config": No such file or directory.
                          ...
                          snort[42473]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_52881_em1//usr/local/etc/snort/snort_52881_em1/reference.config": No such file or directory.
                          

                          Inside the snort.conf files the paths are correct, so I guess the duplication happens somewhere in the php code. Before I went back to the backup config file, the path duplication occurred only on one of the interfaces (where I changed some parameters before).

                          Update: Forget about this. These messages were related to not updating the rule sets...

                          Alerting still doesn't work.

                            Fesoj

                            The system log says:

                            ...
                            snort[3342]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
                            ...
                            

                            Currently it looks as if this is the reason why snort does not want to work properly. Obviously, reinstallation did not work.

                            After disabling the snort.org *.so rules and enabling the more or less corresponding emergingthreads.net rules, the system works as expected and offenders are blocked again. Does anybody know where the content from dynamicrules is supposed to come from? The packages from files.pfsense.org seem to contain only an example module.

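A way to triage the three Snort start-up messages quoted in this thread, as an added example (not code from any poster or from the pfSense package). The function name `triage_snort_log` and its output labels are hypothetical; the sample lines are copied from the posts above, and the `kind=` field relies on Snort's convention that generator ID 3 marks shared-object (.so) rules.

```shell
#!/bin/sh
# Added example: classify the Snort messages from this thread. Reads syslog
# lines on stdin and prints one finding per recognised line.
triage_snort_log() {
    awk '
    /ByteExtract variable/ && /is used before it is defined/ {
        # The rule id is logged as [GID:SID]; GID 3 = shared-object (.so) rule.
        if (match($0, /in rule \[[0-9]+:[0-9]+\]/)) {
            split(substr($0, RSTART + 9, RLENGTH - 10), p, ":")
            kind = (p[1] + 0 == 3) ? "shared-object-rule" : "other-rule"
            print "byteextract-undefined gid=" p[1] " sid=" p[2] " kind=" kind
        }
        next
    }
    /No dynamic libraries found in directory/ {
        dir = $0
        sub(/.*found in directory /, "", dir)
        sub(/\.$/, "", dir)            # drop the trailing full stop
        print "no-dynamic-libraries dir=" dir
        next
    }
    /Unable to open rules file "/ {
        path = $0
        sub(/.*Unable to open rules file "/, "", path)
        sub(/".*/, "", path)
        # A doubled prefix looks like "<dir>//<dir>/<file>".
        i = index(path, "//")
        if (i > 1 && index(substr(path, i + 1), substr(path, 1, i - 1) "/") == 1)
            print "doubled-path prefix=" substr(path, 1, i - 1)
        else
            print "missing-file path=" path
        next
    }'
}

# Sample input: log lines copied from the posts above.
sample_log() {
    cat <<'EOF'
snort[1403]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.
snort[35598]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_2791_em0//usr/local/etc/snort/snort_2791_em0/reference.config": No such file or directory.
snort[3342]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
EOF
}

sample_log | triage_snort_log
```

On a live system the function would be fed the system log instead of `sample_log`.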
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.