Cannot start snort after last update :( ByteExtract variable '^Authorization\x3A
-
the offending rule is in /usr/local/lib/snort/dynamicrules/web-misc.so
Turning off the http preprocessor suppresses the message, but breaks the multitude of rules depending upon it.
-
Did anyone find a fix for this? I upgraded today and for the life of me, I cant get snort to start.. Snort fails to start and i see this error in the logs
snort[1403]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.I have disabled the .so and all the web rules even all the snort rules. I have even turned all of the rules off including the preprocessor and still get the error. I have removed the package many times and reinstalled it… Is there away to go to the previous version of this package? It was running just fine for me.. This update just will not run at all.
-
Well i removed everything again.. did a find for anything named snort and found /usr/local/lib/snort/dynamicrules . removed it and now with no rules i can start snort again.. will start to add rules back to see if all is well… looks like its left behind or some data is messed up when upgrading.
-
I'm going to try the same.
-
Uninstalling, deleting the contents of /usr/local/lib/snort/dynamicrules, and reinstalling got me back up and running.
Thanks for the help.
-
Yep I am back up and running with all rules as I had them before. So if anyone else has the same issue this should fix it.
-
After updating the packages (to 2.9.2.3 pkg v. 2.2.1) I got the same problem (FATAL ERROR: ByteExtract variable …).
After deleting the contents of /usr/local/lib/snort/dynamicrules, reinstalling the snort package, and updating the rule sets the snort service is now running without any error messages in the system log.
But, there seem to be no alerts anymore. E.g. enabling the p2p rules and running uTorrent on a client computer does not trigger any alert (as it did before the update). After reinstalling the snort package and the rules, the dynamicrules directory is still empty. Does anybody know whether this is is supposed to be so, or are some files missing in the latest package? It could also be that the p2p rules are no longer able to catch the p2p traffic of the recent uTorrent clients (but I doubt that).
-
I am not sure. I can test later on. I have noticed since the last update, that I am getting triple the alerts in the alerts tab for every alert now and the memory consumption of Snort keeps climbing. It was almost at a gig of memory after one day of getting this package up and running and it has never been that high.. Its set to the default (low end system setting). So I am thinking I am going to have to reinstall it again… also on the blocked tab, the alert column for the blocked hosts always have n/a.. Guessing it cant determine what alert to put there since its triplicated on the alerts tab.. I knew I should have left it alone. Its been working so well for so long.. darn those updates lol..
-
After loading the last working configuration I got some new error messages (having 2 interfaces defined):
snort[35598]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_2791_em0//usr/local/etc/snort/snort_2791_em0/reference.config": No such file or directory. ... snort[42473]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_52881_em1//usr/local/etc/snort/snort_52881_em1/reference.config": No such file or directory.
Inside the snort.conf files the paths are correct, so I guess the duplication happens somewhere in the php code. Before I went back to the backup config file, the path duplication occurred only on one of the interfaces (where I changed some parameters before).
Update Forget about this–-these messages were related to not updating the rule sets...
Alerting still doesn't work.
-
The system log says:
... snort[3342]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules. ...
Currently it looks as if this is the reason why snort does not want to work properly. Obviously, reinstallation did not work.
After disabling the snort.org *.so rules and enabling the more or less corresponding emergingthreads.net rules, the system works as expected and offenders are blocked again. Does anybody know where the content from dynamicrules is supposed to come from? The packages from files.pfsense.org seem to contain only an example module.