Snort 2.9.3 v2.4.0 no alerts, no blocking…



  • updated snort, but now no alerts nor blocking works. :(

    logs in /var/log/snort are empty.



  • Just check to see that your rules and preprocessors are enabled.



  • Updating the package and the rules work, but starting up fails with this message in the system logs:

    snort[10689]: FATAL ERROR: /usr/local/etc/snort/snort_2791_em0/snort.conf(120) => Failed to parse: No end brace found



  • same here



  • Heh fixed the ssl port definition of ports.
    I had tested it with custom SSL ignore range.

    Anyway in 15 minutes will be safe to upgrade and issue will be fixed.



  • @miles267:

    ugh.  snort seems to get progressively worse with each build.  hasn't functioned reliably in months.  next time I get it to work, no way I'm updating again.  now:

    Thank you for helping in testing.



  • Updated to: Snort 2.9.2.3 pkg v. 2.4.1

    Noticed that no matter what I enter into the If Settings > 'Advanced Configuration Pass Through' dialog box, it gets converted to a string of random characters.

    For example, if I enter: portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] and SAVE.  When I go back, it will then display in the same dialog box:

    cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd

    Also, despite entering: 443 563
    into the Define SSL_IGNORE dialog box, snort still will not start.  And returns the following:

    snort[26571]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(54) Missing argument to SSL_PORTS_IGNORE
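An added example, not part of the original thread and not the package's own code: the string shown in the pass-through box in the post above is the Base64 encoding of the text that was entered, which the sketch below decodes. It also lints `var`/`ipvar`/`portvar` lines for a missing value or an unclosed `[` list. The names `decode_if_base64` and `lint_vars` and the sample config are hypothetical and constructed, and treating these two checks as covering the startup failures reported in this thread is an assumption.

```python
import base64
import binascii
import re

# Value copied from the post above: what the pass-through box showed after saving.
STORED = "cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd"

# Constructed sample config lines (not taken from a real snort.conf).
SAMPLE_CONF = """\
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
portvar SSL_PORTS_IGNORE
portvar HTTP_PORTS [80,8080
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

VAR_LINE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s*(.*)$")


def decode_if_base64(value):
    """Heuristic: return decoded text if value is Base64 of printable ASCII, else value."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value
    return text if text and text.isprintable() else value


def lint_vars(conf_text):
    """Report var/ipvar/portvar lines with no value or an unclosed '[' list."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = VAR_LINE.match(line)
        if not m:
            continue
        _, name, value = m.groups()
        if not value.strip():
            findings.append((lineno, name, "missing value"))
        elif value.count("[") != value.count("]"):
            findings.append((lineno, name, "unbalanced brackets"))
    return findings


if __name__ == "__main__":
    print(decode_if_base64(STORED))
    for finding in lint_vars(SAMPLE_CONF):
        print(finding)
```

Running Snort's own configuration test mode (`snort -T -c <path to snort.conf>`) remains the authoritative check before restarting the service.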



  • Fixed also.
    Again test after 15 minutes.



  • @ermal:

    Fixed also.
    Again test after 15 minutes.

    OK - great.  Will there be a 2.4.2? or have you already fixed 2.4.1?  I've re-installed 2.4.1 as of 7:30 PM CT but the same issue persists.  Perhaps I updated too soon.



  • install went well but snort isn't alerting. Usually a common port scan from https://www.grc.com/x/ne.dll?bh0bkyd2 will generate an alert



  • Reinstall with latest fixes it should behave better.



  • deinstalled snort, installed it newly, did a reboot after updating, snort started, but still no alerts nor blocking… :(
    But at all the overhaul was great! Behaves much better!!!!

    edit: snort started reporting alerts, but still no blocking :(

