Snort cannot start



  • After the update today with 2.1.2-RELEASE (i386), my Snort package cannot start!
    In the system logs I have some error messages:

    Apr 12 14:54:06	snort[87727]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'.
    Apr 12 14:54:05	SnortStartup[87478]: Snort START for WAN(37769_xl0)...
    Apr 12 14:54:01	php: servicewatchdog_cron.php: Service Watchdog detected service snort stopped. Restarting snort (Snort IDS/IPS Daemon)
    Apr 12 14:53:56	snort[61180]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'.
    Apr 12 14:53:55	SnortStartup[60890]: Snort START for WAN(37769_xl0)...
    Apr 12 14:53:37	snort[56100]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'.
    Apr 12 14:53:36	SnortStartup[56078]: Snort START for WAN(37769_xl0)...
    Apr 12 14:53:06	snort[32694]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'.
    Apr 12 14:53:05	SnortStartup[32677]: Snort START for WAN(37769_xl0)...
    Apr 12 14:53:01	php: servicewatchdog_cron.php: Service Watchdog detected service snort stopped. Restarting snort (Snort IDS/IPS Daemon)
    Apr 12 14:52:58	php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 37769 -D -q -l /var/log/snort/snort_xl037769 --pid-path /var/run --nolock-pidfile -G 37769 -c /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/snort.conf -i xl0' returned exit code '1', the output was ''
    Apr 12 14:52:58	snort[28863]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'.
    Apr 12 14:52:57	php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(xl0)...
    Apr 12 14:52:56	check_reload_status: Syncing firewall
    Apr 12 14:52:53	check_reload_status: Syncing firewall
    

    Any suggestions?



  • So I discovered the problem by myself in line 425 with:
    ee /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules

    
    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:s
    
    

    So in the respective menu: Snort --> Snort interfaces --> Edit Snort interface mapping --> Wan preprocs

    I ticked Enable "Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data.
    Note: To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."

    And now everything is fine, Snort is running fine!
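
The failure in this thread, written as a pre-start check (an added example, not part of the original posts or of the pfSense Snort package): it scans a rules file for options that only parse when their preprocessor is loaded, such as 'sd_pattern', and reports the ones whose preprocessor is not enabled in snort.conf. The option-to-preprocessor map, the function names and the sample rules and config are assumptions constructed for illustration, and the map goes beyond the single option seen in the thread.

```python
import re

# Rule options that only parse when their preprocessor is loaded in snort.conf.
# sd_pattern is the option from the thread; the other three are Snort 2.x
# preprocessor options included here to generalize the check.
OPTION_NEEDS = {"sd_pattern": "sensitive_data", "dce_iface": "dcerpc2",
                "ssl_state": "ssl", "sip_method": "sip"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option arguments
PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)", re.M)

def enabled_preprocessors(conf_text):
    """Names found on uncommented 'preprocessor' lines of snort.conf."""
    return set(PREPROC.findall(conf_text))

def rule_options(rule_line):
    """Option keywords of one rule, ignoring text inside quoted arguments."""
    start = rule_line.find("(")
    if start < 0:
        return []
    body = QUOTED.sub('""', rule_line[start + 1:])
    return [o.split(":", 1)[0].strip() for o in body.split(";") if o.strip(" )")]

def missing_preprocessors(rules_text, conf_text):
    """Return (line_no, option, preprocessor) for options Snort would reject."""
    enabled = enabled_preprocessors(conf_text)
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for opt in rule_options(line):
            need = OPTION_NEEDS.get(opt)
            if need and need not in enabled:
                findings.append((no, opt, need))
    return findings

# Constructed sample input (not the thread's actual files).
SAMPLE_RULES = r'''# constructed rules
alert tcp any any -> any 80 (msg:"note\; sd_pattern:only text"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"cards"; sd_pattern:2,credit_card; sid:1000002;)
'''
CONF_OFF = ("preprocessor frag3_global: max_frags 65536\n"
            "# preprocessor sensitive_data: alert_threshold 25\n")
CONF_ON = CONF_OFF + "preprocessor sensitive_data: alert_threshold 25\n"

if __name__ == "__main__":
    for no, opt, need in missing_preprocessors(SAMPLE_RULES, CONF_OFF):
        print(f"snort.rules({no}): '{opt}' needs preprocessor {need}")
```

The reported line number uses the same file(line) form as the FATAL ERROR message in the log above, so a finding can be matched directly against the rule Snort refuses to load.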



  • asphyx
    Thanks, this works for me!

