Snort cannot start
-
After update today with 2.1.2-RELEASE (i386) my snort package cannot start !
In system logs i have some error messages :Apr 12 14:54:06 snort[87727]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'. Apr 12 14:54:05 SnortStartup[87478]: Snort START for WAN(37769_xl0)... Apr 12 14:54:01 php: servicewatchdog_cron.php: Service Watchdog detected service snort stopped. Restarting snort (Snort IDS/IPS Daemon) Apr 12 14:53:56 snort[61180]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'. Apr 12 14:53:55 SnortStartup[60890]: Snort START for WAN(37769_xl0)... Apr 12 14:53:37 snort[56100]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'. Apr 12 14:53:36 SnortStartup[56078]: Snort START for WAN(37769_xl0)... Apr 12 14:53:06 snort[32694]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'. Apr 12 14:53:05 SnortStartup[32677]: Snort START for WAN(37769_xl0)... Apr 12 14:53:01 php: servicewatchdog_cron.php: Service Watchdog detected service snort stopped. Restarting snort (Snort IDS/IPS Daemon) Apr 12 14:52:58 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 37769 -D -q -l /var/log/snort/snort_xl037769 --pid-path /var/run --nolock-pidfile -G 37769 -c /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/snort.conf -i xl0' returned exit code '1', the output was '' Apr 12 14:52:58 snort[28863]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rules(425) Unknown rule option: 'sd_pattern'. Apr 12 14:52:57 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(xl0)... Apr 12 14:52:56 check_reload_status: Syncing firewall Apr 12 14:52:53 check_reload_status: Syncing firewall
Any suggestions ?
-
So i discover the problem by myself in line 425 with:
ee /usr/pbi/snort-i386/etc/snort/snort_37769_xl0/rules/snort.rulesalert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:s
So in respective menu: Snort –> Snort interfaces --> Edit Snort interface mapping --> Wan preprocs
I tick Enable "Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data.
Note: To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."And now everything is fine snort running fine !
-
asphyx
Thank´s, this work for me!.