Snort[90724]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group pattern



  • Hi guy,

    After the last udpate i have this message after many Time.

    Pfsense install

    2.1.2-RELEASE (i386)
    built on Thu Apr 10 05:23:34 EDT 2014
    FreeBSD 8.3-RELEASE-p15

    Snort Install

    snort Security 2.9.6.0 pkg v3.0.6

    And after this install the Pfsense running slow (i see i read other topic but find nothing).

    I desinstall snort and reinstall but the same.

    Any people as some answers !!!

    Regards

    JN



  • @Jeannoel:

    Hi guy,

    After the last udpate i have this message after many Time.

    Pfsense install

    2.1.2-RELEASE (i386)
    built on Thu Apr 10 05:23:34 EDT 2014
    FreeBSD 8.3-RELEASE-p15

    Snort Install

    snort Security 2.9.6.0 pkg v3.0.6

    And after this install the Pfsense running slow (i see i read other topic but find nothing).

    I desinstall snort and reinstall but the same.

    Any people as some answers !!!

    Regards

    JN

    You more than likely have something wrong either with Port Alias (those would be defined under Firewall…Aliases and then assigned on the Variables tab in Snort), or you have some really wrong with part of your saved configuration.  That particular file throwing the error is part of the Fast Pattern Matcher code in Snort responsible for generating port groups.

    I know it's a radical solution, but you might be better off to uncheck the "save settings on deinstall" checkbox on the Global Settings tab, remove the Snort package, reinstall it, and the configure again from scratch with a clean slate.

    Bill



  • Thanks Bill for your reply.

    I suppressed the whitlist who use an frirewall alias and re-create then. Today no crash.

    I wait… and it's not good, i uninstall completly Snort for an new default config.

    Do you knows where i can find an suppress list for false positiv. I see one topic but Asterix and other member are not the same opinion that him.

    Thks

    jn



  • @Jeannoel:

    Thanks Bill for your reply.

    I suppressed the whitlist who use an frirewall alias and re-create then. Today no crash.

    I wait… and it's not good, i uninstall completly Snort for an new default config.

    Do you knows where i can find an suppress list for false positiv. I see one topic but Asterix and other member are not the same opinion that him.

    Thks

    jn

    There is no "official" suppress list.  The posts here on the Forum are likely the best you will find.  I think the lists posted here are pretty good.

    Bill



  • hi,

    Finaly i reinstall default config and now it's works.

    I have other question. It normal the amount of memory with all free rules selected.

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Emerging Threats Open Rules

    13% of 3042 MB

    regards jn



  • @Jeannoel:

    hi,

    Finaly i reinstall default config and now it's works.

    I have other question. It normal the amount of memory with all free rules selected.

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Emerging Threats Open Rules
     
    13% of 3042 MB

    regards jn

    Remember there is more to enabling the rules than simply checking the three boxes on the GLOBAL SETTINGS tab.  Those boxes select which rule vendors you will be using to download rule packages.  You then have to download those packages on the UPDATES tab, then you go to the CATEGORIES tab and select which rule categories you want to use from those enabled rule packages.  The Snort How-To sticky in this Forum has more details if this is new to you.  If you have already done these things, then please ignore this paragraph… :D

    Snort memory consumption is a product of two variables:  number of active rules and number of active sessions.  So a lot of rules with not much traffic is not going to consume a ton of memory.  That's my case with my home firewall.  On the other hand, even a few rules with lots of sessions can eat up memory.  But generally speaking, the more enabled rules you have, the more memory will be consumed.  And if you have lots of enabled rules and a very busy network, then memory consumption can shoot way up to 4 GB and even quite a bit more.

    Bill



  • Thks but before the update, Snort and Pfsense with the same rules selected my memories are up to 80%. And now is 13% for> 100 rules.

    Is my home network and no big trafic.

    OK them works fine and the memories is low therefore  I think is OK.

    Thks for your answers snort is very fine but complex.

    Nice day

    Jn



  • I'm getting the same issue:

    Jun 16 18:18:27	snort[42209]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
    Jun 16 17:41:27	kernel: ue0: promiscuous mode enabled
    Jun 16 17:37:22	SnortStartup[59099]: Snort START for WAN(4176_ue0)...
    Jun 16 17:37:18	SnortStartup[38320]: Snort STOP for WAN(4176_ue0)...
    Jun 16 17:37:06	check_reload_status: Reloading filter
    Jun 16 17:37:03	check_reload_status: Syncing firewall
    Jun 16 17:34:24	kernel: ue0: promiscuous mode disabled
    Jun 16 17:34:23	snort[96805]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
    Jun 16 17:32:54	php: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN (ue0)...
    Jun 16 17:32:54	php: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN (ue0)...
    Jun 16 17:32:51	check_reload_status: Syncing firewall
    Jun 16 17:32:49	check_reload_status: Syncing firewall
    Jun 16 17:32:37	check_reload_status: Syncing firewall
    Jun 16 17:27:23	kernel: ue0: promiscuous mode enabled
    Jun 16 17:23:18	SnortStartup[55948]: Snort START for WAN(4176_ue0)...
    

    Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

    Tried de-installing/etc. No luck. Any thoughts?


  • Moderator

    @Fmstrat:

    I'm getting the same issue:

    Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

    Tried de-installing/etc. No luck. Any thoughts?

    I have one box with "AC" and others are using "AC-BNFA-NQ", I haven't had any crashes. Only thing I see infrequently is Snort just dropping on "Signal 11" without any other error messages.

    Do you have all of the Pre-Processors enabled in Snort? Maybe one of the rules is trying to call a disabled pre-processor?



  • @BBcan177:

    @Fmstrat:

    I'm getting the same issue:

    Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

    Tried de-installing/etc. No luck. Any thoughts?

    I have one box with "AC" and others are using "AC-BNFA-NQ", I haven't had any crashes. Only thing I see infrequently is Snort just dropping on "Signal 11" without any other error messages.

    Do you have all of the Pre-Processors enabled in Snort? Maybe one of the rules is trying to call a disabled pre-processor?

    I have all of them enabled except sensitive data. My hardware setup is an internal NIC for LAN, and a USB NIC for WAN. I tried switching snort over to the LAN and it seems to function fine there, so I'm wondering if the issue is somehow related to the network card itself. Is that even physically possible given snort's architecture?

    As I look at the snort blocks', I'm actually curious as to if running on the LAN is better. When I run on WAN, I can't see which internal IP is engaged in the connection that causes the alert, making it very hard to trace sources. However, when it's on the LAN, all the alerts display the internal IP and the blocks show the external IP, which makes it much easier to debug. Is there any downside to running on the LAN end of things? Seems the benefit would be scanning internal traffic for infected machine, but the downside would be missing external attackers that are scanning ports that are already blocked by the firewall (which shouldn't matter, really.) Thoughts?

    Ben

    P.S. Unfortunately, I probably won't get back to the script we discussed until next week.


  • Moderator

    @Fmstrat:

    I have all of them enabled except sensitive data. My hardware setup is an internal NIC for LAN, and a USB NIC for WAN. I tried switching snort over to the LAN and it seems to function fine there, so I'm wondering if the issue is somehow related to the network card itself. Is that even physically possible given snort's architecture?

    As I look at the snort blocks', I'm actually curious as to if running on the LAN is better. When I run on WAN, I can't see which internal IP is engaged in the connection that causes the alert, making it very hard to trace sources. However, when it's on the LAN, all the alerts display the internal IP and the blocks show the external IP, which makes it much easier to debug. Is there any downside to running on the LAN end of things? Seems the benefit would be scanning internal traffic for infected machine, but the downside would be missing external attackers that are scanning ports that are already blocked by the firewall (which shouldn't matter, really.) Thoughts?

    Ben

    P.S. Unfortunately, I probably won't get back to the script we discussed until next week.

    I don't think you will get good success with USB NICs on pfSense.

    The LAN will show a little more detail. If you want more, you need a full IDS like "Security Onion" installed after pfSense or before it.

    Bill does recommend that a smaller list be put on the WAN like Port scans, Cins, Compromised, Drops, etc… and than as many rules on the LAN that it can handle (without the rules you don't require for your network)

    If you use pfBlocker (or my script  ;) ), you could also avoid the Cins, Drops, Compromised on the WAN as Snort sees a copy of the packets first before pfBlocker and they will both Log the same packets.

    Make sure you check out my Github Gist for recent changes to the script.

    Thanks.


Log in to reply