Netgate Discussion Forum

    Snort[90724]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group pattern

    pfSense Packages
    • JeanNo

      Hi guys,

      After the last update I have this message after a long time.

      pfSense install

      2.1.2-RELEASE (i386)
      built on Thu Apr 10 05:23:34 EDT 2014
      FreeBSD 8.3-RELEASE-p15

      Snort Install

      snort Security 2.9.6.0 pkg v3.0.6

      And after this install pfSense is running slow (I read other topics but found nothing).

      I uninstalled Snort and reinstalled it, but it is the same.

      Does anybody have some answers?

      Regards

      JN

      • bmeeks

        @Jeannoel:

        Hi guys,

        After the last update I have this message after a long time.

        pfSense install

        2.1.2-RELEASE (i386)
        built on Thu Apr 10 05:23:34 EDT 2014
        FreeBSD 8.3-RELEASE-p15

        Snort Install

        snort Security 2.9.6.0 pkg v3.0.6

        And after this install pfSense is running slow (I read other topics but found nothing).

        I uninstalled Snort and reinstalled it, but it is the same.

        Does anybody have some answers?

        Regards

        JN

        You more than likely have something wrong either with a Port Alias (those would be defined under Firewall…Aliases and then assigned on the Variables tab in Snort), or you have something really wrong with part of your saved configuration.  That particular file throwing the error is part of the Fast Pattern Matcher code in Snort responsible for generating port groups.

        I know it's a radical solution, but you might be better off to uncheck the "save settings on deinstall" checkbox on the Global Settings tab, remove the Snort package, reinstall it, and then configure again from scratch with a clean slate.

        Bill

        • JeanNo

          Thanks Bill for your reply.

          I suppressed the whitelist which used a firewall alias and re-created it. Today no crash.

          I waited… and it's not good; I completely uninstalled Snort for a new default config.

          Do you know where I can find a suppress list for false positives? I saw one topic, but Asterix and other members are not of the same opinion as him.

          Thanks

          jn

          • bmeeks

            @Jeannoel:

            Thanks Bill for your reply.

            I suppressed the whitelist which used a firewall alias and re-created it. Today no crash.

            I waited… and it's not good; I completely uninstalled Snort for a new default config.

            Do you know where I can find a suppress list for false positives? I saw one topic, but Asterix and other members are not of the same opinion as him.

            Thanks

            jn

            There is no "official" suppress list.  The posts here on the Forum are likely the best you will find.  I think the lists posted here are pretty good.

            Bill

            • JeanNo

              Hi,

              Finally I reinstalled the default config and now it works.

              I have another question. Is the amount of memory normal with all free rules selected?

              Snort VRT Rules
              Snort GPLv2 Community Rules
              Emerging Threats Open Rules

              13% of 3042 MB

              regards jn

              • bmeeks

                @Jeannoel:

                Hi,

                Finally I reinstalled the default config and now it works.

                I have another question. Is the amount of memory normal with all free rules selected?

                Snort VRT Rules
                Snort GPLv2 Community Rules
                Emerging Threats Open Rules
                 
                13% of 3042 MB

                regards jn

                Remember there is more to enabling the rules than simply checking the three boxes on the GLOBAL SETTINGS tab.  Those boxes select which rule vendors you will be using to download rule packages.  You then have to download those packages on the UPDATES tab, then you go to the CATEGORIES tab and select which rule categories you want to use from those enabled rule packages.  The Snort How-To sticky in this Forum has more details if this is new to you.  If you have already done these things, then please ignore this paragraph… :D

                Snort memory consumption is a product of two variables:  number of active rules and number of active sessions.  So a lot of rules with not much traffic is not going to consume a ton of memory.  That's my case with my home firewall.  On the other hand, even a few rules with lots of sessions can eat up memory.  But generally speaking, the more enabled rules you have, the more memory will be consumed.  And if you have lots of enabled rules and a very busy network, then memory consumption can shoot way up to 4 GB and even quite a bit more.

                Bill

                • JeanNo

                  Thanks, but before the update, with Snort and pfSense and the same rules selected, my memory was up to 80%. And now it is 13% for > 100 rules.

                  It is my home network, with no big traffic.

                  OK, it works fine and the memory is low, therefore I think it is OK.

                  Thanks for your answers; Snort is very fine but complex.

                  Nice day

                  Jn

                  • Fmstrat

                    I'm getting the same issue:

                    Jun 16 18:18:27	snort[42209]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
                    Jun 16 17:41:27	kernel: ue0: promiscuous mode enabled
                    Jun 16 17:37:22	SnortStartup[59099]: Snort START for WAN(4176_ue0)...
                    Jun 16 17:37:18	SnortStartup[38320]: Snort STOP for WAN(4176_ue0)...
                    Jun 16 17:37:06	check_reload_status: Reloading filter
                    Jun 16 17:37:03	check_reload_status: Syncing firewall
                    Jun 16 17:34:24	kernel: ue0: promiscuous mode disabled
                    Jun 16 17:34:23	snort[96805]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
                    Jun 16 17:32:54	php: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN (ue0)...
                    Jun 16 17:32:54	php: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN (ue0)...
                    Jun 16 17:32:51	check_reload_status: Syncing firewall
                    Jun 16 17:32:49	check_reload_status: Syncing firewall
                    Jun 16 17:32:37	check_reload_status: Syncing firewall
                    Jun 16 17:27:23	kernel: ue0: promiscuous mode enabled
                    Jun 16 17:23:18	SnortStartup[55948]: Snort START for WAN(4176_ue0)...
                    

                    Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

                    Tried de-installing/etc. No luck. Any thoughts?
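
Added example (not part of the original posts, and not pfSense or Snort code): a small Python triage script that pairs each `FATAL ERROR` in a system-log excerpt like the one above with the last Snort START or RELOAD CONFIG logged before it, to show whether a crash follows a rule (re)load or comes later while Snort is running. The log lines are abridged from the post; the year 2014 and all function names are assumptions.

```python
import re
from datetime import datetime

# Abridged from the excerpt in the post above (newest first, as posted).
SYSLOG = """\
Jun 16 18:18:27 snort[42209]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
Jun 16 17:41:27 kernel: ue0: promiscuous mode enabled
Jun 16 17:37:22 SnortStartup[59099]: Snort START for WAN(4176_ue0)...
Jun 16 17:37:18 SnortStartup[38320]: Snort STOP for WAN(4176_ue0)...
Jun 16 17:34:24 kernel: ue0: promiscuous mode disabled
Jun 16 17:34:23 snort[96805]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group patterns.
Jun 16 17:32:54 php: /snort/snort_alerts.php: [Snort] Snort RELOAD CONFIG for WAN (ue0)...
Jun 16 17:27:23 kernel: ue0: promiscuous mode enabled
Jun 16 17:23:18 SnortStartup[55948]: Snort START for WAN(4176_ue0)...
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*)$")
# Events after which Snort (re)builds its rule set, and the crash signature.
TRIGGERS = (("START", re.compile(r"Snort START for")),
            ("RELOAD", re.compile(r"Snort RELOAD CONFIG for")))
FATAL = re.compile(r"snort\[(\d+)\]: FATAL ERROR: (\S+) ")

def parse(text, year=2014):
    """Return (timestamp, message) tuples in chronological order.
    Syslog lines carry no year, so `year` is an assumption."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    events.reverse()                  # input is newest first
    events.sort(key=lambda e: e[0])   # stable sort keeps same-second order
    return events

def crashes_after_trigger(text):
    """For each FATAL ERROR, name the last START/RELOAD and seconds since it."""
    last, out = None, []
    for ts, msg in parse(text):
        for name, rx in TRIGGERS:
            if rx.search(msg):
                last = (name, ts)
        hit = FATAL.search(msg)
        if hit:
            after = last[0] if last else None
            secs = int((ts - last[1]).total_seconds()) if last else None
            out.append({"pid": int(hit.group(1)), "where": hit.group(2),
                        "after": after, "seconds": secs})
    return out

if __name__ == "__main__":
    for crash in crashes_after_trigger(SYSLOG):
        print(crash)
```
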

                    • BBcan177 Moderator

                      @Fmstrat:

                      I'm getting the same issue:

                      Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

                      Tried de-installing/etc. No luck. Any thoughts?

                      I have one box with "AC" and others are using "AC-BNFA-NQ", I haven't had any crashes. Only thing I see infrequently is Snort just dropping on "Signal 11" without any other error messages.

                      Do you have all of the Pre-Processors enabled in Snort? Maybe one of the rules is trying to call a disabled pre-processor?

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      • Fmstrat

                        @BBcan177:

                        @Fmstrat:

                        I'm getting the same issue:

                        Running in AC, plenty of RAM. Seems to occur when a lot of traffic goes through the connection and snort maxes out at 100% for a bit.

                        Tried de-installing/etc. No luck. Any thoughts?

                        I have one box with "AC" and others are using "AC-BNFA-NQ", I haven't had any crashes. Only thing I see infrequently is Snort just dropping on "Signal 11" without any other error messages.

                        Do you have all of the Pre-Processors enabled in Snort? Maybe one of the rules is trying to call a disabled pre-processor?

                        I have all of them enabled except sensitive data. My hardware setup is an internal NIC for LAN, and a USB NIC for WAN. I tried switching snort over to the LAN and it seems to function fine there, so I'm wondering if the issue is somehow related to the network card itself. Is that even physically possible given snort's architecture?

                        As I look at the snort blocks, I'm actually curious as to if running on the LAN is better. When I run on WAN, I can't see which internal IP is engaged in the connection that causes the alert, making it very hard to trace sources. However, when it's on the LAN, all the alerts display the internal IP and the blocks show the external IP, which makes it much easier to debug. Is there any downside to running on the LAN end of things? Seems the benefit would be scanning internal traffic for infected machines, but the downside would be missing external attackers that are scanning ports that are already blocked by the firewall (which shouldn't matter, really.) Thoughts?

                        Ben

                        P.S. Unfortunately, I probably won't get back to the script we discussed until next week.

                        • BBcan177 Moderator

                          @Fmstrat:

                          I have all of them enabled except sensitive data. My hardware setup is an internal NIC for LAN, and a USB NIC for WAN. I tried switching snort over to the LAN and it seems to function fine there, so I'm wondering if the issue is somehow related to the network card itself. Is that even physically possible given snort's architecture?

                          As I look at the snort blocks, I'm actually curious as to if running on the LAN is better. When I run on WAN, I can't see which internal IP is engaged in the connection that causes the alert, making it very hard to trace sources. However, when it's on the LAN, all the alerts display the internal IP and the blocks show the external IP, which makes it much easier to debug. Is there any downside to running on the LAN end of things? Seems the benefit would be scanning internal traffic for infected machines, but the downside would be missing external attackers that are scanning ports that are already blocked by the firewall (which shouldn't matter, really.) Thoughts?

                          Ben

                          P.S. Unfortunately, I probably won't get back to the script we discussed until next week.

                          I don't think you will get good success with USB NICs on pfSense.

                          The LAN will show a little more detail. If you want more, you need a full IDS like "Security Onion" installed after pfSense or before it.

                          Bill does recommend that a smaller list be put on the WAN like Port scans, Cins, Compromised, Drops, etc… and then as many rules on the LAN that it can handle (without the rules you don't require for your network)

                          If you use pfBlocker (or my script  ;) ), you could also avoid the Cins, Drops, Compromised on the WAN as Snort sees a copy of the packets first before pfBlocker and they will both Log the same packets.

                          Make sure you check out my Github Gist for recent changes to the script.

                          Thanks.
