SNORT FATAL ERROR: (998) Unknown rule option: 'sip_header'.



  • I came in at work this morning and notice that the Snort Service was NOT running,  i tried to manually start it back but that did not work so i went into Status –> System Logs  to check whats happening. the following logs below is what i saw (see log below at end of post).

    I SSH into my Pfsense box and searched the "snort.rules" file to find the misbehaving rules i managed to narrow it down to Signature Rules # 32041 and 32042,  i then disabled both rules and then i could now manually start back my Snort Service. its now happily running again

    Snort was running fine for months, i'm assuming a bad update came in last night an something was wrong with the rules and it was that was preventing Snort from starting.

    Maybe someone who is well advanced with snort can have a look on the rules again to see if there is any errors with the signature/updates.. I Really hope I'm not alone with this issue.

    Error Log

    Sep 30 09:59:30 SnortStartup[10764]: Snort START for ISP1 INTERNET(64427_em0)…
    Sep 30 09:59:31 snort[10867]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_64427_em0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:33 SnortStartup[11480]: Snort START for MY LAN(46633_re0)…
    Sep 30 09:59:33 snort[11578]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46633_re0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:35 SnortStartup[12580]: Snort START for ISP2INTERNET (52789_rl0)…
    Sep 30 09:59:35 snort[12729]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_52789_rl0/rules/snort.rules(998) Unknown rule option: 'sip_header'.



  • @humps:

    I came in at work this morning and notice that the Snort Service was NOT running,  i tried to manually start it back but that did not work so i went into Status –> System Logs  to check whats happening. the following logs below is what i saw (see log below at end of post).

    I SSH into my Pfsense box and searched the "snort.rules" file to find the misbehaving rules i managed to narrow it down to Signature Rules # 32041 and 32042,  i then disabled both rules and then i could now manually start back my Snort Service. its now happily running again

    Snort was running fine for months, i'm assuming a bad update came in last night an something was wrong with the rules and it was that was preventing Snort from starting.

    Maybe someone who is well advanced with snort can have a look on the rules again to see if there is any errors with the signature/updates.. I Really hope I'm not alone with this issue.

    Error Log

    Sep 30 09:59:30 SnortStartup[10764]: Snort START for ISP1 INTERNET(64427_em0)…
    Sep 30 09:59:31 snort[10867]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_64427_em0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:33 SnortStartup[11480]: Snort START for MY LAN(46633_re0)…
    Sep 30 09:59:33 snort[11578]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46633_re0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:35 SnortStartup[12580]: Snort START for ISP2INTERNET (52789_rl0)…
    Sep 30 09:59:35 snort[12729]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_52789_rl0/rules/snort.rules(998) Unknown rule option: 'sip_header'.

    Generally speaking, anytime you see an "Unknown rule option" error, that indicates one of two things.  Either a required preprocessor is disabled, or the rule is written for another Snort version that supports the rule option in question.

    In this case I'm betting it's a disabled preprocessor.  Do you have the SIP Preprocessor enabled on the PREPROCESSORS tab?

    If I am correct and you had the SIP Preprocessor disabled, please go sit in the corner and put yourself in timeout for at least 30 minutes…  ;)

    OK, kidding on the timeout part, but for others reading this thread let me say this again for the thousandth time -- DO NOT DISABLE ANY PREPROCESSORS!!!  That is a surefire way to kill Snort at some point when a rules update occurs and some formerly disabled rule gets enabled, or a new rule is created by the rule authors.  Rules and the preprocessors are locked together at the hip.  They depend on each other.  And if a preprocessor is disabled, but all the dependent rules are not also disabled, then you will get fatal startup errors.  That's because of the inter-dependency between the preprocessors and the rules they support.  The preprocessor code is what interprets and takes the appropriate action for all the rule keywords and options, so if the preprocessor is disabled, then so is all the code within Snort that understands those rule options and keywords.  When that code is disabled, then you get the fatal startup errors.

    You gain pretty much nothing by disabling preprocessors, so DO NOT DO IT!

    Sorry for the rant, and this rant is not aimed at the OP, but it's just frustrating to see posts regularly from folks with these kinds of errors caused by not following the recommendations.

    Bill



  • @bmeeks:

    @humps:

    I came in at work this morning and notice that the Snort Service was NOT running,  i tried to manually start it back but that did not work so i went into Status –> System Logs  to check whats happening. the following logs below is what i saw (see log below at end of post).

    I SSH into my Pfsense box and searched the "snort.rules" file to find the misbehaving rules i managed to narrow it down to Signature Rules # 32041 and 32042,  i then disabled both rules and then i could now manually start back my Snort Service. its now happily running again

    Snort was running fine for months, i'm assuming a bad update came in last night an something was wrong with the rules and it was that was preventing Snort from starting.

    Maybe someone who is well advanced with snort can have a look on the rules again to see if there is any errors with the signature/updates.. I Really hope I'm not alone with this issue.

    Error Log

    Sep 30 09:59:30 SnortStartup[10764]: Snort START for ISP1 INTERNET(64427_em0)…
    Sep 30 09:59:31 snort[10867]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_64427_em0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:33 SnortStartup[11480]: Snort START for MY LAN(46633_re0)…
    Sep 30 09:59:33 snort[11578]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46633_re0/rules/snort.rules(998) Unknown rule option: 'sip_header'.
    Sep 30 09:59:35 SnortStartup[12580]: Snort START for ISP2INTERNET (52789_rl0)…
    Sep 30 09:59:35 snort[12729]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_52789_rl0/rules/snort.rules(998) Unknown rule option: 'sip_header'.

    Generally speaking, anytime you see an "Unknown rule option" error, that indicates one of two things.  Either a required preprocessor is disabled, or the rule is written for another Snort version that supports the rule option in question.

    In this case I'm betting it's a disabled preprocessor.  Do you have the SIP Preprocessor enabled on the PREPROCESSORS tab?

    If I am correct and you had the SIP Preprocessor disabled, please go sit in the corner and put yourself in timeout for at least 30 minutes…  ;)

    Bill

    BMeeks your a Genius!  ;)
    Oh YES the  SIP Preprocessor disabled :)
    I will enable it and follow up on the rest of your post tomorrow.

    One thing i would like to add is that sometimes when you update/upgrade Snort to new versions some new features are added and some of the default stuff comes unchecked (example SIP Preprocessor) most times i just leave them as is until i fully understand them before i apply any changes.

    Thanks much



  • @humps:

    BMeeks your a Genius!  ;)
    Oh YES the  SIP Preprocessor disabled :)
    I will enable it and follow up on the rest of your post tomorrow.

    One thing i would like to add is that sometimes when you update/upgrade Snort to new versions some new features are added and some of the default stuff comes unchecked (example SIP Preprocessor) most times i just leave them as is until i fully understand them before i apply any changes.

    Thanks much

    You are welcome, and as I said, the rant was not directed at you or anyone else in particular.  There just seems to have been a number of posts in the last few months similar to this where folks have disabled preprocessors without fully understanding the potential consequences.

    As for the SIP Preprocessor default settings, I think it has been default enabled for a while, but I need to check again and be doubly-sure.

    Bill



  • Meeks,

    How does the SIP preprocessor become disabled?



  • At first, enabling the SIP Detection works.  The daemon starts.  After awhile, it the daemon stops and SIP detection is disabled.

    Does this have anything to do with fact that the update, which occurred last night, failed?



  • Follow up/Update:

    OK I enabled the "SIP preprocessor" and noticed that "Enable IMAP Decoder" was also disabled (unchecked), the default says checked but it wasn't checked, this came through unchecked just as I had posted/reported earlier was the case with the "SIP Preprocessor". I enabled it as well.

    I  also went through all interfaces (LAN/WAN) and enabled signature no. 32041 & 32042 from the GPL Community Rules and Snort is working fine thus far, i will keep and eye on it and report back if I have any further issues.

    Thanks again 8)



  • My pfsense box snort was stopped service after automatic update of rules.
    php: : [Snort] The Rules update has finished.
    php: : [Snort] Building new sig-msg.map file for WLAN…
    php: : [Snort] Enabling any flowbit-required rules for: WLAN…
    php: : The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_5815_em2/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/local/etc/snort/snort_5815_em2/preproc_rules/sensitive-data.rules: No such file or directory'
    php: : [Snort] Updating rules configuration for: WLAN …
    php: : [Snort] Building new sig-msg.map file for WAN…
    php: : [Snort] Enabling any flowbit-required rules for: WAN…
    php: : [Snort] Updating rules configuration for: WAN …
    php: : [Snort] Emerging Threats Open rules file update downloaded successfully

    with the same error here with the same error log.

    snort[50695]: FATAL ERROR: /usr/local/etc/snort/snort_5815_em2/rules.snort.rule(961) Unknown rule option: 'sip_header'.

    I tried what bill said but after I enabled the SIP detection then by clicking save button error comes again.

    Fatal error: Call to undefined function get_interface_ipv6() in /usr/local/pkg/snort/snort.inc on line 368

    Please help. thank you.



  • @MilesDeep:

    At first, enabling the SIP Detection works.  The daemon starts.  After awhile, it the daemon stops and SIP detection is disabled.

    Does this have anything to do with fact that the update, which occurred last night, failed?

    No, a rules update will not disable nor enable a preprocessor.  I will check and be sure the default is enabled for future updates, but for now just look at the PREPROCESSORS tab and check all the preprocessors in the GENERAL section down towards the bottom of the page, then click SAVE.  You usually don't need the two SCADA preprocessors, but it hurts nothing to enable them as well.

    Bill


Log in to reply