Snort GUI misleading v2.2
-
Started Snort in v2.2 and the GUI is misleading: on the Dashboard it shows as if Snort is running, yet when you go to the Snort page it says it is not running. Which GUI are we supposed to trust?
When I check the log I see the following error:
snort[12196]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/rules/snort.rules(11816) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
How do I fix?
-
I'm guessing you have Snort running on multiple interfaces. I see at least two in the screenshots posted. The SERVICES applet on the dashboard simply does a "pgrep snort" to see if any Snort process is running. It can be fooled on multiple interface machines if at least one interface is up even if all the others are down. The other possibility is that you have a zombie Snort process out there. If the two Snort interfaces in your screenshot are all you have configured, then run this command from the firewall command line to see any Snort processes, then kill all the Snort PIDs displayed:
ps -ax | grep snort
As for your system log error, that means one of the rules you have enabled is corrupt (actually it is formatted with incorrect syntax). There is one of the Emerging Threats rules that has been this way for more than a year, and folks have been unsuccessful in getting it fixed. Just disable that rule. You can find its full text and SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/rules/snort.rules and going to line 11816.
Bill
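An added example (not from this thread and not pfSense package code) covering both points in Bill's reply: a per-interface process check, which is stricter than the dashboard's global "pgrep snort" and so is not fooled when one interface is up and another is down, and a lookup of the SID on a given line of snort.rules so the rule can be disabled. The `ps -ax` output and the three-line rules file are constructed samples; the assumption that the package starts each Snort instance with `-c <snort.conf> -i <iface>` on its command line is mine. The sample broken rule reuses the pattern from the log: PCRE reads `\o` as the start of an `\o{...}` octal escape, which is why the compile fails at offset 11.

```shell
#!/bin/sh
# Added example: per-interface Snort process check and rule SID lookup.
# Not from the forum thread; command-line layout (-c <conf> -i <iface>) is assumed.

# Constructed `ps -ax` output: two Snort instances (gif0 and em0) plus the grep itself.
SAMPLE_PS='12196 ??  Ss  0:01.23 /usr/pbi/snort-amd64/bin/snort -R 59307 -D -q -c /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/snort.conf -i gif0
12250 ??  Ss  0:02.10 /usr/pbi/snort-amd64/bin/snort -R 11223 -D -q -c /usr/pbi/snort-amd64/etc/snort/snort_11223_em0/snort.conf -i em0
12301  0  S+  0:00.00 grep snort'

# snort_iface_status PS_TEXT IFACE
# Prints "IFACE running PID" if a snort process was started with "-i IFACE",
# otherwise "IFACE not running". Only the snort binary counts, never the grep line.
snort_iface_status() {
  ps_text="$1"; iface="$2"
  pid=$(printf '%s\n' "$ps_text" | awk -v ifc="$iface" '
    /\/snort / && !/grep/ {
      for (i = 1; i <= NF; i++) if ($i == "-i" && $(i+1) == ifc) { print $1; exit }
    }')
  if [ -n "$pid" ]; then
    printf '%s running %s\n' "$iface" "$pid"
  else
    printf '%s not running\n' "$iface"
  fi
}

# Constructed rules file; line 2 stands in for the rule Snort refuses to compile.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
alert tcp any any -> any any (msg:"constructed rule one"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed broken rule"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"constructed rule three"; sid:9000003; rev:1;)
EOF

# snort_rule_sid FILE LINE
# Prints the sid of the rule on line LINE (the line number from the FATAL ERROR message).
snort_rule_sid() {
  sed -n "${2}p" "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# disable_rule_line FILE LINE
# Comments out the rule on line LINE so Snort skips it; a no-op if already commented.
disable_rule_line() {
  tmp=$(mktemp)
  awk -v n="$2" 'NR == n && $0 !~ /^#/ { print "#" $0; next } { print }' "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# Live use on the firewall would be:
#   snort_iface_status "$(ps -ax)" gif0
#   snort_rule_sid /usr/pbi/snort-amd64/etc/snort/snort_59307_gif0/rules/snort.rules 11816
snort_iface_status "$SAMPLE_PS" gif0
snort_iface_status "$SAMPLE_PS" em0
snort_iface_status "$SAMPLE_PS" wan0
snort_rule_sid "$RULES_FILE" 2
```

Commenting the line out in snort.rules only helps until the package regenerates that file (on a rule update or restart), so use the SID it prints to disable the rule in the Snort package GUI, as Bill suggests, for a change that sticks.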
-
Thanks, that worked perfectly.
cjb