Snort Rule Fatal Error
-
Hello,
I just recently installed Snort 2.9.7.0 pkg v3.2.3 on a new pfSense 2.2 installation. I'm having problems keeping the service running. I'm able to start the service but it will stop shortly afterward.
I viewed the system logs and found a Snort Fatal Error:
snort[15869]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_16846_rl0/rules/snort.rules(9632) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o.
I used file manager to open the file and locate the row causing the error but I'm not sure where to place the open brace as I can't find \o for row 9632. Can someone indicate where I must place the open bracket? Your help would be much appreciated.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+ /si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)
-
Hi kiekar,
I think this is the same rule that has been crashing for several users… It's been an issue for a while now... See the following thread:
https://forum.pfsense.org/index.php?topic=74930.10;
So it's best to just disable it for now...
-
Thanks BBcan177, I'll disable the rule.
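
An offline check for the failure discussed in this thread, as an added example that is not part of the original posts and is not Snort or pfSense code: it scans rules text for active rules whose pcre option contains a `\o` escape with no `{` after it, the construct the log message above rejects, and reports line numbers and SIDs so those rules can be disabled. The sample rules are constructed (only the failing pattern and sid 2011695 come from the thread), and the two option-matching regexes are simplifying assumptions about rule syntax.

```python
import re

# Assumed (simplified) shapes of the pcre and sid rule options.
PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/([A-Za-z]*)"\s*;')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')


def bare_o_escapes(pattern):
    """Return offsets of the backslash in each `\\o` not followed by `{`."""
    offsets, i = [], 0
    while i < len(pattern) - 1:
        if pattern[i] == "\\":
            if pattern[i + 1] == "o" and pattern[i + 2:i + 3] != "{":
                offsets.append(i)
            i += 2  # skip the escaped character so `\\o` is not misread
        else:
            i += 1
    return offsets


def scan_rules(text):
    """Return (line_number, sid, pattern, offsets) for each active rule at risk."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or rule that is already commented out
        sid = SID_OPT.search(line)
        for m in PCRE_OPT.finditer(line):
            offsets = bare_o_escapes(m.group(1))
            if offsets:
                sid_value = int(sid.group(1)) if sid else None
                hits.append((lineno, sid_value, m.group(1), offsets))
    return hits


# Constructed sample rules; only the failing pattern and sid 2011695 are from the thread.
SAMPLE_RULES = r'''# alert tcp any any -> any any (msg:"constructed, disabled"; pcre:"/\oops/"; sid:1000001;)
alert tcp any any -> any any (msg:"constructed, pattern from the log"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; sid:2011695; rev:4;)
alert tcp any any -> any any (msg:"constructed, valid escapes"; pcre:"/a\\o\o{101}b/i"; sid:1000002;)
'''

if __name__ == "__main__":
    for lineno, sid, pattern, offsets in scan_rules(SAMPLE_RULES):
        print(f"line {lineno} sid {sid}: bare \\o at offset(s) {offsets} in {pattern!r}")
```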