Snort | Unknown rule option: 'stream_size'.



  • I have upgraded my pfSense, and after that I am getting this error in Snort:

    Jul 29 12:49:18 syslogd: kernel boot file is /boot/kernel/kernel
    Jul 29 12:49:32 php-fpm[55362]: /snort/snort_interfaces.php: Toggle (snort starting) for  Interface name
    Jul 29 12:49:32 php-fpm[55362]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: Interface name …
    Jul 29 12:49:36 php-fpm[55362]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for:Interface name…
    Jul 29 12:49:36 php-fpm[55362]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for Interface name…
    Jul 29 12:49:37 php-fpm[55362]: /snort/snort_interfaces.php: [Snort] Snort START for Interface name(dc1)…
    Jul 29 12:49:40 snort[94580]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_9528_dc1/rules/snort.rules(17924) Unknown rule option: 'stream_size'.
    Jul 29 12:49:40 php-fpm[55362]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 9528 -D -q –suppress-config-log -l /var/log/snort/snort_dc19528 --pid-path /var/run --nolock-pidfile -G 9528 -c /usr/pbi/snort-amd64/etc/snort/snort_9528_dc1/snort.conf -i dc1' returned exit code '1', the output was ''



  • You most likely have a required preprocessor disabled.  Make sure the STREAM5 preprocessor is enabled on the PREPROCESSORS tab.  In fact, users should really never disable any of the default-enabled preprocessors unless they are very highly skilled with the operation of Snort.

    Bill
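
The diagnosis in the reply above can be checked offline. This is an added example, not part of the original thread or of the pfSense Snort package: it parses the FATAL ERROR line from the log, looks up which preprocessor registers the rejected rule option, and checks whether the generated snort.conf has an active line for it. The option map is a partial one assumed from Snort 2.x documentation and goes beyond the `stream_size` case discussed here; the two snort.conf fragments are constructed samples.

```python
import re

# Partial map of Snort 2.x rule options to the preprocessor that registers
# them (assumption of this example; 'stream_size' is the case in the thread).
OPTION_TO_PREPROC = {
    "stream_size": "stream5", "stream_reassemble": "stream5",
    "ssl_version": "ssl", "ssl_state": "ssl",
    "dce_iface": "dcerpc2", "dce_opnum": "dcerpc2", "dce_stub_data": "dcerpc2",
}

FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<path>\S+)\((?P<line>\d+)\) "
    r"Unknown rule option: '(?P<opt>[^']+)'")

# Log line as posted in the thread.
SAMPLE_LOG = ("Jul 29 12:49:40 snort[94580]: FATAL ERROR: /usr/pbi/snort-amd64/"
              "etc/snort/snort_9528_dc1/rules/snort.rules(17924) "
              "Unknown rule option: 'stream_size'.")
# Constructed snort.conf fragments: Stream5 commented out vs. active.
CONF_DISABLED = ("preprocessor frag3_global: max_frags 8192\n"
                 "# preprocessor stream5_global: track_tcp yes\n")
CONF_ENABLED = ("preprocessor frag3_global: max_frags 8192\n"
                "preprocessor stream5_global: track_tcp yes\n"
                "preprocessor stream5_tcp: policy bsd\n")

def parse_fatal(log_line):
    """Return (rules_file, line_number, option) or None if no match."""
    m = FATAL_RE.search(log_line)
    return (m["path"], int(m["line"]), m["opt"]) if m else None

def enabled_preprocessors(conf_text):
    """Names of preprocessors that have an uncommented config line."""
    names = set()
    for raw in conf_text.splitlines():
        m = re.match(r"preprocessor\s+(\w+)", raw.split("#", 1)[0].strip())
        if m:
            names.add(m.group(1))
    return names

def diagnose(log_line, conf_text):
    parsed = parse_fatal(log_line)
    if parsed is None:
        return None
    path, lineno, opt = parsed
    needed = OPTION_TO_PREPROC.get(opt)   # None: option not in this map
    enabled = None
    if needed:
        # Stream5 is configured as stream5_global, stream5_tcp, ... so
        # accept the bare name or any "<name>_" prefixed entry.
        enabled = any(n == needed or n.startswith(needed + "_")
                      for n in enabled_preprocessors(conf_text))
    return {"option": opt, "rules_file": path, "line": lineno,
            "preprocessor": needed, "enabled": enabled}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CONF_DISABLED))
```

A result with `enabled` set to `False` matches the situation described in the reply: the rule set uses an option whose preprocessor is not loaded, so the fix is to re-enable that preprocessor rather than to edit the rule.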