Snort throws errors and won't start



  • For no apparent reason the snort service will stop and fail when I try to restart it. Here's the error from the system log:

    Sep 15 22:17:20 php-fpm[83402]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 60889 -D -q --suppress-config-log -l /var/log/snort/snort_re060889 --pid-path /var/run --nolock-pidfile -G 60889 -c /usr/pbi/snort-amd64/etc/snort/snort_60889_re0/snort.conf -i re0' returned exit code '1', the output was ''
    Sep 15 22:17:20 snort[95180]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_60889_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
    Sep 15 22:17:20 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(re0)…
    Sep 15 22:17:18 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
    Sep 15 22:17:18 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Sep 15 22:17:13 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Sep 15 22:17:13 php-fpm[83402]: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(re0)…

    Can anyone fill me in on what's going on here?

    Thanks,
    Jon



  • You have a rule enabled that uses the sensitive data preprocessor, which you have disabled (it's disabled by default). You can either disable that rule by hand or enable option "Auto-disable text rules dependent on disabled preprocessors for this interface."



  • Thanks fragged,

    I enabled the "Auto-disable…" and was able to successfully restart Snort. If I knew what rule was causing the problem I'd disable it, but the log output is all Greek to me ???

    I'll run with it but I'm confident your fix will work.

    Jn



  • Look in /var/log/snort and then the subdirectory for the interface. You should see a file in there showing you which rules got "auto-disabled" due to missing preprocessor dependencies.

    You should not be hitting this error unless you have done something funny with your rules (like enabling some default-disabled rules pertaining to sensitive data).

    Bill
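
The two things the replies above describe, reading the `FATAL ERROR ... (427) Unknown rule option` line to find the offending rule and commenting out rules that depend on a preprocessor that is not loaded, as an added Python example. This is not code from the thread or from the pfSense Snort package; the package keeps its own dependency list and log file. Assumptions: rules are one per line, as in a generated `snort.rules`; the `sd_pattern` to `sensitive_data` pairing comes from the error in the thread, the other option-to-preprocessor pairs are the preprocessor-bound rule options from the Snort 2.9 manual; the helper names and the sample rules are mine, and `SAMPLE_LOG` is the FATAL ERROR line quoted in the first post.

```python
import re

# Snort 2.9 rule options that are only understood when their preprocessor is
# loaded in snort.conf. sd_pattern/sensitive_data is the pair from the thread;
# the rest are the other preprocessor-bound options from the Snort 2.9 manual.
# (Assumption: the pfSense package's own "auto-disable" list may differ.)
PREPROCESSOR_OPTIONS = {
    "sd_pattern": "sensitive_data",
    "dce_iface": "dcerpc2", "dce_opnum": "dcerpc2", "dce_stub_data": "dcerpc2",
    "ssl_state": "ssl", "ssl_version": "ssl",
    "sip_method": "sip", "sip_header": "sip", "sip_body": "sip", "sip_stat_code": "sip",
    "gtp_type": "gtp", "gtp_info": "gtp", "gtp_version": "gtp",
    "modbus_func": "modbus", "modbus_unit": "modbus", "modbus_data": "modbus",
    "dnp3_func": "dnp3", "dnp3_ind": "dnp3", "dnp3_obj": "dnp3", "dnp3_data": "dnp3",
}

# The FATAL ERROR line from the thread (used as sample input here).
SAMPLE_LOG = ("Sep 15 22:17:20 snort[95180]: FATAL ERROR: "
              "/usr/pbi/snort-amd64/etc/snort/snort_60889_re0/rules/snort.rules(427) "
              "Unknown rule option: 'sd_pattern'.")

# Constructed sample rules file: line 1 needs sensitive_data, line 2 only mentions
# sd_pattern inside quoted strings, line 3 is already commented out, line 4 needs dcerpc2.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SENSITIVE-DATA Credit card numbers"; sd_pattern:2,credit_card; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sd_pattern; only in msg"; content:"sd_pattern"; sid:9000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SENSITIVE-DATA already disabled"; sd_pattern:2,us_social; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"DCE interface check"; dce_iface:12345678-1234-abcd-ef00-0123456789ab; sid:9000004; rev:1;)
"""

FATAL_RE = re.compile(r"FATAL ERROR: (?P<path>\S+?)\((?P<line>\d+)\) "
                      r"Unknown rule option: '(?P<opt>[^']+)'")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
KEYWORD_RE = re.compile(r"(?:^|;)\s*([A-Za-z_][\w.]*)\s*(?=[:;]|$)")


def parse_fatal_error(log_line):
    """Return (rules_path, line_number, option) from a Snort FATAL ERROR line, or None."""
    m = FATAL_RE.search(log_line)
    if not m:
        return None
    return m.group("path"), int(m.group("line")), m.group("opt")


def rule_options(rule_line):
    """Option keywords used in one rule line; quoted strings are blanked first
    so a ';' or option name inside msg/content text is not mistaken for an option."""
    start, end = rule_line.find("("), rule_line.rfind(")")
    if start < 0 or end < start:
        return []
    body = QUOTED_RE.sub('""', rule_line[start + 1:end])
    return KEYWORD_RE.findall(body)


def find_dependent_rules(rules_text, disabled_preprocessors):
    """(line_number, sid, option, preprocessor) for every active rule that uses an
    option whose preprocessor is in disabled_preprocessors."""
    hits = []
    for n, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or already disabled
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for opt in rule_options(line):
            preproc = PREPROCESSOR_OPTIONS.get(opt)
            if preproc in disabled_preprocessors:
                hits.append((n, sid, opt, preproc))
    return hits


def disable_dependent_rules(rules_text, disabled_preprocessors):
    """Return (new_rules_text, hits): offending rules are commented out with '# '."""
    hits = find_dependent_rules(rules_text, disabled_preprocessors)
    bad = {h[0] for h in hits}
    lines = rules_text.splitlines()
    out = ["# " + l if n in bad else l for n, l in enumerate(lines, start=1)]
    return "\n".join(out) + "\n", hits


if __name__ == "__main__":
    path, lineno, opt = parse_fatal_error(SAMPLE_LOG)
    print(f"Snort died on {path} line {lineno}: option {opt!r} "
          f"needs preprocessor {PREPROCESSOR_OPTIONS.get(opt)!r}")
    fixed, hits = disable_dependent_rules(SAMPLE_RULES, {"sensitive_data"})
    for n, sid, o, p in hits:
        print(f"disabled line {n} sid {sid}: uses {o} (requires {p})")
    print(fixed)
```

On a live box the same steps are: take the line number from the FATAL ERROR, open the `snort.rules` path it names at that line to read the SID, then either turn that SID off in the rule set or comment the line out with `#` so Snort skips it. Re-enabling the preprocessor instead of disabling the rule is the other valid fix, and which one is right depends on whether you actually want sensitive-data detection on that interface.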