Netgate Discussion Forum

    Snort throws errors and won't start

    • JSmorada

      For no apparent reason the snort service will stop and fail when I try to restart it. Here's the error from the system log:

      Sep 15 22:17:20 php-fpm[83402]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 60889 -D -q --suppress-config-log -l /var/log/snort/snort_re060889 --pid-path /var/run --nolock-pidfile -G 60889 -c /usr/pbi/snort-amd64/etc/snort/snort_60889_re0/snort.conf -i re0' returned exit code '1', the output was ''
      Sep 15 22:17:20 snort[95180]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_60889_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
      Sep 15 22:17:20 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(re0)…
      Sep 15 22:17:18 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
      Sep 15 22:17:18 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Sep 15 22:17:13 php-fpm[83402]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      Sep 15 22:17:13 php-fpm[83402]: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(re0)…

      Can anyone fill me in on what's going on here?

      Thanks,
      Jon

      • fragged

        You have a rule enabled that uses the sensitive data preprocessor, which you have disabled (it's disabled by default). You can either disable that rule by hand or enable option "Auto-disable text rules dependent on disabled preprocessors for this interface."

        • JSmorada

          Thanks fragged,

          I enabled the "Auto-disable…" and was able to successfully restart Snort. If I knew what rule was causing the problem I'd disable it but the log output is all Greek to me  ???

          I'll run with it but I'm confident your fix will work.

          Jon

          • bmeeks

            Look in /var/log/snort and then the subdirectory for the interface. You should see a file in there showing you which rules got "auto-disabled" due to missing preprocessor dependencies.

            You should not be hitting this error unless you have done something funny with your rules (like enabling some default-disabled rules pertaining to sensitive data).

            Bill
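
Added example, not written by any poster in this thread and not part of the pfSense Snort package: shell functions that turn the "Unknown rule option" FATAL ERROR line quoted in the first post into the sid and msg of the offending rule, and list every enabled rule that uses the same option. The function names, the sample rules and their sid values are constructed for illustration.

```shell
# Added example (not from the thread); the sample rules are constructed.

# parse_fatal LOGLINE: print "<rules file> <line> <option>" taken from a
# Snort "Unknown rule option" FATAL ERROR message.
parse_fatal() {
    printf '%s\n' "$1" | sed -n \
      "s/.*FATAL ERROR: \(.*\)(\([0-9][0-9]*\)) Unknown rule option: '\([^']*\)'.*/\1 \2 \3/p"
}

# rule_at FILE LINE: print the sid and msg of the rule on that line.
rule_at() {
    rule=$(sed -n "${2}p" "$1")
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*[ (;]sid: *\([0-9][0-9]*\);.*/\1/p')
    msg=$(printf '%s\n' "$rule" | sed -n 's/.*msg: *"\([^"]*\)".*/\1/p')
    printf 'sid=%s msg=%s\n' "$sid" "$msg"
}

# enabled_rules_using FILE OPTION: print "line:sid" for every enabled rule
# that uses OPTION; disabling only the first one just moves the error along.
enabled_rules_using() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }                  # commented out = disabled rule
        index($0, opt ":") {
            sid = "?"
            if (match($0, /sid: *[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH); sub(/sid: */, "", sid)
            }
            print NR ":" sid
        }' "$1"
}

# write_sample FILE: write a constructed three-rule file to try this on.
write_sample() {
    cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed web rule"; content:"x"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed SSN rule"; sd_pattern:2,us_social; sid:1000002; gid:138; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed card rule"; sd_pattern:2,credit_card; sid:1000003; gid:138; rev:1;)
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample "$f"
    set -- $(parse_fatal "snort[95180]: FATAL ERROR: $f(2) Unknown rule option: 'sd_pattern'.")
    rule_at "$1" "$2"; enabled_rules_using "$1" "$3"; rm -f "$f"
fi
```

On the firewall, pass the FATAL ERROR line from the system log to parse_fatal, then give the file and line number it prints to rule_at to see which rule to disable.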

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.