Snort mailing list archives
Re: Snort Failing While Reading Rules File
From: "Patrick Mullen (pamullen) via Snort-users" <snort-users () lists snort org>
Date: Thu, 3 Oct 2019 03:54:39 +0000
Jim,

What external ruleset(s) are you running? We shouldn't be publishing any rules using threshold for a very long time. What is the content of the rule on line 2478, the one throwing the error "/etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject"?

Unfortunately, I'm going on vacation until Monday, but what I can tell you is that recently we enabled a bunch of preprocessor alerts in the max detect policy, which is probably why you are seeing new alerts there. I don't know what the two alerts you apparently narrowed your problems down to (120:7 and 129:5) are, but I suspect it's a bit of a red herring given those other errors and warnings you mentioned, which is why I'm trying to get a better idea of your environment.

Thanks,

Patrick

From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: October 2, 2019 at 20:41:10 EDT
To: Snort-users <snort-users () lists snort org>
Subject: [Snort-users] Snort Failing While Reading Rules File
Reply-To: Jim Campbell <jim () w4bqp net>

I'm running Snort inline as an IPS system. I upgraded Snort to 2.9.14.1 just over a week ago. Once it was running, with the same disablesid.conf I was using before the update, I began receiving a lot of alerts that I hadn't been receiving before. The sids were 120:5, 120:7, 120:8, 129:5, 129:18, 129:20 and 142:2. I gradually began adding the sids giving the most alerts to the disablesid.conf file. Each time I update the disablesid.conf file I run pulledpork and restart snort.

This morning I added 120:7 and 129:5 to the disablesid.conf file. Snort was running just fine until I updated my rules file. After the update I restarted Snort as I usually do. While reading the rules file snort failed. Here are the messages I received:

    WARNING: /etc/snort/rules/snort.rules(756) threshold (in rule) is depreciated; use detection_filter instead.
    ERROR: /etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject.

I realize the first message isn't an error, I just included it for context. I commented out this rule and restarted Snort. I received an error on a different pair of rules. Commented out that pair of rules, same results. I downloaded the rules again, same results. After some experimenting I learned that if I remove sids 120:7 and 129:5 from the disablesid.conf file, re-run pulledpork and restart snort it no longer fails.

Jim Campbell

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
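An added pre-restart check, not code from the thread, from Snort or from pulledpork: a small Python linter that applies the two checks Snort's rule parser complained about in Jim's log (an in-rule threshold option, which Snort reports as deprecated in favour of detection_filter, and an unrecognised flowbits operation such as "noreject") to a rules file and reports findings in Snort's own path(line) form, so a bad rule is found before Snort is restarted inline. The set of accepted flowbits operation names and the sample rules below are assumptions, not taken from the page.

```python
import re
import sys

# Constructed sample rules file (not the rules from the thread): one clean
# rule, one with the deprecated in-rule threshold, one with a bad flowbits
# token, and one disabled line of the kind pulledpork writes for disabled sids.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"ok rule"; flowbits:set,http.seen; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"deprecated"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"bad flowbit"; flowbits:noreject; sid:1000003; rev:1;)
# alert tcp any any -> any 80 (msg:"commented out"; flowbits:bogus; sid:1000004; rev:1;)
"""

# Flowbits operations accepted by the Snort 2.9 rule parser (assumed set,
# taken from the Snort manual rather than from this thread).
FLOWBITS_OPS = {"set", "setx", "unset", "toggle", "isset", "isnotset", "noalert", "reset"}

# Matches "flowbits:<value>;" or "threshold:<value>;" inside a rule body.
OPTION_RE = re.compile(r"\b(flowbits|threshold)\s*:\s*([^;]*);")


def lint_rules(text, path="snort.rules"):
    """Return Snort-style 'path(line) message' findings for every active rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out (disabled) rules are never parsed
        for opt, value in OPTION_RE.findall(line):
            if opt == "threshold":
                findings.append(f"WARNING: {path}({lineno}) threshold (in rule) is "
                                f"deprecated; use detection_filter instead.")
            else:
                # The operation is the first comma-separated field, e.g. "set" in "set,http.seen".
                op = value.split(",", 1)[0].strip()
                if op not in FLOWBITS_OPS:
                    findings.append(f"ERROR: {path}({lineno}) Flowbits: Invalid token {op}.")
    return findings


if __name__ == "__main__":
    # Lint a real file when a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = lint_rules(fh.read(), sys.argv[1])
    else:
        results = lint_rules(SAMPLE_RULES)
    print("\n".join(results) if results else "no findings")
```

Running it against /etc/snort/rules/snort.rules after pulledpork and before restarting Snort lists the offending line numbers the same way Snort's own error output does, including rules pulledpork has already commented out being skipped.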