Snort mailing list archives

Re: Snort Failing While Reading Rules File


From: "Patrick Mullen \(pamullen\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 3 Oct 2019 03:54:39 +0000

Jim,

What external ruleset(s) are you running? We shouldn't be publishing any rules using threshold for a very long time.

What is the content of the rule on line 2478, the one throwing the error "/etc/snort/rules/snort.rules(2478) Flowbits: 
Invalid token noreject"?

Unfortunately, I'm going on vacation until Monday, but what I can tell you is that recently we enabled a bunch of 
preprocessor alerts in the max detect policy, which is probably why you are seeing new alerts there. I don't know what 
the two alerts you apparently narrowed your problems down to (120:7 and 129:5) are, but I suspect it's a bit of a red 
herring given those other errors and warnings you mentioned, which is why I'm trying to get a better idea of your 
environment.


Thanks,

Patrick


From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: October 2, 2019 at 20:41:10 EDT
To: Snort-users <snort-users () lists snort org>
Subject: [Snort-users] Snort Failing While Reading Rules File
Reply-To: Jim Campbell <jim () w4bqp net>

I'm running Snort inline as an IPS system.

I upgraded Snort to 2.9.14.1 just over a week ago. Once it was running, with the same disablesid.conf I was using 
before the update, I began receiving a lot of alerts that I hadn't been receiving before. The sids were 120:5, 120:7, 
120:8, 129:5, 129:18, 129:20 and 142:2.

I gradually began adding the sids giving the most alerts to the disablesid.conf file. Each time I update the 
disablesid.conf file I run pulledpork and restart snort.

This morning I added 120:7 and 129:5 to the disablesid.conf file.

Snort was running just fine until I updated my rules file. After the update I restarted Snort as I usually do. While 
reading the rules file snort failed. Here are the messages I received:

WARNING: /etc/snort/rules/snort.rules(756) threshold (in rule) is depreciated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject.

I realize the first message isn't an error, I just included it for context.

I commented out this rule and restarted Snort. I received an error on a different pair of rules. Commented out that 
pair of rules, same results.

I downloaded the rules again, same results.

After some experimenting I learned that if I remove sids 120:7 and 129:5 from the disablesid.conf file, re-run 
pulledpork and restart snort it no longer fails.

Jim Campbell

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

   To unsubscribe, send an email to:
   snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
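Patrick's first question is what the rule at the reported line actually contains, and Jim's two messages are a flowbits token that Snort rejects and a rule still using the deprecated threshold option. The script below is an added example, not code from Snort, Talos or pulledpork: it pulls the rule at a given line number out of a rules file and flags the same two conditions before Snort is restarted, plus one extra check (a flowbit that an enabled rule tests but no enabled rule sets, which is what commenting out a setter rule via disablesid.conf would cause). The set of accepted flowbits operations is taken from the Snort 2.9 manual; the sample rules are constructed for the demonstration, and the option parser is an approximation that assumes semicolons inside content/pcre strings are escaped as Snort requires.

```python
import re

# Flowbits operations accepted by Snort 2.9 (Snort manual, rule option "flowbits").
VALID_FLOWBITS_OPS = {"set", "setx", "unset", "toggle", "isset", "isnotset", "noalert", "reset"}
SETTING_OPS = {"set", "setx", "toggle"}
TESTING_OPS = {"isset", "isnotset"}

# keyword:argument; pairs inside the rule body. Approximate parse: assumes a ';'
# inside a content/pcre string is escaped, as Snort requires.
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")

# Constructed sample rules file (not from any published ruleset). Line 6 plays the
# role of a setter rule that pulledpork commented out because of disablesid.conf.
SAMPLE_RULES = """\
# constructed sample, not the Snort/Talos ruleset
alert tcp any any -> any 80 (msg:"setter"; flow:to_server,established; content:"GET"; flowbits:set,demo.seen; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"checker"; flow:to_server,established; flowbits:isset,demo.seen; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"bad token"; flowbits:noreject,demo.seen; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"old threshold"; content:"X"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000004; rev:1;)
# alert tcp any any -> any 80 (msg:"disabled setter"; flowbits:set,demo.orphan; sid:1000005; rev:1;)
alert tcp any any -> any 80 (msg:"orphan check"; flowbits:isset,demo.orphan; sid:1000006; rev:1;)
"""


def parse_options(rule):
    """Return (keyword, argument) pairs from the parenthesised part of one rule."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return []
    return OPTION_RE.findall(rule[start + 1:end])


def rule_at(text, lineno):
    """Return rules-file line `lineno` (1-based, as Snort reports it), or None."""
    lines = text.splitlines()
    return lines[lineno - 1] if 0 < lineno <= len(lines) else None


def check_rules(text):
    """Scan a rules file and return sorted (line, severity, message) findings."""
    findings = []
    set_names = set()   # flowbits set by enabled rules
    tested = []         # (line, name) for flowbits tested by enabled rules
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # blank, or commented out (how pulledpork disables a sid)
        for keyword, arg in parse_options(rule):
            if keyword == "threshold":
                findings.append((lineno, "warning",
                                 "threshold (in rule) is deprecated; use detection_filter"))
            elif keyword == "flowbits":
                fields = [f.strip() for f in arg.split(",")]
                op = fields[0]
                if op not in VALID_FLOWBITS_OPS:
                    findings.append((lineno, "error", f"Flowbits: Invalid token {op}"))
                    continue
                # isset/isnotset may combine names with & or |; set/toggle take one name
                names = re.split(r"[&|]", fields[1]) if len(fields) > 1 else []
                if op in SETTING_OPS:
                    set_names.update(names)
                elif op in TESTING_OPS:
                    tested.extend((lineno, n) for n in names)
    for lineno, name in tested:
        if name not in set_names:
            findings.append((lineno, "warning",
                             f"flowbit {name} is tested but no enabled rule sets it"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, severity, message in check_rules(SAMPLE_RULES):
        print(f"{severity.upper()}: snort.rules({lineno}) {message}")
        print("    " + rule_at(SAMPLE_RULES, lineno))
```

Run against the real file (read `/etc/snort/rules/snort.rules` into `text` instead of the sample) after each pulledpork run; the orphaned-flowbit warning is the one to look at when a sid added to disablesid.conf starts breaking rules that were fine before.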


