https://community.cisco.com/t5/network-security/snort-2-9-5-may-generate-an-error-if-local-rules-are-enabled/m-p/2554263#M925685 <H4><STRONG>Solution</STRONG></H4><P>In order to resolve this issue install SEU 915 or higher.</P><H4><BR /><STRONG>Root Cause</STRONG></H4><P>An issue has been identified with custom rules or Emerging Threat rules that can violate the Snort rule syntax. These rules can cause the Detection Engine to repeatedly restart. Sourcefire provided rules do not contain these syntax errors and will not cause this problem.</P><P><BR />Snort does rule validation upon start up.&nbsp; With Snort 2.9.4, when a rule is determined invalid, then a warning is written to syslog. However, Snort will continue to load omitting that rule.&nbsp; The Snort delivered in SEU 913 generates an error for invalid rules instead of a warning, which prevents Snort from loading.&nbsp; With the release of SEU 915, we simply made Snort 2.9.5 behave the same way Snort 2.9.4 does, which is to display a warning for invalid rules, but continue to load.</P><P>&nbsp;</P><P>Invalid third party rule syntax is still an issue as SEU 915 will not correct them.&nbsp; To make sure rules are valid you can simply open an IPS policy in the editor and save it, or manually apply the policy.&nbsp; You will be notified if there are any invalid rules active in that policy.</P> Thu, 03 Jul 2014 17:26:15 GMT Nazmul Rajib 2014-07-03T17:26:15Z https://community.cisco.com/t5/network-security/snort-2-9-5-may-generate-an-error-if-local-rules-are-enabled/m-p/2554262#M925684 <P>After installing SEU 913, which includes Snort 2.9.5, the following symptoms may appear in a Sourcefire deployment:</P><UL><LI>&nbsp;The sensor may go down</LI><LI>&nbsp;Unable to commit any changes to an IPS policy</LI><LI>&nbsp;Health Alerts state that the IPS/IDS DE exited unexpectedly</LI></UL> Fri, 21 Feb 2020 13:13:50 GMT https://community.cisco.com/t5/network-security/snort-2-9-5-may-generate-an-error-if-local-rules-are-enabled/m-p/2554262#M925684 Nazmul Rajib 2020-02-21T13:13:50Z https://community.cisco.com/t5/network-security/snort-2-9-5-may-generate-an-error-if-local-rules-are-enabled/m-p/2554263#M925685 <H4><STRONG>Solution</STRONG></H4><P>In order to resolve this issue install SEU 915 or higher.</P><H4><BR /><STRONG>Root Cause</STRONG></H4><P>An issue has been identified with custom rules or Emerging Threat rules that can violate the Snort rule syntax. These rules can cause the Detection Engine to repeatedly restart. Sourcefire provided rules do not contain these syntax errors and will not cause this problem.</P><P><BR />Snort does rule validation upon start up.&nbsp; With Snort 2.9.4, when a rule is determined invalid, then a warning is written to syslog. However, Snort will continue to load omitting that rule.&nbsp; The Snort delivered in SEU 913 generates an error for invalid rules instead of a warning, which prevents Snort from loading.&nbsp; With the release of SEU 915, we simply made Snort 2.9.5 behave the same way Snort 2.9.4 does, which is to display a warning for invalid rules, but continue to load.</P><P>&nbsp;</P><P>Invalid third party rule syntax is still an issue as SEU 915 will not correct them.&nbsp; To make sure rules are valid you can simply open an IPS policy in the editor and save it, or manually apply the policy.&nbsp; You will be notified if there are any invalid rules active in that policy.</P> Thu, 03 Jul 2014 17:26:15 GMT https://community.cisco.com/t5/network-security/snort-2-9-5-may-generate-an-error-if-local-rules-are-enabled/m-p/2554263#M925685 Nazmul Rajib 2014-07-03T17:26:15Z