Snort 2.9.5 may generate an error if local rules are enabled

Nazmul Rajib
Cisco Employee

After installing SEU 913, which includes Snort 2.9.5, the following symptoms may appear in a Sourcefire deployment:

  •  The sensor may go down
  •  Unable to commit any changes to an IPS policy
  •  Health Alerts state that the IPS/IDS DE exited unexpectedly

Accepted Solutions

Nazmul Rajib
Cisco Employee

Solution

In order to resolve this issue, install SEU 915 or higher.


Root Cause

An issue has been identified with custom rules or Emerging Threats rules that can violate the Snort rule syntax. These rules can cause the Detection Engine to repeatedly restart. Sourcefire-provided rules do not contain these syntax errors and will not cause this problem.


Snort does rule validation upon startup. With Snort 2.9.4, when a rule is determined invalid, a warning is written to syslog; however, Snort continues to load, omitting that rule. The Snort delivered in SEU 913 generates an error for invalid rules instead of a warning, which prevents Snort from loading. With the release of SEU 915, we simply made Snort 2.9.5 behave the same way Snort 2.9.4 does, which is to display a warning for invalid rules but continue to load.

Invalid third-party rule syntax is still an issue, as SEU 915 will not correct it. To make sure rules are valid, you can simply open an IPS policy in the editor and save it, or manually apply the policy. You will be notified if there are any invalid rules active in that policy.
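As an added illustration of the two load behaviours described in the answer (warn and skip the bad rule versus abort the whole load), here is a small Python linter run over a constructed local.rules sample; this is example code, not from the original post and not Snort's own parser. It checks only the rule header shape, the action keyword, the protocol and the mandatory sid option, so the authoritative check remains saving or applying the policy as the answer describes.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample local.rules content (not from the original post): two
# well-formed rules, one with an unclosed option list, one with a misspelled
# action keyword, one missing the mandatory sid option, and a comment line.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test HTTP"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"Unclosed option list"; sid:1000002; rev:1;
alrt udp any any -> any 53 (msg:"Typo in action"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"Missing sid"; rev:1;)
# comment lines are ignored by the loader
drop tcp any any <> any 22 (msg:"Bidirectional operator"; sid:1000004; rev:1;)
"""
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
# Header layout: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def validate_rule(line: str) -> Optional[str]:
    """Return None when the rule passes the basic checks, else a short reason."""
    m = HEADER_RE.match(line)
    if not m:
        return "malformed header or unclosed option list"
    action, proto, opts = m.group(1), m.group(2), m.group(8)
    if action not in ACTIONS:
        return f"unknown action '{action}'"
    if proto not in PROTOS:
        return f"unknown protocol '{proto}'"
    if not re.search(r"(^|;)\s*sid\s*:\s*\d+\s*;", opts):
        return "missing mandatory sid option"
    return None

def load_rules(text: str, strict: bool) -> Tuple[List[str], List[Tuple[int, str]]]:
    """strict=False mirrors Snort 2.9.4 / SEU 915: record a warning, skip the
    rule, keep loading. strict=True mirrors Snort 2.9.5 as shipped in SEU 913:
    the first invalid rule aborts the whole load, the failure the post describes."""
    loaded, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reason = validate_rule(line)
        if reason is None:
            loaded.append(line)
        elif strict:
            raise ValueError(f"line {lineno}: {reason}")
        else:
            problems.append((lineno, reason))
    return loaded, problems
```

Running `load_rules(SAMPLE_RULES, strict=False)` loads two rules and reports three problems, while `strict=True` raises on line 2 before any later rule is considered.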
