07-03-2014 10:20 AM - edited 02-21-2020 05:13 AM
After installing SEU 913, which includes Snort 2.9.5, the following symptoms may appear in a Sourcefire deployment:
07-03-2014 10:26 AM
In order to resolve this issue, install SEU 915 or higher.
An issue has been identified with custom rules or Emerging Threats rules that violate the Snort rule syntax. These rules can cause the Detection Engine to repeatedly restart. Sourcefire-provided rules do not contain these syntax errors and will not cause this problem.
Snort does rule validation upon startup. With Snort 2.9.4, when a rule is determined to be invalid, a warning is written to syslog; however, Snort continues to load, omitting that rule. The Snort delivered in SEU 913 generates an error for invalid rules instead of a warning, which prevents Snort from loading. With the release of SEU 915, we simply made Snort 2.9.5 behave the same way Snort 2.9.4 does, which is to display a warning for invalid rules but continue to load.
Invalid third-party rule syntax is still an issue, as SEU 915 will not correct it. To make sure rules are valid, you can simply open an IPS policy in the editor and save it, or manually apply the policy. You will be notified if there are any invalid rules active in that policy.
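The two loader behaviours the answer contrasts (SEU 913: an invalid rule is a fatal error and nothing loads; Snort 2.9.4 / SEU 915: the invalid rule is logged and omitted) can be reproduced with a small rule checker. This is an added example written for this page, not Sourcefire or Cisco code and not Snort's real parser: the syntax checks are a deliberate simplification (header layout, option parentheses, trailing semicolons, a numeric `sid`) and the sample rules are constructed to contain the kinds of errors the answer describes.

```python
"""Minimal Snort-style rule syntax checker plus the two loader behaviours
discussed above.  Added example, not Sourcefire/Cisco code.  The checks are a
simplified approximation of Snort's parser (it validates far more than this),
and SAMPLE_RULES are constructed, not taken from any real ruleset."""
import logging
import re

logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
log = logging.getLogger("rule-loader")

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


class RuleSyntaxError(ValueError):
    """Raised for a rule this simplified checker considers invalid."""


def validate_rule(rule):
    """Return (sid, [(key, value), ...]) for a valid rule, else raise RuleSyntaxError.

    Simplification: options are split on ';', so a ';' inside a quoted
    content/pcre value is not handled (real Snort requires it to be escaped).
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise RuleSyntaxError("malformed header or missing option parentheses")
    if m["action"] not in ACTIONS:
        raise RuleSyntaxError(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        raise RuleSyntaxError(f"unknown protocol {m['proto']!r}")
    opts = m["opts"].strip()
    if not opts.endswith(";"):
        raise RuleSyntaxError("option list must end with ';'")
    options = []
    for field in opts[:-1].split(";"):  # drop the final ';' before splitting
        field = field.strip()
        if not field:
            raise RuleSyntaxError("empty option (doubled ';')")
        key, _, value = field.partition(":")
        options.append((key.strip(), value.strip()))
    sids = [v for k, v in options if k == "sid"]
    if not sids:
        raise RuleSyntaxError("missing required 'sid' option")
    if not sids[0].isdigit():
        raise RuleSyntaxError(f"sid must be numeric, got {sids[0]!r}")
    return int(sids[0]), options


def load_rules(rules, strict):
    """Load rules the way the two builds described in the answer behave.

    strict=True  : SEU 913 behaviour, first invalid rule aborts the whole load.
    strict=False : Snort 2.9.4 / SEU 915 behaviour, invalid rules are logged
                   as warnings and omitted; everything else still loads.
    Returns (list of loaded sids, list of 1-based line numbers skipped).
    """
    loaded, skipped = [], []
    for lineno, rule in enumerate(rules, 1):
        try:
            sid, _ = validate_rule(rule)
        except RuleSyntaxError as exc:
            if strict:
                log.error("rule %d: %s (aborting load)", lineno, exc)
                raise
            log.warning("rule %d: %s (rule omitted)", lineno, exc)
            skipped.append(lineno)
            continue
        loaded.append(sid)
    return loaded, skipped


def strict_load_fails(rules):
    """True if a strict (SEU 913-style) load of these rules would abort."""
    try:
        load_rules(rules, strict=True)
    except RuleSyntaxError:
        return True
    return False


# Constructed sample ruleset: two valid rules and three common syntax slips.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example GET"; content:"GET"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 25 (msg:"no trailing semicolon"; sid:1000002)',   # missing ';' before ')'
    'alrt udp any any -> any 53 (msg:"typo in action"; sid:1000003;)',         # unknown action
    'drop icmp any any -> $HOME_NET any (msg:"icmp drop"; sid:1000004; rev:2;)',
    'alert tcp any any -> any 443 (msg:"no sid";)',                            # missing sid
]

if __name__ == "__main__":
    loaded, skipped = load_rules(SAMPLE_RULES, strict=False)
    print(f"lenient load: loaded sids {loaded}, skipped rule lines {skipped}")
    print(f"strict load aborts: {strict_load_fails(SAMPLE_RULES)}")
```

Run in lenient mode the three bad rules are warned about and dropped while sids 1000001 and 1000004 load; in strict mode the load aborts at the first bad rule, which is the repeated-restart symptom the answer describes. On a Sourcefire system the authoritative check is the one the answer gives (save or apply the IPS policy and read the validation messages); on a standalone Snort 2.x install the equivalent is `snort -T -c <snort.conf>`, which tests the configuration and rules without starting detection.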