Cisco Employee

Snort 2.9.5 may generate an error if local rules are enabled

After installing SEU 913, which includes Snort 2.9.5, the following symptoms may appear in a Sourcefire deployment:

  •  The sensor may go down
  •  Unable to commit any changes to an IPS policy
  •  Health Alerts state that the IPS/IDS DE exited unexpectedly
Accepted Solution
Cisco Employee

Solution

In order to resolve this issue install SEU 915 or higher.


Root Cause

An issue has been identified with custom rules or Emerging Threats rules that can violate the Snort rule syntax. These rules can cause the Detection Engine to repeatedly restart. Sourcefire-provided rules do not contain these syntax errors and will not cause this problem.


Snort does rule validation upon startup. With Snort 2.9.4, when a rule is determined invalid, a warning is written to syslog. However, Snort will continue to load, omitting that rule. The Snort delivered in SEU 913 generates an error for invalid rules instead of a warning, which prevents Snort from loading. With the release of SEU 915, we simply made Snort 2.9.5 behave the same way Snort 2.9.4 does, which is to display a warning for invalid rules but continue to load.

Invalid third-party rule syntax is still an issue, as SEU 915 will not correct it. To make sure rules are valid, you can simply open an IPS policy in the editor and save it, or manually apply the policy. You will be notified if there are any invalid rules active in that policy.
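The two loader behaviours described above (SEU 913 aborting on the first invalid rule versus 2.9.4 / SEU 915 warning and skipping it) can be illustrated with a small rule checker. This is an added example, not Sourcefire's or Cisco's code and not Snort's real parser: it applies a simplified approximation of the Snort rule header grammar to a handful of constructed sample rules.

```python
import re

# Constructed sample rules (not from the post). Rule 2 lacks the closing
# parenthesis of its option block; rule 3 misspells the action keyword.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE smtp"; sid:1000002; rev:1;',
    'alrt udp any any -> any 53 (msg:"EXAMPLE typo in action"; sid:1000003; rev:1;)',
    'drop icmp any any -> $HOME_NET any (msg:"EXAMPLE icmp"; sid:1000004; rev:1;)',
]

# Simplified header grammar (assumption, far less strict than Snort itself):
# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\S+)\s+(?P<proto>tcp|udp|icmp|ip)\s+\S+\s+\S+\s+(->|<>)'
    r'\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$'
)
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


def validate_rule(rule):
    """Return None if the rule passes the simplified check, else a reason string."""
    m = HEADER_RE.match(rule)
    if not m:
        return "malformed header or option block"
    if m.group("action") not in ACTIONS:
        return "unknown action %r" % m.group("action")
    if not re.search(r'\bsid:\s*\d+\s*;', m.group("opts")):
        return "missing sid"
    return None


def load_rules(rules, fail_on_invalid):
    """Mimic the two loader policies: fail_on_invalid=True stops at the first bad
    rule (SEU 913 behaviour); False warns, skips it and keeps loading (2.9.4 / SEU 915).
    Returns (loaded_rules, warning_messages, fatal_message_or_None)."""
    loaded, warnings = [], []
    for rule in rules:
        reason = validate_rule(rule)
        if reason is None:
            loaded.append(rule)
        elif fail_on_invalid:
            return loaded, warnings, "ERROR: %s, aborting load" % reason
        else:
            warnings.append("WARNING: skipping rule (%s)" % reason)
    return loaded, warnings, None


if __name__ == "__main__":
    for strict in (True, False):
        print("fail_on_invalid=%s -> %s" % (strict, load_rules(SAMPLE_RULES, strict)))
```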
