Netgate Discussion Forum
    Snort difficulties

    pfSense Packages
    morbus

      The problem is that in the latest Snort rules someone has added flow tracking to rules for UDP etc., which can't be done by this Snort version.

      eg

      alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; flow:to_client; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:3;)
      

      Note the flow:to_client; bit

      To fix it you need to find the offending line and remove the flow:to_client; bit

      You are right: the bit in brackets in the error is the line in the rules file with the offending rule on it, e.g. (41). This is not rule number 41, as there is loads of licence junk at the top of the file.

      To fix it I open the console then go to
      #cd /usr/local/etc/snort/rules/

      then open it in the BSD ee editor, e.g. for scan.rules
      ee scan.rules
      The ee editor gives you the line number you are on near the top like this

      L: 41 C: 1 ====================================================================

      You could use the WebGUI edit file section, but you will have to count the lines.

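A small helper for the manual fix morbus describes (find the line Snort reports, then drop the flow: bit from the offending non-TCP rule), added here as an example and not part of the original thread or the pfSense package. It assumes the standard one-rule-per-line rules file layout and runs on a constructed sample file rather than a real snort.org ruleset.

```shell
#!/bin/sh
# Find, in a Snort rules file, the rules that Snort 2.6 will choke on: a non-TCP rule
# (udp/icmp/ip) carrying the flow: option. Prints "<line>:<sid>", where <line> is the
# file line number, i.e. the number Snort shows in brackets in its startup error.
find_flow_rules() {
    awk '
        /^ *(alert|log|pass|drop|reject|sdrop) +(udp|icmp|ip) / && /flow:/ {
            sid = "unknown"
            if (match($0, /sid:[0-9]+;/)) sid = substr($0, RSTART + 4, RLENGTH - 5)
            print NR ":" sid
        }' "$1"
}

# Write a copy of the rules file ($1 -> $2) with the flow:...; option removed from
# exactly those rules, which is the manual fix from the thread. TCP rules keep their flow:.
strip_flow_option() {
    sed -E '/^ *(alert|log|pass|drop|reject|sdrop) +(udp|icmp|ip) / s/ *flow:[^;]*;//' "$1" > "$2"
}

# Constructed sample rules file (not a real snort.org ruleset): a banner comment, a TCP
# rule whose flow: is fine, the UDP rule quoted in the thread, and an ICMP rule without flow:.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample; the real files carry a long licence banner here, which is why
# Snort's bracketed line number is not the rule's position among the rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed TCP rule"; flow:to_server,established; content:"x"; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; flow:to_client; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ICMP rule"; itype:8; sid:9000002; rev:1;)
EOF
}

# Stand-alone demo on the constructed sample; on a pfSense box you would point the
# functions at /usr/local/etc/snort/rules/scan.rules instead.
demo() {
    d=$(mktemp -d)
    make_sample_rules "$d/scan.rules"
    echo "offending line:sid -> $(find_flow_rules "$d/scan.rules")"   # 4:634
    strip_flow_option "$d/scan.rules" "$d/scan.rules.fixed"
    echo "after fix -> '$(find_flow_rules "$d/scan.rules.fixed")'"    # ''
    rm -rf "$d"
}
demo
```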
      plat0nic

        So how does this affect Snort as a whole for us?
        I'm guessing the rules with this new (currently unsupported) parameter will simply go unparsed after it whines about it in logs.

        morbus

          Nope, if Snort gets one of these rules it c**ps itself and dies on startup, and won't go until you fix or remove the rule.

          plat0nic

            Well shit.
            Time for an update =\

            n1ko

              Any way to avoid this? Maybe someone has an older / fixed ruleset uploaded somewhere we could use?

              Just re-installed (after an HDD failure) pfSense and I am now getting this too.

              Hilozer

                I believe I have found the problem. The snort package is attempting to use the rules for the current version of snort. However, the packaged version is 2.6. There are compatible rule files for the older versions of snort (http://www.snort.org/pub-bin/downloads.cgi). I made the following changes and it seems to have corrected the problems with the rules.

                Change /usr/local/www/snort_download_rules.php lines 182 and 183.

                $snort_filename = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz";
                $snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";

                To

                $snort_filename = "snortrules-snapshot-2.6{$premium_subscriber}.tar.gz";
                $snort_filename_md5 = "snortrules-snapshot-2.6.tar.gz.md5";

                The best fix would probably be to update the snort package with the latest version of snort. However, this seems to allow the current version to work properly.

                Jim L.

                AhnHEL

                  Definitely fixed it Hilozer, many thanks.

                  A Snort Package Update would be fantastic.

                  AhnHEL (Angel)

                  n1ko

                    Fixed for me too, thanks a lot mate for the effort!

                    EDIT: weird thing here, now with a fresh install (on the same HDD/connection) Snort uses more than 2x more CPU. Actually it's hogging the whole machine. With the same settings (meaning ac-bnfa with the same rules) it didn't do this before. Wonder if it's related to this ruleset or some other kind of bug.

                    My specs:

                    10mb/2.5mb dsl bridged to pfsense
                    PIII 866mhz
                    512mb sdram
                    3com 905 + rt8139
                    I know the rt8139 sucks, but it has been working fine for me until now.
                    I have a spare 905 card I could swap if it makes any difference.

                    Any thoughts?

                    …although this is giving me a good excuse to upgrade this machine. PIII 866/512MB isn't that fast anyway.

                    AhnHEL

                      I'm not seeing a problem with the latest ruleset. Snort was blocking 4 IPs at the time of this screenshot.

                      [screenshot: top.jpg]

                      AhnHEL (Angel)

                      dpankros

                        @Hilozer:

                        Change /usr/local/www/snort_download_rules.php lines 182 and 183.

                        $snort_filename = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz";
                        $snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";

                        To

                        $snort_filename = "snortrules-snapshot-2.6{$premium_subscriber}.tar.gz";
                        $snort_filename_md5 = "snortrules-snapshot-2.6.tar.gz.md5";

                        The best fix would probably be to update the snort package with the latest version of snort. However, this seems to allow the current version to work properly.

                        It would be a shame to fix it for manual updates only to have it replaced on the next auto-update. Therefore, there is another place to change as well:
                        /usr/local/pkg/snort_check_for_rule_updates.php

                        The change is completely analogous to the quoted change and shouldn't need additional explanation.

                        Dave

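A check for dpankros' point that the download script and the auto-update script must agree on the pinned snapshot, added here as an example and not from the thread or the pfSense package. It assumes each script carries the snortrules-snapshot-... filename lines quoted above and runs on constructed stand-in files rather than the real /usr/local/www and /usr/local/pkg scripts.

```shell
#!/bin/sh
# Report the snortrules-snapshot tag (e.g. CURRENT or 2.6) a pfSense snort PHP script requests.
# Assumes the script carries "snortrules-snapshot-<TAG>..." filename lines like the ones quoted.
snapshot_tag() {
    sed -nE 's/.*snortrules-snapshot-([A-Z0-9]+(\.[0-9]+)*).*/\1/p' "$1" | sort -u
}

# Succeed only if every script given agrees on exactly one tag and that tag is not CURRENT,
# i.e. the manual fix was applied to both scripts and the next auto-update will not undo it.
check_pinned_tags() {
    tags=$(for f in "$@"; do snapshot_tag "$f"; done | sort -u)
    count=$(printf '%s\n' "$tags" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "mismatch: scripts request different snapshots: $(printf '%s ' $tags)"; return 1
    fi
    if [ "$tags" = "CURRENT" ]; then
        echo "unpinned: scripts still fetch the CURRENT snapshot"; return 1
    fi
    echo "pinned to snapshot $tags"; return 0
}

# Constructed stand-ins for the two scripts (not the real package files): $1 = path, $2 = tag.
write_stub() {
    cat > "$1" <<EOF
\$snort_filename = "snortrules-snapshot-$2{\$premium_subscriber}.tar.gz";
\$snort_filename_md5 = "snortrules-snapshot-$2.tar.gz.md5";
EOF
}

# Stand-alone demo: download script fixed, update script forgotten, then both fixed.
demo() {
    d=$(mktemp -d)
    write_stub "$d/snort_download_rules.php" 2.6
    write_stub "$d/snort_check_for_rule_updates.php" CURRENT
    check_pinned_tags "$d/snort_download_rules.php" "$d/snort_check_for_rule_updates.php" || true
    write_stub "$d/snort_check_for_rule_updates.php" 2.6
    check_pinned_tags "$d/snort_download_rules.php" "$d/snort_check_for_rule_updates.php" || true
    rm -rf "$d"
}
demo
```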