New Snort Package - Issues & Suggested Fixes

kevross33

Hi,

First of all thanks for updating the package and the great job of providing this functionality.

For reference this is the Snort version installed:

,,_ -> Snort! <-
o" )~ Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3

It isn't updating the latest snort rules even with a subscription oinkcode. I am not sure where the pulledpork/oinkmaster configuration file is but I think you need to point it at the 2.9.2.3 rules. New rules and new rules files such as INDICATION_OBFUSCATION by VRT are not available.
Javascript deobfuscation (deobfuscation) should be enabled in the HTTP preprocessor. Not really an issue but something worth while doing as it helps to remove obfuscation layers on potential web client/malware type attacks: http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html. It is just a normalize_javascript added to the HTTP preprocessor as shown in the previous blog yet the returns are so great.
ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.
Fatal Error, Quitting..

I don't even have this rule enabled yet it appears to be causing issues loading the shared object rules (in fact I have disabled all shared object rules: WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability

include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/emerging-info.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-netbios.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/emerging-worm.rules
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/snort_backdoor.rules
include $RULE_PATH/snort_bad-traffic.rules
include $RULE_PATH/snort_blacklist.rules
include $RULE_PATH/snort_botnet-cnc.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_file-identify.rules
include $RULE_PATH/snort_netbios.rules
include $RULE_PATH/snort_rpc.rules
include $RULE_PATH/snort_rservices.rules
include $RULE_PATH/snort_specific-threats.rules
include $RULE_PATH/snort_spyware-put.rules
include $RULE_PATH/snort_web-activex.rules
include $RULE_PATH/snort_web-client.rules
include $RULE_PATH/snort_x11.rules

Thank you again for providing this pfsense package.

Kindest Regards,
Kevin Ross

Cino

for item 1, look at my post here if you dont mind changing some code:
http://forum.pfsense.org/index.php/topic,50313.msg268002.html#msg268002

i dont have a sub, so i can't download 2923 rules, only 2922; which produced the same error as your item 3

miles267

Is there a fix for #3 yet?

Cino

@miles267:

Is there a fix for #3 yet?

with latest re-install, it looks like it is

cjbujold

Getting following error with latest install of snort after i do a Rule update.

snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

Cjb

Cino

@cjbujold:

Getting following error with latest install of snort after i do a Rule update.

snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

Cjb

goto every page and click 'Save'…also make sure you check off every pre-processor

Gradius

@Cino:

goto every page and click 'Save'…also make sure you check off every pre-processor

Checking off pre-processor just kill the good use of Snort!

Besides is NOT the solution.

Cino

@Gradius:

@Cino:

goto every page and click 'Save'…also make sure you check off every pre-processor

Checking off pre-processor just kill the good use of Snort!

Besides is NOT the solution.

i didn't mean to turn off every pre-processor… check off, meaning to click on every check box...

miles267

The fun continues. Now an even newer snort package has been released: Stable 2.9.2.3 pkg v. 2.2 platform: 2.0. Not able to install due to barnyard2-1.9_2 failure. Please advise of resolution.

Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.9_2.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/barnyard2-1.9_2.tbz.
of barnyard2-1.9_2 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for snort-2.9.2.3...done.
Starting package deletion for perl-threaded-5.12.4_4...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

Ibor Daru

Come on, what is happening with the various "failed to install" Snort packages lately… isn't there any debug and unit/system testing done before releasing it to the wild (we the end-users) with no return possibility to the previous version that was working?

I'm very sorry but even though it is a package it is not the least package. IMHO not good for the credibility of PFSense and almost an amateuristic way of working ....

sronsen

@Ibor:

Come on, what is happening with the various "failed to install" Snort packages lately… isn't there any debug and unit/system testing done before releasing it to the wild (we the end-users) with no return possibility to the previous version that was working?

I'm very sorry but even though it is a package it is not the least package. IMHO not good for the credibility of PFSense and almost an amateuristic way of working ....

. . .or a way to roll back to the last working package. Three days so far and no relief. Please just put the last working version back with the proper updates until this is all fixed. We all appreciate the voluntary contributions to the user community, but many of us have considerable $$$ invested in hardware and are dependent upon pfSense, Snort and other packages for our security.

asterix

Not sure why everything has to be changed in production packages and there is no dev/test environments for pfSense packages.
Considerable time and effort is wasted to troubleshoot and find out issue is with the package and not the user install and only to find out later that the package was changed/updated.

I appreciate the effort in providing voluntary help in developing packages.. but production environment is not the right place to update without testing the package with a good number of test users.

Also, why is there not a dedicated repository with 8.0, 8.1..etc compiled packages. Packages are referenced to FreeBSD sites rather than storing and referencing local pfsense repository. Anytime there is change at FreeBSD site pfSense packages get corrupted.

tritron

There is http://files.pfsense.org/packages/8/All/barnyard2 file so maybe we can work around the issue fetch http://files.pfsense.org/packages/8/All/barnyard2 mv barnyard2 barnyard2-1.9_2.tbz then pkg_add -r barnyard2-1.9_2.tbz
What if for i386 we use http://mirrors.syringanetworks.net/pub/FreeBSD/ports/i386/packages-stable/security/barnyard2-1.9_2.tbz
or http://mirrors.syringanetworks.net/pub/FreeBSD/ports/amd64/packages-stable/security/barnyard2-1.9_2.tbz for 64 bit

eri--

I added the javascript feature to the standard config option in newest snort.

For #1 i do not have an oink code so when its present it will get bumped to that version.

moe2006

Hi,

installing 2.9.2.3 pkg 2.2 worked after uninstalling and new installing the package on my system (with removing all settings).

But since the new version of snort is running on my network the are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesnt let the interface start. It tells me that I can't configure the global settings twice.

Thanks in advance...

miles267

@moe2006:

Hi,

installing 2.9.2.3 pkg 2.2 worked after deinstalling and new installing the package on my system (with removing all settings).

But since the new version of snort is running on my network the are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesnt let the interface start. It tells me that I can't configure the global settings twice.

Thanks in advance...

Moe, good find. Have you been able to resolve this? I too have encountered this same issue and have had no choice to add suppression rules for each HHTP inspect alert else SNORT fails to run for longer than a few minutes at a time. Since adding the suppress rules, it seems to stay running longer though fails at some point overnight and I must re-start. Have yet to pinpoint the cause.

Regardless, managing snort has become a painful process. If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

Thanks.

digdug3

@miles267:

@moe2006:

Hi,

installing 2.9.2.3 pkg 2.2 worked after deinstalling and new installing the package on my system (with removing all settings).

But since the new version of snort is running on my network the are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesnt let the interface start. It tells me that I can't configure the global settings twice.

Thanks in advance...

Moe, good find. Have you been able to resolve this? I too have encountered this same issue and have had no choice to add suppression rules for each HHTP inspect alert else SNORT fails to run for longer than a few minutes at a time. Since adding the suppress rules, it seems to stay running longer though fails at some point overnight and I must re-start. Have yet to pinpoint the cause.

Regardless, managing snort has become a painful process. If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

Thanks.

Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
Just add these to your suppression list:

(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

suppress gen_id 120, sig_id 3

(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

suppress gen_id 120, sig_id 6

(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

suppress gen_id 120, sig_id 8

(smtp) Base64 Decoding failed.

suppress gen_id 124, sig_id 10

(smtp) Quoted-Printable Decoding failed

suppress gen_id 124, sig_id 11

(smtp) 7bit/8bit/binary/text Extraction failed.

suppress gen_id 124, sig_id 12

moe2006

@digdug3:

@miles267:

@moe2006:

Hi,

installing 2.9.2.3 pkg 2.2 worked after deinstalling and new installing the package on my system (with removing all settings).

But since the new version of snort is running on my network the are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesnt let the interface start. It tells me that I can't configure the global settings twice.

Thanks in advance...

Moe, good find. Have you been able to resolve this? I too have encountered this same issue and have had no choice to add suppression rules for each HHTP inspect alert else SNORT fails to run for longer than a few minutes at a time. Since adding the suppress rules, it seems to stay running longer though fails at some point overnight and I must re-start. Have yet to pinpoint the cause.

Regardless, managing snort has become a painful process. If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

Thanks.

Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
Just add these to your suppression list:

(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

suppress gen_id 120, sig_id 3

(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

suppress gen_id 120, sig_id 6

(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

suppress gen_id 120, sig_id 8

(smtp) Base64 Decoding failed.

suppress gen_id 124, sig_id 10

(smtp) Quoted-Printable Decoding failed

suppress gen_id 124, sig_id 11

(smtp) 7bit/8bit/binary/text Extraction failed.

suppress gen_id 124, sig_id 12

Okay, suppressing these alerts seems to fix the problem for a while, but you always risk to miss attacks which use these kind of decoding… Hope this will be fixed when the snort package team has finished the snort_dev tests.

Moreover, when starting snort I'm getting some of these messages never seen before:
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13879, GID: 3 not registered properly. Disabling this rule.

perhaps something is wrong with the encoding / decoding…

ronnieredd

I have the following in my suppress list and still getting the http_inspect alerts:


suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 124, sig_id 10
suppress gen_id 124, sig_id 11
suppress gen_id 124, sig_id 12
suppress gen_id 1, sig_id 2013054

Screenshot.png_thumb

Screenshot-1.png_thumb

humps