Snort Custom Alerts


  • Galactic Empire

    I've been trying to set up custom alerts on my DMZ interface. Has anyone done anything similar?

    I've done the following for testing at the moment:

    1. Go into the DMZ interface under Snort.

    2. Edit DMZ Rules

    3. Category Selection and select custom rules.

    4. Added "alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1)"

    5. Saved then restarted snort on the DMZ interface.

    It appears to be running fine till the first ICMP when snort exits with a signal 11.

    Aug 9 17:10:57 kernel pid 79865 (snort), uid 0: exited on signal 11
    Aug 9 17:10:56 barnyard2 54735 Waiting for new data
    Aug 9 17:10:56 barnyard2 54735 Opened spool file '/var/log/snort/snort_igb0_vlan518233/snort_18233_igb0_vlan5.u2.1502295056'
    Aug 9 17:10:56 barnyard2 54735 Closing spool file '/var/log/snort/snort_igb0_vlan518233/snort_18233_igb0_vlan5.u2.1502294696'. Read 0 records
    Aug 9 17:10:27 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Snort START for DMZ(igb0_vlan5)…
    Aug 9 17:10:27 php-fpm 9124 /snort/snort_interfaces.php: Starting Snort on DMZ(igb0_vlan5) per user request...
    Aug 9 17:10:24 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for VOICE…
    Aug 9 17:10:22 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: VOICE…
    Aug 9 17:10:09 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: VOICE …
    Aug 9 17:10:06 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for DMZ…
    Aug 9 17:10:04 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: DMZ…
    Aug 9 17:09:51 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: DMZ …
    Aug 9 17:09:48 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for IOT…
    Aug 9 17:09:46 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: IOT…
    Aug 9 17:09:32 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: IOT …
    Aug 9 17:09:29 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for GUEST…
    Aug 9 17:09:27 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: GUEST…
    Aug 9 17:09:14 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: GUEST …
    Aug 9 17:09:11 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for USER…
    Aug 9 17:09:09 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: USER…
    Aug 9 17:08:56 php-fpm 9124 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: USER …
    Aug 9 17:06:12 php-fpm 30733 /snort/snort_rules.php: [Snort] Building new sid-msg.map file for DMZ…
    Aug 9 17:06:10 php-fpm 30733 /snort/snort_rules.php: [Snort] Enabling any flowbit-required rules for: DMZ…
    Aug 9 17:05:57 php-fpm 30733 /snort/snort_rules.php: [Snort] Updating rules configuration for: DMZ …



  • You are missing the CLASSIFICATION field in your rule.  I think due to some custom patches applied in the distant past to the CSV logging code in the Snort binary, certain missing fields in rule signatures cause NULL pointer issues and subsequent crashes.  I thought I had fixed those, but perhaps some bugs still survive.  I did not write that original code, but have been maintaining it for about three years.

    I have this report along with some others to look at that all seem related to the same core issue.  I will look into it for the next Snort update.

    Bill


  • Galactic Empire

    Thanks Bill, it's working a treat now :)

    alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)
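
Added example (not part of the thread and not code from the Snort package): a check to run over a custom rules file before saving it, flagging any rule that lacks classtype, the field whose absence Bill ties to the crash. The function names and the policy of also requiring msg, sid and rev are assumptions of this example; line 4 of the sample is constructed.

```python
import re

# Requiring classtype follows the maintainer's reply; also requiring msg, sid
# and rev is this example's own policy (assumption), not a Snort requirement.
REQUIRED = ("msg", "sid", "rev", "classtype")
RULE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^()]+\((.*)\)\s*$")

# Lines 2-3 are the two rules from the thread; line 4 is constructed.
SAMPLE = r'''# custom rules
alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1)
alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)
alert tcp any any -> any 80 (msg:"probe\; classtype:fake"; sid:1000002; rev:1;)
'''

def split_options(body):
    """Split the text between the parentheses on ';', honouring quotes and escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    opts.append("".join(cur).strip())  # last option may lack ';', as in the thread
    return [o for o in opts if o]

def missing_options(rule):
    """Return required option names absent from a rule, or None if not a rule line."""
    m = RULE.match(rule)
    if not m:
        return None
    present = {o.split(":", 1)[0].strip().lower() for o in split_options(m.group(1))}
    return [name for name in REQUIRED if name not in present]

def lint(text):
    """Return (line_number, missing_names) for each rule lacking a required option."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        missing = missing_options(line)
        if missing:
            findings.append((n, missing))
    return findings

if __name__ == "__main__":
    for lineno, missing in lint(SAMPLE):
        print(f"line {lineno}: missing {', '.join(missing)}")
```

The constructed fourth rule shows why the options are parsed rather than searched as text: the string "classtype:" appears inside its quoted msg, yet the rule still has no classtype option.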