Host Attribute Table
-
I just tried config max_attribute_hosts: 100 added to the Ubuntu installation and there was no error with less than 32 hosts. I will open that request. Thanks for the help
Bill
-
I have been troubleshooting this in debug mode for nearly a full day and still am coming up empty-handed in terms of finding the problem. The XML file is correct, but the parser within Snort thinks something is wrong.
Debugging is darn near impossible because the actual XML file parsing is done via a nested set of flex/yacc scripts that are used during compile time to produce C source and header files that then get compiled into the Snort executable. I can only trace the function execution a few steps and then lose it within all the unintentional obfuscation created by the nested flex/yacc scripts.
It keeps failing with the error message "... check the grammar around line 0 (<tag SNORT_ATTRIBUTES>) ..." and then gives the filename. However, the file validates just fine against the DTD file included with the Snort source code. I've searched for hidden characters within the file, tested with and without DOS line endings versus Linux line endings, and still have come up with nothing to identify the real issue.
I am going to put this bug search on pause while I work on completing the new Inline IPS mode feature. When finished with that, I will come back to this bug.
-
I'm happy to report SUCCESS in finding this problem! Turns out it is the choice to use yacc by the FreeBSD poudriere builder system instead of bison when compiling parts of the Snort binary. After some Google research, it seems bison is a newer program that implements the functionality of the older yacc program. bison is backwards compatible with yacc, but the opposite is not 100% true. The use of yacc during the pfSense Snort binary build produces some machine code that fails to properly read the host attributes XML file. When you compile Snort in a different environment, bison is most likely to be the default token parser and so Snort works when importing a host attributes XML file.
Look for this to be fixed in the upcoming release of Snort-2.9.13_1 on pfSense-2.5-DEVEL. We are forcing the Snort build on pfSense to use bison instead of defaulting to yacc. I am also going to report this issue to the FreeBSD upstream port maintainer for Snort.
-
That is great! Thank you for your efforts to address this. As I have a "production" system I will wait for the stable release.
Thanks again
Bill
-
@cTar said in Host Attribute Table:
That is great! Thank you for your efforts to address this. As I have a "production" system I will wait for the stable release.
Thanks again
Bill
Actually, the FreeBSD Ports maintainer incorporated my fix into the official release, so the pfSense team pulled that change into pfSense-2.4.4-RELEASE this morning. You should see an update for your Snort package in pfSense to version 3.2.9.8_6. That will install Snort binary version 2.9.12_2 which includes the Host Attribute Table fix. Test it and let me know how it works. My testing on pfSense-2.5 was successful.
-
I can confirm it is working on 2.4.4-RELEASE-p3 (amd64) with the latest Snort package.
Thanks again!
-
@cTar -- Good deal. Thanks for the feedback confirmation!