[RESOLVED] Snort OpenappID Rules - Syntax errors



  • Anyone know who the "volunteer maintainer" is for the file hosted at http://files.pfsense.org/openappid/appid_rules.tar.gz?

    There are syntax errors in the rules (missing the closing ")" on several rules) which cause snort to fail to start until you manually chase down each one. I did the work to identify and disable the troublesome rules so I could use the rest, and so will share the details below on which rules to disable and what categories they belong to, to save you guys some time until this is fixed.

    The error produced is FATAL ERROR: /usr/local/etc/snort/snort_{0}_igb{0}/rules/snort.rules({0}) Rule options must be enclosed in '(' and ')'.

    file_storage.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
    ads.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
    network_protocol.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"cisco_sysmaint";flow:from_client;appid:cisco_sysmaint; sid:70052 ; classtype:misc-activity; rev:1;
    social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"networker";flow:from_client;appid:networker; sid:71392 ; classtype:misc-activity; rev:1;
    social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sway";flow:from_client;appid:sway; sid:72795 ; classtype:misc-activity; rev:1;
    streaming_media.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"crackle";flow:from_client;appid:crackle; sid:70785 ; classtype:misc-activity; rev:1;
    webbrowser.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"epiphany";flow:from_client;appid:epiphany; sid:71186 ; classtype:misc-activity; rev:1;
    web_services.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ensighten";flow:from_client;appid:ensighten; sid:71488 ; classtype:misc-activity; rev:1;

    If someone knows where to file bug reports specifically for this hosted ruleset please let me know so they can be made aware and fix the errors.

    As a side note, volunteer maintainer or not (often the case with open source projects), if you are going to take ownership of something you should probably test it on your own system at least one time before you post updates for the whole community. This was one simple test away from preventing a bug in the "wild"; just check all the categories and reload snort and see if it actually loads if you don't have time to do anything more robust…

    Thanks
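    A pre-flight check for the problem described in this post, written as an added example (it is not from the thread, the pfSense package or the OpenAppID ruleset): it scans a .rules file for rules whose option block is not closed with ')', reports the 1-based line numbers that Snort's FATAL ERROR message references, and can comment those rules out so the rest of the file loads. The sample excerpt is constructed; apart from the two broken rules taken from the post, its rule names and sids are made up.

```python
"""Find Snort/OpenAppID rules whose option block is not closed with ')',
the defect described in the thread, and optionally comment them out.
Added example, not part of pfSense or the OpenAppID ruleset."""
import re

# A rule line starts with an action keyword; everything from the first '('
# onward is the option block, which Snort requires to end with ')'.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def is_rule_line(line):
    s = line.lstrip()
    return bool(s) and not s.startswith("#") and s.split(None, 1)[0] in ACTIONS

def find_unterminated_rules(text):
    """Return [(line_number, sid_or_None)] for single-line rules whose options
    are not wrapped in '(' ... ')'. Line numbers are 1-based, matching the
    snort.rules(N) reference in Snort's FATAL ERROR. Backslash-continued
    multi-line rules are not handled (OpenAppID rules are one per line)."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not is_rule_line(line):
            continue
        if "(" not in line or not line.rstrip().endswith(")"):
            m = SID_RE.search(line)
            bad.append((lineno, int(m.group(1)) if m else None))
    return bad

def disable_unterminated_rules(text):
    """Comment out the offending rules so the rest of the file still loads.
    Returns (new_text, sids_disabled). As the thread notes, a hand-edited
    rules file is overwritten by the next scheduled ruleset update."""
    bad = find_unterminated_rules(text)
    bad_lines = {ln for ln, _ in bad}
    out = ["# " + line if n in bad_lines else line
           for n, line in enumerate(text.splitlines(), start=1)]
    return "\n".join(out) + "\n", [sid for _, sid in bad]

# Constructed excerpt: two well-formed rules (made-up names and sids) around
# the two broken rules quoted in the post (rev:1 with no closing parenthesis).
SAMPLE = """# file_storage.rules (constructed excerpt)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"example_app_a"; flow:from_client; appid:example_app_a; sid:70001; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"example_app_b"; flow:from_client; appid:example_app_b; sid:70002; classtype:misc-activity; rev:1;)
"""

if __name__ == "__main__":
    for lineno, sid in find_unterminated_rules(SAMPLE):
        print(f"line {lineno}: sid {sid} is missing the closing ')'")
```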



  • @onyxfire:

    Anyone know who the "volunteer maintainer" is for the file hosted at http://files.pfsense.org/openappid/appid_rules.tar.gz?

    There are syntax errors in the rules (missing the closing ")" on several rules) which cause snort to fail to start until you manually chase down each one. I did the work to identify and disable the troublesome rules so I could use the rest, and so will share the details below on which rules to disable and what categories they belong to, to save you guys some time until this is fixed.

    The error produced is FATAL ERROR: /usr/local/etc/snort/snort_{0}_igb{0}/rules/snort.rules({0}) Rule options must be enclosed in '(' and ')'.

    file_storage.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
    ads.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
    network_protocol.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"cisco_sysmaint";flow:from_client;appid:cisco_sysmaint; sid:70052 ; classtype:misc-activity; rev:1;
    social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"networker";flow:from_client;appid:networker; sid:71392 ; classtype:misc-activity; rev:1;
    social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sway";flow:from_client;appid:sway; sid:72795 ; classtype:misc-activity; rev:1;
    streaming_media.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"crackle";flow:from_client;appid:crackle; sid:70785 ; classtype:misc-activity; rev:1;
    webbrowser.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"epiphany";flow:from_client;appid:epiphany; sid:71186 ; classtype:misc-activity; rev:1;
    web_services.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ensighten";flow:from_client;appid:ensighten; sid:71488 ; classtype:misc-activity; rev:1;

    If someone knows where to file bug reports specifically for this hosted ruleset please let me know so they can be made aware and fix the errors.

    As a side note, volunteer maintainer or not (often the case with open source projects), if you are going to take ownership of something you should probably test it on your own system at least one time before you post updates for the whole community. This was one simple test away from preventing a bug in the "wild"; just check all the categories and reload snort and see if it actually loads if you don't have time to do anything more robust…

    Thanks

    Agree with you.  I do know the OpenAppID rules were updated yesterday.  The pfSense team has contact with the developer.  Maybe they can get them fixed.

    My other sore point with Snort is the binary will complain and die when encountering bad rule syntax.  Suricata, on the other hand, will flag the error and then ignore the offending rule and continue loading.  Snort needs to do that.

    Just in case folks are confused, the issues discussed above are about the underlying Snort and Suricata binaries and not the GUI package you interact with on pfSense.  All the pfSense GUI package does is provide a pretty wrapper to help you create the Snort or Suricata config files the underlying binary uses to actually do the work.

    Bill



  • Same problem as @onyxfire.

    As he suggested, these rules should be disabled, since if you manually edit them to add the missing ")" at the end of the line, your edited file will be erased on the scheduled updates and snort will be disabled again.  :'(



  • I just disabled OpenAppID on my WAN interface and I am still getting the error…



  • Probably the rules are processed before the check of whether they must be applied to an interface, so you'll need to disable these rules or remove (not disable) OpenAppID



  • Today's update corrected the offending rules.



  • I received an email notice today about noon U.S. Eastern Time that the syntax problem was fixed and a solution was put in place to hopefully prevent it in the future.

    Bill



  • They did reply to my bug report that it was resolved as well. Was just able to test it today to confirm that it is indeed resolved. Thanks for the follow-up bmeeks