Snort intermittent Crash and snort Deamon stopped.
-
Need some help.
From time to time Snort will eventually crash and I notice that the Snort Daemon has stopped.
I've looked through the System Log and found this output from Snort:
Dec 13 20:54:17 snort 44229 Could not initialize the ssl_host_group_366 client app element: [string ""]:63: bad argument #1 to 'ipairs' (table expected, got nil)
Dec 13 20:54:17 snort 44229 AppInfo: AppId 7338 is UNKNOWN
Dec 13 20:54:17 snort 44229 AppInfo: AppId 7338 is UNKNOWN
Dec 13 20:54:17 snort 44229 AppInfo: AppId 4655 is UNKNOWN
Dec 13 20:54:17 snort 44229 AppInfo: AppId 4655 is UNKNOWN
Dec 13 20:54:17 snort 44229 AppId
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 2312, for 0x83f728b60 0x2073d9165880
Dec 13 20:54:17 snort 44229 AppInfo: AppId 2312 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 2314, for 0x83f728b60 0x2073d9165880
Dec 13 20:54:17 snort 44229 AppInfo: AppId 2314 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5336, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5336 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5337, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5337 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5338, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5338 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5339, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5339 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5340, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5340 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5341, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5341 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5342, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5342 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5343, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5343 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5344, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5344 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5345, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5345 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5346, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5346 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5347, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5347 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5348, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5348 is UNKNOWN
Dec 13 20:54:17 snort 44229 Invalid direct service AppId, 5349, for 0x83f728b60 0x2073d9167800
Dec 13 20:54:17 snort 44229 AppInfo: AppId 5349 is UNKNOWN
Dec 13 20:54:25 snort 44229 FATAL ERROR: /usr/local/etc/snort/snort_44557_igc1/rules/snort.rules(12558) Rule options must be enclosed in '(' and ')'.
-
@feins said in Snort intermittent Crash and snort Deamon stopped.:
Dec 13 20:54:25 snort 44229 FATAL ERROR: /usr/local/etc/snort/snort_44557_igc1/rules/snort.rules(12558) Rule options must be enclosed in '(' and ')'.
This line tells you the source of your problem. You have an invalid rule syntax on line #12558 in the file
/usr/local/etc/snort/snort_44557_igc1/rules/snort.rules.
If you are creating your own rules, or using some script provided by someone else to create AppID rules, that is likely the source of your problem.
-
But I never customize any rules.
All the rules are default.
-
@feins said in Snort intermittent Crash and snort Deamon stopped.:
But I never customize any rules.
All the rules are default.
Well, you very clearly have a rule syntax error. Snort is telling you exactly what it does not like right there in the system log. It is giving you the offending line number.
Open up that file in an editor and copy and paste the offending line back here and let's see what the rule's SID is and what category it is published in.
The Snort 2.9.x rules are published by the Snort Vulnerability Research Team and hosted on Amazon Web Services infrastructure. The Snort GUI package code pulls rules updates from there. I would expect that if there were an actual problem in the rules file that thousands of Snort users around the world would be complaining about it. That would include the approximately 20,000 or so Snort users on pfSense. I've seen no other posts here with a similar problem.
Thus that leads me to conclude your issue is specific to your configuration. The most likely cause of such a problem is customizing the rules. You have not in some manner attempted to use Snort3 rules have you? You cannot use Snort3 products on pfSense because Snort on pfSense is version 2.9.x.
-
I never create any rules myself all the rules are from the Snort Lan Categories.
The only thing I did was disable the rules whose alerts were causing my application to be blocked. Here is the rule from line 12558:
alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.is-a-teacher .com Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|is-a-teacher|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,help.dyn.com/list-of-dyn-dns-pro-remote-access-domain-names/; classtype:bad-unknown; sid:2042426; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)
-
@feins said in Snort intermittent Crash and snort Deamon stopped.:
I never create any rules myself all the rules are from the Snort Lan Categories.
The only thing I did was disable the rules whose alerts were causing my application to be blocked. Here is the rule from line 12558:
alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.is-a-teacher .com Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|is-a-teacher|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,help.dyn.com/list-of-dyn-dns-pro-remote-access-domain-names/; classtype:bad-unknown; sid:2042426; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)
I'm working on a Suricata issue at the moment, so give me a little time to reconfigure my test VM for Snort and I will test this rule. It appears to be coming from the ET-INFO category. Looking over it, I don't see any problem with the syntax.
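As an added example (not code from anyone in this thread, nor from the Snort or pfSense projects), here is a small Python checker that does what the earlier reply asks for and what the last reply does by hand: it scans a Snort 2.9.x rules file, flags any active rule whose options are not enclosed in '(' and ')' (the exact FATAL ERROR from the log above), and reports each rule's SID and msg so the line number Snort prints can be matched to a rule and category. It runs against a constructed sample that embeds rule sid:2042426 exactly as posted; the other sample rules, the deliberately broken copy, and the file path are assumptions, as is the treatment of '#'-prefixed lines as disabled rules.

```python
"""Check a Snort 2.9.x rules file for rules whose options are not wrapped in '(' ... ')'
and report the SID and msg of every active rule. Added example; assumptions are noted inline."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (NOT the poster's real snort.rules). Line 3 is rule sid:2042426 exactly
# as posted in the thread; line 4 is a constructed copy with the closing parenthesis removed so
# the check has something to report; line 5 is a rule commented out, which is assumed to be how
# a disabled rule appears in the generated file.
SAMPLE_RULES = """# constructed snort.rules excerpt
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule 1"; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.is-a-teacher .com Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|is-a-teacher|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,help.dyn.com/list-of-dyn-dns-pro-remote-access-domain-names/; classtype:bad-unknown; sid:2042426; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)
alert udp $HOME_NET any -> any 53 (msg:"constructed broken copy"; content:"|01|"; sid:1000002; rev:1;
# alert tcp any any -> any any (msg:"constructed disabled rule"; sid:1000003; rev:1;)
"""

SNORT_ERROR = "Rule options must be enclosed in '(' and ')'"


@dataclass
class Finding:
    lineno: int
    sid: Optional[int]
    msg: Optional[str]
    error: Optional[str]  # None when the rule parsed cleanly


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text between '(' and ')' into (keyword, value) pairs.
    Splits only on semicolons that are outside double quotes and not backslash-escaped,
    so a ';' inside an msg or content string does not break the rule apart."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    opts = []
    for part in parts:
        if part:
            key, _, val = part.partition(":")
            opts.append((key.strip(), val.strip()))
    return opts


def check_rule(line: str) -> Tuple[Optional[int], Optional[str], Optional[str]]:
    """Return (sid, msg, error) for one active, single-line rule.
    Multi-line rules (trailing backslash continuation) are not joined here."""
    line = line.rstrip()
    open_idx = line.find("(")
    if open_idx < 0 or not line.endswith(")"):
        return None, None, SNORT_ERROR  # the same complaint Snort logs as a FATAL ERROR
    try:
        opts = split_options(line[open_idx + 1:-1])
    except ValueError as exc:
        return None, None, str(exc)
    sid = msg = None
    for key, val in opts:
        if key == "sid" and val.isdigit():
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
    if sid is None:
        return None, msg, "missing sid"
    return sid, msg, None


def check_rules_text(text: str) -> List[Finding]:
    """Check every active rule line; blank and '#' lines are skipped (assumed disabled rules)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid, msg, err = check_rule(line)
        findings.append(Finding(lineno, sid, msg, err))
    return findings


def check_rules_file(path: str) -> List[Finding]:
    """Same check over a file on disk, e.g. the snort.rules path from the log line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_rules_text(fh.read())


def broken_lines(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.error]


if __name__ == "__main__":
    for f in check_rules_text(SAMPLE_RULES):
        status = f.error or "ok"
        print(f"line {f.lineno}: sid={f.sid} msg={f.msg!r} -> {status}")
```

Running it on the sample reports line 3 (sid 2042426) as clean, which matches the last reply's reading of the posted rule, and line 4 as failing with the same message Snort logged. To use it on a real pfSense install, call check_rules_file() with the path from the FATAL ERROR line and look at the Finding whose lineno matches the number in parentheses after the filename.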