Snort rule disable and enable button not working/all rules enabled/rule format



  • I have searched the forums for this particular problem and couldn't find anything like it;

    On the most recent pfSense AMD64 snapshot (2.1-DEVELOPMENT built on Wed Sep 7 12:44:48 EDT 2011) with Snort 2.9.0.5 and the most recent Snort free rules, I was attempting to disable rule 1047 (snort_web-misc.rules "WEB-MISC Netscape Enterprise DOS") by first clicking on the category id (snort_web-misc.rules) link like this:

    https://<pfsense-host>/snort/snort_rules.php?id=0&openruleset=/usr/local/etc/snort/<snort_rule_interface>/rules/snort_web-misc.rules

    and then in the individual rule list by clicking the disable/enable red "X" link like this:

    https://<pfsense-host>/snort/snort_rules.php?id=0&openruleset=/usr/local/etc/snort/<snort_rule_interface>/rules/snort_web-misc.rules&act=toggle&ids=33

    The page refreshed and the rule was still enabled, but the "proto" column field had a # prepended, so that instead of "tcp" it had "#alert" and the "tcp" was moved over to the next field to the right (source). I clicked it again and it prepended another one and moved some of the fields over again. Each time it added another "#" but the rule was still enabled.

    It looked like this:

    1047 #alert tcp… $EXTERNAL_NET ->... $HTTP_SERVERS WEB-MISC Netscape Enterprise DOS
    1047 # #alert... tcp any... -> WEB-MISC Netscape Enterprise DOS
    1047 # #... #alert $EXTERNAL_NET... any WEB-MISC Netscape Enterprise DOS

    I was able to fix this by clicking the edit rule button (the square "e" button to the right of each rule) and removing all of the "#" at the very beginning of the rule field, then clicking the "save" button. After the rules page refreshed the rule was now disabled. Now I could use the red "X" to disable and enable the rule without the "#" prepending.

    I checked a few other rules in the snort_web-misc.rules category and they also had this behavior, possibly an extraneous character (CR+LF) at the beginning of the original line?

    I just checked the original file and the rules that now are able to be disabled/enabled after editing them have either a space between the # at the beginning of the line and the rule start or no space:

    disabled:

    alert tcp...

    enabled:
    alert tcp...

    The unedited rules have this:

    enabled:
    #alert tcp...

    first disable:

    #alert tcp...

    --UPDATE --
    I read a few of the other recent posts about Snort and one said to reinstall Snort to get the latest changes, so I did that hoping it would solve the rule disable/enable problem. Nothing changed regarding that; the disable/enable button still doesn't work on some rules, they seem to be formatted differently than the rules edit page expects.

    Also, when I downloaded new rules the changes I had made to each individual rule were not saved, and it seems that all the rules are enabled in each category that I selected on the category page...

    --UPDATE--

    I was able to get this to go away by deleting all interfaces' rules and recreating them again. After that the rule disable/enable seemed to work fine, until pfSense was updated to the latest snapshot; then all rules show as enabled again, and disabling/enabling has no effect unless you go into each rule and manually remove the leading # marks and select the disable/enable radio button.

    The process to duplicate this seems to be some combination of:

    1.  setup snort normally, snort is running normally and you can enable/disable rules by clicking on the red X buttons in each category.

    2.  update pfSense, which uninstalls and reinstalls Snort

    3.  Snort will not start until you update the rules, which then starts Snort

    4.  each rule category that you had selected to be enabled/disabled is saved; all rules in an enabled category will be shown as enabled. Clicking the red X to disable a rule within any enabled category will have the effect above. Some rules may not do this, but most that I checked had this behavior. I tested with the snort_web-misc.rules, but even disabled rule categories show all rules as enabled...


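The toggle failure the first post describes (a `#` stacked in front of a rule that is already commented out, with the rule still reported as enabled) comes down to deciding a rule's state from the raw first character of the line instead of from a canonical form of the line. The following is an added example, not code from this thread or from the pfSense Snort package: a Python model of a rule-line toggle that strips every leading `#` and blank before it decides state, so that a line commented once, twice or three times parses identically and re-disabling it is a no-op, placed beside an assumed model of the broken behaviour. The sample rules file, the `naive_toggle` logic and all function names are constructed for illustration; the package's own PHP is not reproduced.

```python
import re

# Constructed sample rules file (not from the post). Line 2 is enabled,
# line 3 is disabled with the "# " spacing the post mentions, line 4 carries
# the stacked "#"s the broken toggle produced, and line 1 is an ordinary
# comment that must pass through untouched.
SAMPLE_RULES = """\
# --- constructed web-misc excerpt ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; sid:1047; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp"; sid:1000001; rev:1;)
# #alert udp any any -> any 53 (msg:"EXAMPLE dns"; sid:1000002; rev:1;)
"""

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LEAD_RE = re.compile(r"^[#\s]+")  # any run of '#' and whitespace at line start


def parse_rule(line):
    """Return (sid, enabled, canonical_body) for a rule line, else None.

    The canonical body has every leading '#' and blank stripped, so a line
    commented three times parses exactly like one commented once. Lines whose
    first token is not a Snort action (real comments, blanks) are not rules.
    """
    body = LEAD_RE.sub("", line.rstrip("\n"))
    head = body.split(None, 1)
    if not head or head[0] not in RULE_ACTIONS:
        return None
    m = SID_RE.search(body)
    if not m:
        return None
    enabled = not line.lstrip().startswith("#")
    return int(m.group(1)), enabled, body


def naive_toggle(line):
    """Assumed model of the broken behaviour (not the package's actual code):
    a line counts as disabled only when it begins with exactly "# ", and
    disabling prepends "# ". A rule stored as "#alert ..." is therefore seen
    as enabled and gains another "# " per click, giving the "# #alert" the
    thread shows."""
    if line.startswith("# "):
        return line[2:]
    return "# " + line


def set_enabled(line, enabled):
    """Rewrite a rule line to the requested state; idempotent on repeat calls."""
    parsed = parse_rule(line)
    if parsed is None:
        return line  # not a rule: comments and blanks pass through unchanged
    _, _, body = parsed
    return body if enabled else "# " + body


def toggle(line):
    """Flip a rule's state based on its canonical form, not its first byte."""
    parsed = parse_rule(line)
    if parsed is None:
        return line
    _, enabled, _ = parsed
    return set_enabled(line, not enabled)


def rule_states(text):
    """Map sid -> enabled for every rule line in a rules file."""
    states = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            states[parsed[0]] = parsed[1]
    return states


def rewrite_rules(text, sid, enabled):
    """Return the rules file with one SID set to the requested state."""
    out = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        out.append(set_enabled(line, enabled) if parsed and parsed[0] == sid else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rule_states(SAMPLE_RULES))
    print(rewrite_rules(SAMPLE_RULES, 1047, False))
```

The check worth keeping from this is the one in `parse_rule`: state is derived after the leading markers are stripped, and the writer emits a single `# ` from the canonical body, so no sequence of clicks can produce a stacked prefix, and a real comment line is never mistaken for a disabled rule.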

  • Just to confirm that I've been seeing similar behaviour - also on 64-bit pfSense.

    Matthew



  • One possible cause for this that I have found:

    I was testing the cron command that updates the rules by running it manually. The first time I got a few duplicate SID warnings. I went and disabled a few rules and re-enabled them and ran it again and got a bit different output.

    Line 15 is:
    enablesid

    Line 19 is:
    disablesid

    I then went and disabled/re-enabled a few more rules, and when I ran the update command I got more of the "WARNING: line xx in your oinkmaster_blah.conf is invalid" messages. All of the warning lines were either "enablesid" or "disablesid" with nothing more.

    Each time I disabled a rule and ran the update, it would add one more "disablesid" to the /usr/local/etc/snort/snort_<interface_id>/oinkmaster_<interface_id>.conf file, and each time I enabled a rule and ran the update it would add one more "enablesid" to the same file.

    I'm not sure how this relates to the problem, but it seems like Snort is not able to keep track of which rules are enabled/disabled properly, and when it merges the updates with the current rules it formats them in a way that the web interface cannot handle.

    Output below and the oinkmaster_blah.conf at the bottom:

    first time:

    [2.1-DEVELOPMENT][admin@pfsense]/root(19): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
    WARNING: duplicate SID: 3017 (discarding old)
    WARNING: duplicate SID: 17462 (discarding old)
    cp: /usr/local/etc/snort/generators: No such file or directory
    cp: /usr/local/etc/snort/sid: No such file or directory
    rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
    ls: /tmp/snort.sh.pid: No such file or directory
    rm: /tmp/snort_download_halt.pid: No such file or directory

    second time:

    [2.1-DEVELOPMENT][admin@pfsense]/root(19): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
    WARNING: duplicate SID: 3017 (discarding old)
    WARNING: duplicate SID: 17462 (discarding old)
    cp: /usr/local/etc/snort/generators: No such file or directory
    cp: /usr/local/etc/snort/sid: No such file or directory
    Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
    WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    Copying rules from /usr/local/etc/snort/rules... 76 files copied.
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Processing downloaded rules...
    WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
    disabled 0, enabled 0, modified 0, total=18870
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Comparing new files to the old ones... done.
    Updating local rules files... done.
    rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
    ls: /tmp/snort.sh.pid: No such file or directory
    rm: /tmp/snort_download_halt.pid: No such file or directory

    third time:

    [2.1-DEVELOPMENT][admin@pfsense]/root(24): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
    WARNING: duplicate SID: 3017 (discarding old)
    WARNING: duplicate SID: 17462 (discarding old)
    cp: /usr/local/etc/snort/generators: No such file or directory
    cp: /usr/local/etc/snort/sid: No such file or directory
    Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
    WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 16 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 17 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 18 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 20 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 21 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 22 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 26 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 27 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 28 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 29 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 30 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 31 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 32 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 33 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    Copying rules from /usr/local/etc/snort/rules... 76 files copied.
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Processing downloaded rules...
    WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
    disabled 0, enabled 0, modified 0, total=18870
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Comparing new files to the old ones... done.
    Updating local rules files... done.
    rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
    ls: /tmp/snort.sh.pid: No such file or directory
    rm: /tmp/snort_download_halt.pid: No such file or directory

    fourth time:

    [2.1-DEVELOPMENT][admin@pfsense]/root(33): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
    WARNING: duplicate SID: 3017 (discarding old)
    WARNING: duplicate SID: 17462 (discarding old)
    cp: /usr/local/etc/snort/generators: No such file or directory
    cp: /usr/local/etc/snort/sid: No such file or directory
    Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
    WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 16 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 17 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 18 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 20 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 21 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 22 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 23 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 27 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 28 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 29 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 30 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 31 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 32 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 33 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 34 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    WARNING: line 35 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
    Copying rules from /usr/local/etc/snort/rules... 76 files copied.
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Processing downloaded rules...
    WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
    disabled 0, enabled 0, modified 0, total=18870
    Setting up rules structures...
    WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
    WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
    done.
    Comparing new files to the old ones... done.
    Updating local rules files... done.
    rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
    ls: /tmp/snort.sh.pid: No such file or directory
    rm: /tmp/snort_download_halt.pid: No such file or directory

    [2.1-DEVELOPMENT][admin@pfsense]/root(35): cat /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf

    ###########################################
    #                                         #
    # this is auto generated on snort updates #
    #                                         #
    ###########################################

    path = /bin:/usr/bin:/usr/local/bin

    update_files = .rules$|.config$|.conf$|.txt$|.map$

    url = dir:///usr/local/etc/snort/rules

    enablesid
    enablesid
    enablesid
    enablesid
    enablesid
    enablesid
    enablesid
    enablesid
    enablesid

    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid

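The bare `enablesid` and `disablesid` lines in the conf above are exactly what oinkmaster reports as "line N ... is invalid, ignoring": the directive keyword is present but the SID list after it is empty, so every toggle the user made is silently dropped at update time and all rules come back enabled. As an added example, not code from this thread or from the pfSense package, here is a Python check that flags such lines the same way oinkmaster does and regenerates the section from a `{sid: enabled}` map, emitting a directive only when it actually has SIDs. The sample conf is constructed to match the shape shown in the post; the validator accepts the comma-separated SID form that oinkmaster's sample config documents and deliberately does not handle SID ranges or other directives, and all function names are illustrative.

```python
import re

# Constructed copy of the shape the thread's oinkmaster_<id>.conf took after
# several toggles: the directive keywords are written with no SIDs behind them.
BROKEN_CONF = """\
# this is auto generated on snort updates
path = /bin:/usr/bin:/usr/local/bin
update_files = .rules$|.config$|.conf$|.txt$|.map$
url = dir:///usr/local/etc/snort/rules

enablesid
enablesid

disablesid
disablesid
"""

# Only the two directives that appear in the thread are handled here.
DIRECTIVE_RE = re.compile(r"^\s*(enablesid|disablesid)\b(.*)$")
# A comma-separated list of numeric SIDs, e.g. "1047, 1048"; ranges are not handled.
SID_LIST_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def validate_conf(text):
    """Return (line_number, stripped_line) for every SID directive that
    oinkmaster would reject, i.e. a keyword with no valid SID list after it."""
    bad = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if m and not SID_LIST_RE.match(m.group(2)):
            bad.append((n, line.strip()))
    return bad


def render_sid_section(states):
    """Build enablesid/disablesid lines from a {sid: enabled} map.

    A directive whose list would be empty is omitted rather than written bare,
    which is the single rule that keeps the file valid.
    """
    enabled = sorted(sid for sid, on in states.items() if on)
    disabled = sorted(sid for sid, on in states.items() if not on)
    lines = []
    if enabled:
        lines.append("enablesid " + ", ".join(map(str, enabled)))
    if disabled:
        lines.append("disablesid " + ", ".join(map(str, disabled)))
    return lines


def repair_conf(text, states):
    """Drop every existing SID directive, valid or not, and append one freshly
    rendered block so the file carries exactly one authoritative set of lines
    derived from the caller's state map."""
    kept = [line for line in text.splitlines() if not DIRECTIVE_RE.match(line)]
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept + [""] + render_sid_section(states)) + "\n"


if __name__ == "__main__":
    for lineno, line in validate_conf(BROKEN_CONF):
        print("line %d is invalid: %r" % (lineno, line))
    states = {1047: False, 2003: True, 1000001: False}
    print(repair_conf(BROKEN_CONF, states))
```

Run against the broken conf, `validate_conf` reports lines 6, 7, 9 and 10, matching the numbering pattern in the warnings above; after `repair_conf` it reports nothing, because the state map, not the accumulated history of clicks, is what the directives are rendered from.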
