    Snort rule disable and enable button not working/all rules enabled/rule format

    pfSense Packages
      iamzam last edited by

      I have searched the forums for this particular problem and couldn't find anything like it;

      On the most recent pfSense AMD64 snapshot (2.1-DEVELOPMENT built on Wed Sep 7 12:44:48 EDT 2011) with snort 2.9.0.5 and the most recent snort free rules, I was attempting to disable rule 1047 (snort_web-misc.rules "WEB-MISC Netscape Enterprise DOS") by first clicking on the category id (snort_web-misc.rules) link like this:

      https://<pfsense-host>/snort/snort_rules.php?id=0&openruleset=/usr/local/etc/snort/<snort_rule_interface>/rules/snort_web-misc.rules

      and then in the individual rule list by clicking the disable/enable red "X" link like this:

      https://<pfsense-host>/snort/snort_rules.php?id=0&openruleset=/usr/local/etc/snort/<snort_rule_interface>/rules/snort_web-misc.rules&act=toggle&ids=33

      The page refreshed and the rule was still enabled, but the "proto" column field had a # prepended so that instead of "tcp" it had "#alert" and the "tcp" was moved over to the next field to the right (source).   I clicked it again and it prepended another one and moved some of the fields over again.  Each time it added another "#" but the rule was still enabled.

      looked like this:

      1047 #alert tcp… $EXTERNAL_NET ->... $HTTP_SERVERS WEB-MISC Netscape Enterprise DOS
      1047 # #alert... tcp any... -> WEB-MISC Netscape Enterprise DOS
      1047 # #... #alert $EXTERNAL_NET... any WEB-MISC Netscape Enterprise DOS

      I was able to fix this by clicking the edit rule button (the square "e" button to the right of each rule) and removing all of the "#" at the very beginning of the rule field, then clicking the "save" button.  After the rules page refreshed the rule was now disabled.  Now I could use the red "X" to disable and enable the rule without the "#" prepending.

      I checked a few other rules in the snort_web-misc.rules category and they also had this behavior, possibly an extraneous character (CR+LF) at the beginning of the original line?

      I just checked the original file and the rules that now are able to be disabled/enabled after editing them have either a space between the # at the beginning of the line and the rule start or no space:

      disabled:

      alert tcp...

      enabled:
      alert tcp...

      The unedited rules have this:

      enabled:
      #alert tcp...

      first disable:

      #alert tcp...

      --UPDATE --
      I read a few of the other recent posts about snort and one said to reinstall snort to get the latest changes, so I did that hoping it would solve the rule disable/enable problem.  Nothing changed regarding that; the disable/enable button still doesn't work on some rules, they seem to be formatted differently than the rules edit page expects.

      Also, when I downloaded new rules the changes I had made to each individual rule were not saved and it seems that all the rules are enabled in each category that I selected on the category page...

      --UPDATE--

      I was able to get this to go away by deleting all interfaces rules and recreating them again.  After that the rule disable/enable seemed to work fine, until pfSense was updated to the latest snapshot, then all rules show as enabled again, and disabling/enabling has no effect unless you go into each rule and manually remove the leading # marks and select the disable/enable radio button.

      The process to duplicate this seems to be some combination of:

      1.  set up snort normally; snort is running normally and you can enable/disable rules by clicking on the red X buttons in each category.

      2.  update pfSense, which uninstalls and reinstalls snort

      3.  snort will not start until you update the rules, which then starts snort

      4.  each rule category that you had selected to be enabled/disabled is saved, and all rules in an enabled category will be shown as enabled.  Clicking the red X to disable a rule within any enabled category will have the effect above.  Some rules may not do this, but most that I checked had this behavior; I tested with the snort_web-misc.rules but even disabled rule categories show all rules as enabled...

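The post above describes a toggle that keeps prepending "#" instead of flipping the rule's state, and a manual fix that strips every leading "#" before the rule. The following is an added example, not code from the thread or from the pfSense Snort package: a small parser that locates a Snort rule by SID, reports whether it is enabled, and toggles it so that a disabled rule carries exactly one leading "# " and an enabled one carries none, normalising a damaged prefix such as "# #alert" on the way. The rule text in SAMPLE_RULES is constructed sample data; only SID 1047 and its message come from the thread, and the two 9000xx SIDs are made up.

```python
"""Added example: robust enable/disable toggle for Snort rule lines (not from
the thread or the pfSense Snort package)."""
import re

# Constructed sample rules file: one enabled rule, one cleanly disabled rule,
# and one rule damaged the way the thread describes ("# #alert ...").
SAMPLE_RULES = """\
# constructed sample, not a real snort_web-misc.rules file
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; sid:1047; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED rule two"; sid:900001; rev:1;)
# #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED rule three"; sid:900002; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
# Any run of '#' and whitespace in front of a rule action is a "disabled" marker,
# however many '#' characters a broken toggle has piled up.
_PREFIX_RE = re.compile(r"^(?P<prefix>[#\s]*)(?P<body>(?:" + "|".join(ACTIONS) + r")\s.*)$")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_line(line):
    """Return (sid, enabled, body) for a rule line, or None for non-rule lines."""
    m = _PREFIX_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sid_m = _SID_RE.search(m.group("body"))
    if not sid_m:
        return None  # looks like a rule but carries no sid: treat as a comment
    disabled = "#" in m.group("prefix")
    return int(sid_m.group(1)), not disabled, m.group("body")


def _find(lines, sid):
    """Index and parsed tuple of the first line carrying the given SID."""
    for i, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed and parsed[0] == sid:
            return i, parsed
    return None, None


def rule_state(text, sid):
    """True if the rule is enabled, False if disabled, None if not present."""
    _, parsed = _find(text.split("\n"), sid)
    return None if parsed is None else parsed[1]


def set_rule(text, sid, enabled):
    """Rewrite the rule line with exactly one '# ' when disabled and none when
    enabled; a damaged prefix like '# #' is normalised away in both cases."""
    lines = text.split("\n")
    idx, parsed = _find(lines, sid)
    if parsed is None:
        raise KeyError("sid %d not found" % sid)
    body = parsed[2]
    lines[idx] = body if enabled else "# " + body
    return "\n".join(lines)


def toggle_rule(text, sid):
    """Flip the rule's state: the operation the red X button is meant to perform."""
    state = rule_state(text, sid)
    if state is None:
        raise KeyError("sid %d not found" % sid)
    return set_rule(text, sid, not state)


if __name__ == "__main__":
    text = SAMPLE_RULES
    for sid in (1047, 900001, 900002):
        print(sid, "enabled" if rule_state(text, sid) else "disabled")
    text = toggle_rule(text, 900002)  # "# #alert" becomes a clean enabled rule
    print(text)
```

The point of reading the prefix as a character class rather than a single "#" is that the parser never produces the "# #alert" state the post shows: whatever it finds in front of the action word, it writes back either nothing or a single "# ".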
        mdovey last edited by

        Just to confirm that I've been seeing similar behaviour - also on 64-bit pfSense.

        Matthew

          iamzam last edited by

          One possible cause for this that I have found:

          I was testing the cron command that updates the rules by running it manually.  The first time I got a few duplicate SID warnings.  I went and disabled a few rules and re-enabled them and ran it again and got a bit different output.

          Line 15 is:
          enablesid

          Line 19 is:
          disablesid

          I then went and disabled/re-enabled a few more rules, and when I ran the update command I got more of the "WARNING: line xx in your oinkmaster_blah.conf is invalid" messages.  All of the warning lines were either "enablesid" or "disablesid" with nothing more.

          Each time I disabled a rule and ran the update, it would add one more "disablesid" to the /usr/local/etc/snort/snort_<interface_id>/oinkmaster_<interface_id>.conf file and each time I enabled a rule and ran the update it would add one more "enablesid" to the same file.

          I'm not sure how this relates to the problem, but it seems like snort is not able to keep track of which rules are enabled/disabled properly and when it merges the updates with the current rules it formats them in a way that the web interface cannot handle.

          Output below and the oinkmaster_blah.conf at the bottom:

          first time:

          [2.1-DEVELOPMENT][admin@pfsense]/root(19): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
          WARNING: duplicate SID: 3017 (discarding old)
          WARNING: duplicate SID: 17462 (discarding old)
          cp: /usr/local/etc/snort/generators: No such file or directory
          cp: /usr/local/etc/snort/sid: No such file or directory
          rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
          ls: /tmp/snort.sh.pid: No such file or directory
          rm: /tmp/snort_download_halt.pid: No such file or directory

          second time:

          [2.1-DEVELOPMENT][admin@pfsense]/root(19): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
          WARNING: duplicate SID: 3017 (discarding old)
          WARNING: duplicate SID: 17462 (discarding old)
          cp: /usr/local/etc/snort/generators: No such file or directory
          cp: /usr/local/etc/snort/sid: No such file or directory
          Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
          WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          Copying rules from /usr/local/etc/snort/rules… 76 files copied.
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Processing downloaded rules...
          WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
          disabled 0, enabled 0, modified 0, total=18870
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Comparing new files to the old ones... done.
          Updating local rules files... done.
          rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
          ls: /tmp/snort.sh.pid: No such file or directory
          rm: /tmp/snort_download_halt.pid: No such file or directory

          third time:

          [2.1-DEVELOPMENT][admin@pfsense]/root(24): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
          WARNING: duplicate SID: 3017 (discarding old)
          WARNING: duplicate SID: 17462 (discarding old)
          cp: /usr/local/etc/snort/generators: No such file or directory
          cp: /usr/local/etc/snort/sid: No such file or directory
          Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
          WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 16 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 17 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 18 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 20 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 21 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 22 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 26 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 27 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 28 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 29 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 30 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 31 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 32 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 33 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          Copying rules from /usr/local/etc/snort/rules… 76 files copied.
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Processing downloaded rules...
          WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
          disabled 0, enabled 0, modified 0, total=18870
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Comparing new files to the old ones... done.
          Updating local rules files... done.
          rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
          ls: /tmp/snort.sh.pid: No such file or directory
          rm: /tmp/snort_download_halt.pid: No such file or directory

          fourth time:

          [2.1-DEVELOPMENT][admin@pfsense]/root(33): /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
          WARNING: duplicate SID: 3017 (discarding old)
          WARNING: duplicate SID: 17462 (discarding old)
          cp: /usr/local/etc/snort/generators: No such file or directory
          cp: /usr/local/etc/snort/sid: No such file or directory
          Loading /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf
          WARNING: line 15 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 16 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 17 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 18 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 19 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 20 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 21 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 22 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 23 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 27 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 28 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 29 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 30 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 31 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 32 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 33 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 34 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          WARNING: line 35 in /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf is invalid, ignoring
          Copying rules from /usr/local/etc/snort/rules… 76 files copied.
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Processing downloaded rules...
          WARNING: duplicate SID in downloaded archive, SID=17462, only keeping rule with highest 'rev'
          disabled 0, enabled 0, modified 0, total=18870
          Setting up rules structures...
          WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
          WARNING: duplicate SID in your local rules, SID 17462 exists multiple times, you may need to fix this manually!
          done.
          Comparing new files to the old ones... done.
          Updating local rules files... done.
          rm: /usr/local/etc/snort/tmp/rules_bk: No such file or directory
          ls: /tmp/snort.sh.pid: No such file or directory
          rm: /tmp/snort_download_halt.pid: No such file or directory

          [2.1-DEVELOPMENT][admin@pfsense]/root(35): cat /usr/local/etc/snort/snort_49866_em0/oinkmaster_49866_em0.conf

          ###########################################
          #                                         #

          this is auto generated on snort updates

          #                                         #
          ###########################################

          path = /bin:/usr/bin:/usr/local/bin

          update_files = .rules$|.config$|.conf$|.txt$|.map$

          url = dir:///usr/local/etc/snort/rules

          enablesid
          enablesid
          enablesid
          enablesid
          enablesid
          enablesid
          enablesid
          enablesid
          enablesid

          disablesid
          disablesid
          disablesid
          disablesid
          disablesid
          disablesid
          disablesid
          disablesid
          disablesid

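The warnings quoted above come from oinkmaster rejecting "enablesid" and "disablesid" lines that carry no SID list. As an added example (not the thread's or the pfSense Snort package's code), here is a checker that reports such bare directives in an oinkmaster.conf, collects the SIDs from the well-formed ones, and rebuilds the directive section as oinkmaster expects it, one directive per state with the SIDs comma-separated. SAMPLE_CONF is constructed to mirror the file printed at the end of the post (the comment banner text is reconstructed); the SID values 1047 and 900001 in it are sample data, and the functions are hypothetical helpers, not part of the package.

```python
"""Added example: lint and rebuild the enablesid/disablesid directives of an
oinkmaster.conf (not from the thread or the pfSense Snort package)."""
import re

# Constructed config modelled on the file shown in the thread: two bare
# "enablesid" lines, one bare "disablesid" and one well-formed directive.
SAMPLE_CONF = """\
###########################################
#  this is auto generated on snort updates #
###########################################

path = /bin:/usr/bin:/usr/local/bin

update_files = .rules$|.config$|.conf$|.txt$|.map$

url = dir:///usr/local/etc/snort/rules

enablesid
enablesid

disablesid
disablesid 1047, 900001
"""

# oinkmaster expects "enablesid <sid>[, <sid> ...]" / "disablesid <sid>[, ...]";
# a directive with nothing after the keyword is what it reports as invalid.
_SID_DIRECTIVE = re.compile(r"^\s*(enablesid|disablesid)\b(.*)$")
_SID_LIST = re.compile(r"^\s+\d+(\s*,\s*\d+)*\s*$")


def lint_conf(text):
    """Return [(line_number, reason)] for every malformed SID directive."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _SID_DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines and other keys are not checked here
        keyword, rest = m.group(1), m.group(2)
        if not rest.strip():
            problems.append((n, "%s has no SID list" % keyword))
        elif not _SID_LIST.match(rest):
            problems.append((n, "%s has a malformed SID list: %r" % (keyword, rest.strip())))
    return problems


def collect_sids(text):
    """Return (enabled_sids, disabled_sids) gathered from well-formed directives."""
    enabled, disabled = set(), set()
    for line in text.splitlines():
        m = _SID_DIRECTIVE.match(line)
        if not m or not _SID_LIST.match(m.group(2)):
            continue
        sids = {int(s) for s in m.group(2).split(",")}
        (enabled if m.group(1) == "enablesid" else disabled).update(sids)
    return enabled, disabled


def render_directives(enabled, disabled):
    """Directive lines the updater should write: one per state, SIDs listed."""
    if enabled & disabled:
        raise ValueError("SIDs both enabled and disabled: %s" % sorted(enabled & disabled))
    lines = []
    if enabled:
        lines.append("enablesid " + ", ".join(str(s) for s in sorted(enabled)))
    if disabled:
        lines.append("disablesid " + ", ".join(str(s) for s in sorted(disabled)))
    return lines


def rebuild_conf(text, enabled, disabled):
    """Drop every enablesid/disablesid line (bare or not) and append clean ones."""
    kept = [l for l in text.splitlines() if not _SID_DIRECTIVE.match(l)]
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept + [""] + render_directives(enabled, disabled)) + "\n"


if __name__ == "__main__":
    for n, reason in lint_conf(SAMPLE_CONF):
        print("line %d: %s" % (n, reason))
    en, dis = collect_sids(SAMPLE_CONF)
    print(rebuild_conf(SAMPLE_CONF, en | {1047}, dis - {1047}))
```

Run against the constructed file this flags lines 11, 12 and 14, which is the same shape of report as the "line 15 ... is invalid, ignoring" warnings in the post; rebuilding from an explicit enabled/disabled set removes the accumulated bare lines instead of appending to them.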