Snort Rule Update Problem



  • Hey guys, I'm having a problem with Snort & its ruleset(s). I run a TeamSpeak 3 server & there is this one rule for MSN Messenger that it keeps blocking people for. Some of the people it blocks aren't even using MSN Messenger, & I'm not sure what triggers the rule, but it's basically a false positive. So I just decided to disable the rule.

    However, the problem I'm having is that when I update my ruleset(s), it gets to this one step where it says "reapplying enabled/disabled rules", but it fails to reapply my disabled MSN Messenger rule & then people start getting banned again.

    Obviously snort has the programming there to reapply enabled/disabled rules after an update, it’s just not happening. Is anyone else having this problem on the latest snort release?

    AMD64, 2.1 Developmental Release



  • Yes, I have the same problem with the latest Snort 2.9.0.5 pkg v. 2.0 (on 2.0). I have currently enabled the snort_icmp-info.rules category. But it was too harsh, so I have disabled:
    SID 382 ICMP PING Windows
    SID 385 ICMP traceroute
    SID 384 ICMP PING
    SID 449 ICMP Time-To-Live Exceeded in Transit <– which is a false positive that occurs on a traceroute
    SID 408 ICMP Echo Reply
    I did the same on each of my pair of syncing pfSense boxes, and then, as I was suspicious that the disabled flag was not getting remembered, I made a backup of this rules file. That was yesterday. Snort auto-updated the rules at midnight last night. I just diffed the new file with my backup from yesterday, and the new file on one of my pfSense boxes has all of these rules no longer disabled, and the other pfSense box has all of these no longer disabled, except for one rule! This rule has been changed to lose the space after the #, though, like this (final difference):

    # diff -u snort_icmp-info.rules.bak snort_icmp-info.rules
    --- snort_icmp-info.rules.bak   2011-10-20 13:42:52.000000000 +0100
    +++ snort_icmp-info.rules       2011-10-21 00:04:03.000000000 +0100
    @@ -44,9 +44,9 @@
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
    -# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
    -# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
    -# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
    +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
    +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
    +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
     alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
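    Review bot: the three rules re-enabled in this hunk (sid:382, sid:385, sid:384) were disabled in the backup as `# alert ...`, with a space after the `#`, which is a hand edit of the rules file rather than a marker the updater wrote itself; the `+` lines show the update regenerating the file from upstream and keeping nothing of that edit. A disable that has to survive updates therefore needs to live in the generated oinkmaster configuration as `disablesid 382, 384, 385`, and the first thing to verify after an update is that those SIDs actually appear on a `disablesid` line there.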
    @@ -69,7 +69,7 @@
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
    -# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
    +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
    @@ -105,7 +105,7 @@
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
    -# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
    +#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
     alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
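    Review bot: sid:449 is the one rule that stays disabled, and its marker changes from `# alert` (hand edit) to `#alert` (no space), which is the form oinkmaster writes when a `disablesid` entry matches a rule; so the update did not preserve the edit, it re-applied a disable from its own list, and 449 is the only SID that list contained. The difference between this hunk and the four rules re-enabled above points at the generated `disablesid` lines, not at the rules file, so compare the oinkmaster conf for 449 present and 382/384/385/408 missing.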


  • Snort 2.9.0.5 on amd64 2.0 is forgetting my disabled rules on each update as well.

    Looking at the "autogenerated" /usr/local/etc/snort/snort_nnnnn_em0/oinkmaster_nnnnn_em0.conf file, I see many lines starting with "disablesid" but with no SID number following the command. Maybe there's an issue with whatever process generates that file.



  • Here's what the gui is writing to oinkmaster.conf every time snort updates:

    
    enablesid
    enablesid
    
    disablesid 2002878
    disablesid 2007695
    disablesid 2001595
    disablesid 2002157
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    disablesid
    
    

    Even though there is a valid line for 2002878 and 2007695 I am seeing those alerts.
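    The two symptoms in this thread (rules coming back after an update, and `disablesid` lines written with no SID) can both be checked mechanically. The following is an added example, not code from the thread, from the pfSense Snort package or from oinkmaster; it assumes the rules-file and oinkmaster.conf formats shown in the posts above (a rule line carries `sid:NNN;`, a disabled rule starts with `#`, and `enablesid`/`disablesid` take a comma-separated SID list). The sample rule lines and conf lines embedded in it are constructed for illustration and shortened from the ones quoted above.

```python
import re

# Constructed sample in the shape of snort_icmp-info.rules after an update:
# 382 and 408 came back active, 385 keeps a hand-edited "# " marker,
# 449 keeps the "#" marker oinkmaster writes, and 384 is absent entirely.
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; classtype:misc-activity; sid:382; rev:7;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; classtype:attempted-recon; sid:385; rev:4;)
#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
"""

# Constructed sample in the shape of the generated oinkmaster.conf quoted above.
SAMPLE_OINK = """\
enablesid
enablesid

disablesid 2002878
disablesid 2007695
disablesid
disablesid
"""

# sid:NNN; inside the rule options; the same pattern works for any Snort rules file.
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

# Directives whose argument must be a SID list (oinkmaster accepts "1, 2, 3").
SID_DIRECTIVES = ('enablesid', 'disablesid', 'localsid')
SID_LIST_RE = re.compile(r'^\d+(\s*,\s*\d+)*$')


def rule_states(text):
    """Map each SID found in a rules file to True (active) or False (commented out)."""
    states = {}
    for line in text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not stripped or not m:
            continue
        # A rule is disabled whether the marker is "#alert" or "# alert".
        states[int(m.group(1))] = not stripped.startswith('#')
    return states


def still_active(text, wanted_disabled):
    """SIDs from wanted_disabled that are present and active in the rules file, sorted.

    A SID that is absent from the file cannot fire, so it is not reported.
    """
    states = rule_states(text)
    return sorted(sid for sid in wanted_disabled if states.get(sid) is True)


def malformed_oinkmaster_lines(text):
    """(line number, line) pairs for enablesid/disablesid/localsid lines with no valid SID list."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        parts = stripped.split(None, 1)
        if parts[0] not in SID_DIRECTIVES:
            continue
        if len(parts) < 2 or not SID_LIST_RE.match(parts[1].strip()):
            bad.append((n, stripped))
    return bad


if __name__ == '__main__':
    wanted = {382, 384, 385, 408, 449}
    print('disabled SIDs that are active again:', still_active(SAMPLE_RULES, wanted))
    for n, line in malformed_oinkmaster_lines(SAMPLE_OINK):
        print(f'oinkmaster.conf line {n}: directive without SID list: {line!r}')
```

Run against the real files by reading /usr/local/etc/snort/snort_nnnnn_em0/snort_icmp-info.rules and the matching oinkmaster conf into the two functions; a non-empty result from `still_active` after a scheduled update is the bug described above, and the `malformed_oinkmaster_lines` output shows whether the generated conf, rather than the rules file, is where the SIDs were lost.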



  • I was browsing through the pfSense bug tracker & see someone has actually already reported this. I commented on the bug stating I was having the same problem. Guess all we can do is wait for it to be fixed. However at this time I can't even get Snort operational so the point is moot.

