Snort 2.6.8.1 HTTP Preprocessor issues



  • Hi Forum,

    I'm running pfSense 1.2.3 in a couple of production environments and manage them for clients remotely via VPN access on a monthly basis. Recently, I have been having issues with Snort when it comes to the HTTP Preprocessor.

    Here are the packages installed on all boxes (same for about 28 individual boxes):

    $ pkg_info
    apache-2.2.11_7    Version 2.2.x of Apache web server with prefork MPM.
    apr-1.3.5.1.3.7_3  Apache Portability Library
    apr-gdbm-db42-1.3.5.1.3.7_3 Apache Portability Library
    cyrus-sasl-2.1.23_3 RFC 2222 SASL (Simple Authentication and Security Layer)
    db41-4.1.25_4      The Berkeley DB package, revision 4.1
    db42-4.2.52_5      The Berkeley DB package, revision 4.2
    expat-2.0.1        XML 1.0 parser written in C
    gd-2.0.35,1        A graphics library for fast creation of images
    gdbm-1.8.3_3        The GNU database manager
    jpeg-6b_4          IJG's jpeg compression utilities
    libdnet-1.11_2      A simple interface to low level networking routines
    libiconv-1.11_1    A character set conversion library
    lightsquid-1.7.1_1  A light and fast web based squid proxy traffic analyser
    lua-5.1.3_3        Small, compilable scripting language providing easy access
    mysql-client-5.0.77 Multithreaded SQL database (client)
    mysql-client-5.0.83 Multithreaded SQL database (client)
    mysql-client-5.1.50_1 Multithreaded SQL database (client)
    nmap-4.76          Port scanning utility for large networks
    ntop-3.3.8          Network monitoring tool with command line and web interface
    openldap-sasl-client-2.4.25_1 Open source LDAP client implementation with SASL2 support
    p5-GD-2.39          A perl5 interface to Gd Graphics Library version2
    pcre-7.8            Perl Compatible Regular Expressions library
    pcre-7.9            Perl Compatible Regular Expressions library
    pcre-8.10          Perl Compatible Regular Expressions library
    perl-5.10.1_3      Practical Extraction and Report Language
    perl-5.8.8_1        Practical Extraction and Report Language
    perl-5.8.9_3        Practical Extraction and Report Language
    pkg-config-0.23_1  A utility to retrieve information about installed libraries
    postgresql-client-8.2.13 PostgreSQL database (client)
    snort-2.8.6.1      Lightweight network intrusion detection system
    sqlite3-3.6.10      An SQL database engine in a C library w/ Tcl wrapper
    sqlite3-3.6.14.2    An SQL database engine in a C library
    squid-2.7.9        HTTP Caching Proxy
    squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later

    That's where the Snort error comes in. If I disable the HTTP preprocessor then Snort works great. After searching and looking at the two posts I found, it's highlighted that it's happening due to a missing Zlib?? pfSense 1.2.3 won't let me add the lzlib package to test it out. By the way, I'm only using Emerging Threats and not using Snort rules because they won't download anyway, but that's OK. The real issue is with the HTTP Preprocessor. I even tried to remove and reinstall the Snort package, but it doesn't work and the error stays for good.

    Dec 16 20:32:39    SnortStartup[10486]: Snort HARD STOP For 19560_xl0…
    Dec 16 20:32:39    SnortStartup[10477]: Snort HARD STOP For 19560_xl0…
    Dec 16 20:32:38    SnortStartup[10467]: Snort HARD START For 19560_xl0…
    Dec 16 20:32:38    snort[10466]: FATAL ERROR: /usr/local/etc/snort/snort_19560_xl0/snort.conf(151) => Invalid keyword 'compress_depth' for 'global' configuration.
    Dec 16 20:32:38    snort[10466]: FATAL ERROR: /usr/local/etc/snort/snort_19560_xl0/snort.conf(151) => Invalid keyword 'compress_depth' for 'global' configuration.
    Dec 16 20:32:38    snort[10466]: Max file size: 2147483648
    Dec 16 20:32:38    snort[10466]: Max file size: 2147483648
    Dec 16 20:32:38    snort[10466]: Dump Summary: No
    Dec 16 20:32:38    snort[10466]: Dump Summary: No
    Dec 16 20:32:38    snort[10466]: Packet Count: 10000
    Dec 16 20:32:38    snort[10466]: Packet Count: 10000
    Dec 16 20:32:38    snort[10466]: SnortFile Mode: INACTIVE
    Dec 16 20:32:38    snort[10466]: SnortFile Mode: INACTIVE
    Dec 16 20:32:38    snort[10466]: File Mode: /var/log/snort/snort_19560_xl0.stats
    Dec 16 20:32:38    snort[10466]: File Mode: /var/log/snort/snort_19560_xl0.stats

    Without the HTTP Preprocessor, here is the Snort output running fine.

    Dec 16 20:43:22    snort[11793]: Not Using PCAP_FRAMES
    Dec 16 20:43:22    snort[11793]: Not Using PCAP_FRAMES
    Dec 16 20:43:22    snort[11793]: Snort initialization completed successfully (pid=11793)
    Dec 16 20:43:22    snort[11793]: Snort initialization completed successfully (pid=11793)
    Dec 16 20:43:22    snort[11793]: –== Initialization Complete ==--
    Dec 16 20:43:22    snort[11793]: –== Initialization Complete ==--
    Dec 16 20:43:22    snort[11793]:
    Dec 16 20:43:22    snort[11793]:
    Dec 16 20:43:22    snort[11793]: [ Number of null byte prefixed patterns trimmed: 751 ]
    Dec 16 20:43:22    snort[11793]: [ Number of null byte prefixed patterns trimmed: 751 ]
    Dec 16 20:43:22    snort[11793]: +–-----------------------------------------------
    Dec 16 20:43:22    snort[11793]: +–-----------------------------------------------
    Dec 16 20:43:22    snort[11793]: | Transitions : 163.96K
    Dec 16 20:43:22    snort[11793]: | Transitions : 163.96K
    Dec 16 20:43:22    snort[11793]: | Match Lists : 66.42K
    Dec 16 20:43:22    snort[11793]: | Match Lists : 66.42K
    Dec 16 20:43:22    snort[11793]: | Patterns : 59.12K
    Dec 16 20:43:22    snort[11793]: | Patterns : 59.12K
    Dec 16 20:43:22    snort[11793]: | Memory : 302.38Kbytes

    The issue is not present with version 2.0 of pfSense, but unfortunately I can't do updates at the moment nor in the long run, because 1.2.3 has worked like a charm without any glitches in the past few months and I am very familiar with it. I tried to have my own repo using git, but strangely it's the same issue, and I believe it has to be the package itself. Is it? Please advise on the problem and its rectification. Thank you very much.

    • Mal


  • Can you post the output of the following command?

    snort -V

    You should see zlib in the output like so.

    ,,_    -> Snort! <-
      o"  )~  Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
              Copyright (C) 1998-2011 Sourcefire, Inc., et al.
              Using libpcap version 1.1.1
              Using PCRE version: 8.12 2011-01-15
              Using ZLIB version: 1.2.3



  • Thank you for looking into this James. Here is the output:

    snort -V

    ,,_    -> Snort! <-
      o"  )~  Version 2.8.6.1 (Build 39)  FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-t
    eam
              Copyright (C) 1998-2010 Sourcefire, Inc., et al.
              Using PCRE version: 7.9 2009-04-11

    ___  Built Date for Snort on Pfsense 1.2.3 is August 24, 2010.
    / f \  Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
    / p _
    /Sense
    _

        _
    _/  Using Snort.org dynamic plugins and Orion IPS source.

    #

    Strange that I don't see the libs from your paste output :/



  • Anyone? Scott?



  • You cannot do anything because snort has to be rebuilt to support that directive.

    So either you build snort yourself with the option enabled or you live without the http preprocessor rules.
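    The check James describes, and the config consequence of it, as an added example (not from the thread or the pfSense package): the banner is inspected for a "Using ZLIB version" line, and if it is missing, the zlib-only `compress_depth`/`decompress_depth` keywords are stripped from an `http_inspect: global` line so the preprocessor loads without them. The two banners and the config line below are constructed samples modelled on the ones pasted above.

    ```shell
    #!/bin/sh
    # Constructed sample: `snort -V` banner from a build WITHOUT zlib (as pasted above).
    SNORT_V_NOZLIB='   ,,_     -> Snort! <-
      o"  )~   Version 2.8.6.1 (Build 39)  FreeBSD
       """"    By Martin Roesch & The Snort Team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using PCRE version: 7.9 2009-04-11'

    # Constructed sample: banner from a build WITH zlib (as in the reply above).
    SNORT_V_ZLIB='   ,,_     -> Snort! <-
      o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
               Using PCRE version: 8.12 2011-01-15
               Using ZLIB version: 1.2.3'

    # Constructed http_inspect global line of the shape pfSense writes into snort.conf.
    # The two *_depth keywords are the ones that produce
    # "Invalid keyword 'compress_depth' for 'global' configuration" on a non-zlib build.
    CONF_LINE='preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535'

    # has_zlib BANNER: succeed (exit 0) only if the banner advertises zlib support.
    has_zlib() {
      printf '%s\n' "$1" | grep -q 'Using ZLIB version'
    }

    # strip_compress_keywords LINE: remove "compress_depth N" and "decompress_depth N"
    # (keyword plus value) and print the remaining global options.
    strip_compress_keywords() {
      printf '%s\n' "$1" | sed 's/ decompress_depth [0-9]*//g; s/ compress_depth [0-9]*//g'
    }

    # fix_for_build BANNER LINE: keep the line unchanged when zlib is present,
    # otherwise print the line with the zlib-only keywords removed.
    fix_for_build() {
      if has_zlib "$1"; then
        printf '%s\n' "$2"
      else
        strip_compress_keywords "$2"
      fi
    }

    # Stand-alone run: show what each build gets.
    echo "no zlib : $(fix_for_build "$SNORT_V_NOZLIB" "$CONF_LINE")"
    echo "zlib    : $(fix_for_build "$SNORT_V_ZLIB" "$CONF_LINE")"
    ```

    Without those keywords http_inspect cannot inspect gzip-compressed HTTP bodies, so this only confirms the diagnosis; a zlib-enabled build is still the real fix.
    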



  • It was fine before, until it started happening on all deployed devices. That's what I don't understand. Even from the pkg_mgr, I didn't notice any change in the version. And if 1.2.3 is not undergoing any further development because 2.0 is in full production, then why the version change issue in the first place? Please help me understand.


Locked