Netgate Discussion Forum
    Snort 2.6.8.1 HTTP Preprocessor issues

    pfSense Packages
    6 Posts 3 Posters 2.4k Views
    malcifra

      Hi Forum,

      I'm running pfSense 1.2.3 in a couple of production environments and manage them for clients remotely via VPN access on a monthly basis. Recently, I have been having issues with Snort when it comes to the HTTP Preprocessor.

      Here are the packages installed on all boxes (same for about 28 individual boxes):

      $ pkg_info
      apache-2.2.11_7    Version 2.2.x of Apache web server with prefork MPM.
      apr-1.3.5.1.3.7_3  Apache Portability Library
      apr-gdbm-db42-1.3.5.1.3.7_3 Apache Portability Library
      cyrus-sasl-2.1.23_3 RFC 2222 SASL (Simple Authentication and Security Layer)
      db41-4.1.25_4      The Berkeley DB package, revision 4.1
      db42-4.2.52_5      The Berkeley DB package, revision 4.2
      expat-2.0.1        XML 1.0 parser written in C
      gd-2.0.35,1        A graphics library for fast creation of images
      gdbm-1.8.3_3        The GNU database manager
      jpeg-6b_4          IJG's jpeg compression utilities
      libdnet-1.11_2      A simple interface to low level networking routines
      libiconv-1.11_1    A character set conversion library
      lightsquid-1.7.1_1  A light and fast web based squid proxy traffic analyser
      lua-5.1.3_3        Small, compilable scripting language providing easy access
      mysql-client-5.0.77 Multithreaded SQL database (client)
      mysql-client-5.0.83 Multithreaded SQL database (client)
      mysql-client-5.1.50_1 Multithreaded SQL database (client)
      nmap-4.76          Port scanning utility for large networks
      ntop-3.3.8          Network monitoring tool with command line and web interface
      openldap-sasl-client-2.4.25_1 Open source LDAP client implementation with SASL2 support
      p5-GD-2.39          A perl5 interface to Gd Graphics Library version2
      pcre-7.8            Perl Compatible Regular Expressions library
      pcre-7.9            Perl Compatible Regular Expressions library
      pcre-8.10          Perl Compatible Regular Expressions library
      perl-5.10.1_3      Practical Extraction and Report Language
      perl-5.8.8_1        Practical Extraction and Report Language
      perl-5.8.9_3        Practical Extraction and Report Language
      pkg-config-0.23_1  A utility to retrieve information about installed libraries
      postgresql-client-8.2.13 PostgreSQL database (client)
      snort-2.8.6.1      Lightweight network intrusion detection system
      sqlite3-3.6.10      An SQL database engine in a C library w/ Tcl wrapper
      sqlite3-3.6.14.2    An SQL database engine in a C library
      squid-2.7.9        HTTP Caching Proxy
      squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later

      That's where the Snort error comes in. If I disable the HTTP preprocessor then Snort works great. After searching and looking at the two posts I found, it's highlighted that it's happening due to a missing Zlib?? pfSense 1.2.3 won't let me add the lzlib package to test it out. By the way, I'm only using Emerging Threats and not using Snort rules because they won't download anyway, but that's OK. The real issue is with the HTTP Preprocessor. I even tried to remove and reinstall the Snort package, but it doesn't work and the error stays for good.

      Dec 16 20:32:39    SnortStartup[10486]: Snort HARD STOP For 19560_xl0…
      Dec 16 20:32:39    SnortStartup[10477]: Snort HARD STOP For 19560_xl0…
      Dec 16 20:32:38    SnortStartup[10467]: Snort HARD START For 19560_xl0…
      Dec 16 20:32:38    snort[10466]: FATAL ERROR: /usr/local/etc/snort/snort_19560_xl0/snort.conf(151) => Invalid keyword 'compress_depth' for 'global' configuration.
      Dec 16 20:32:38    snort[10466]: FATAL ERROR: /usr/local/etc/snort/snort_19560_xl0/snort.conf(151) => Invalid keyword 'compress_depth' for 'global' configuration.
      Dec 16 20:32:38    snort[10466]: Max file size: 2147483648
      Dec 16 20:32:38    snort[10466]: Max file size: 2147483648
      Dec 16 20:32:38    snort[10466]: Dump Summary: No
      Dec 16 20:32:38    snort[10466]: Dump Summary: No
      Dec 16 20:32:38    snort[10466]: Packet Count: 10000
      Dec 16 20:32:38    snort[10466]: Packet Count: 10000
      Dec 16 20:32:38    snort[10466]: SnortFile Mode: INACTIVE
      Dec 16 20:32:38    snort[10466]: SnortFile Mode: INACTIVE
      Dec 16 20:32:38    snort[10466]: File Mode: /var/log/snort/snort_19560_xl0.stats
      Dec 16 20:32:38    snort[10466]: File Mode: /var/log/snort/snort_19560_xl0.stats

      Without the HTTP Preprocessor, here is the Snort output running fine.

      Dec 16 20:43:22    snort[11793]: Not Using PCAP_FRAMES
      Dec 16 20:43:22    snort[11793]: Not Using PCAP_FRAMES
      Dec 16 20:43:22    snort[11793]: Snort initialization completed successfully (pid=11793)
      Dec 16 20:43:22    snort[11793]: Snort initialization completed successfully (pid=11793)
      Dec 16 20:43:22    snort[11793]: --== Initialization Complete ==--
      Dec 16 20:43:22    snort[11793]: --== Initialization Complete ==--
      Dec 16 20:43:22    snort[11793]:
      Dec 16 20:43:22    snort[11793]:
      Dec 16 20:43:22    snort[11793]: [ Number of null byte prefixed patterns trimmed: 751 ]
      Dec 16 20:43:22    snort[11793]: [ Number of null byte prefixed patterns trimmed: 751 ]
      Dec 16 20:43:22    snort[11793]: +-------------------------------------------------
      Dec 16 20:43:22    snort[11793]: +-------------------------------------------------
      Dec 16 20:43:22    snort[11793]: | Transitions : 163.96K
      Dec 16 20:43:22    snort[11793]: | Transitions : 163.96K
      Dec 16 20:43:22    snort[11793]: | Match Lists : 66.42K
      Dec 16 20:43:22    snort[11793]: | Match Lists : 66.42K
      Dec 16 20:43:22    snort[11793]: | Patterns : 59.12K
      Dec 16 20:43:22    snort[11793]: | Patterns : 59.12K
      Dec 16 20:43:22    snort[11793]: | Memory : 302.38Kbytes

      The issue is not present with version 2.0 of pfSense, but unfortunately I can't do updates at the moment, nor in the long run, because 1.2.3 has worked like a charm without any glitches in the past few months and I am very familiar with it. I tried to have my own repo using git, but strangely it's the same issue, and I believe it has to be the package itself. Is it? Please advise on the problem and its rectification. Thank you very much.

      Mal
      jamesdean

        Can you post the output of the following command?

        snort -V

        You should see zlib in the output, like so:

        ,,_    -> Snort! <-
          o"  )~  Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
          ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                  Copyright (C) 1998-2011 Sourcefire, Inc., et al.
                  Using libpcap version 1.1.1
                  Using PCRE version: 8.12 2011-01-15
                  Using ZLIB version: 1.2.3

        malcifra

          Thank you for looking into this James. Here is the output:

          snort -V

          ,,_    -> Snort! <-
            o"  )~  Version 2.8.6.1 (Build 39)  FreeBSD
            ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                    Copyright (C) 1998-2010 Sourcefire, Inc., et al.
                    Using PCRE version: 7.9 2009-04-11

          ___  Built Date for Snort on Pfsense 1.2.3 is August 24, 2010.
          / f \  Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
          / p _
          /Sense
          _
          / 
              _
          _/  Using Snort.org dynamic plugins and Orion IPS source.

          #

          Strange that I don't see the libs from your pasted output :/

          malcifra

            Anyone? Scott?

            eri--

              You cannot do anything because snort has to be rebuilt to support that directive.

              So either you build snort yourself with the option enabled or you live without the http preprocessor rules.

              malcifra
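The two replies above boil down to one check an operator can run before restarting Snort on a fleet: does the `snort -V` banner show a `Using ZLIB version` line, and does the generated snort.conf hand the http_inspect `global` section options (`compress_depth`, and its sibling `decompress_depth`) that only a zlib-enabled build accepts? The following Python script is an added example, not code from this thread, from pfSense or from the Snort project. The two banners are abridged copies of the outputs quoted above; the snort.conf fragment, the option values and the script name `check_zlib.py` are constructed for the example.

```python
"""Check whether a snort.conf uses http_inspect options that need a zlib build.

Added example (not part of the thread or of pfSense/Snort): compares the
'snort -V' banner against the http_inspect 'global' line(s) in snort.conf.
"""
import re
import subprocess
import sys

# Constructed samples: abridged copies of the two 'snort -V' banners quoted
# in the thread, one built with zlib (2.9.0.5) and one without (2.8.6.1).
BANNER_WITH_ZLIB = """\
   ,,_     -> Snort! <-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3
"""

BANNER_WITHOUT_ZLIB = """\
   ,,_     -> Snort! <-
  o"  )~   Version 2.8.6.1 (Build 39)  FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.9 2009-04-11
"""

# Constructed snort.conf fragment; the 'global' line is split with
# backslash continuations the way generated configs often are.
SAMPLE_CONF = """\
# http_inspect global settings (constructed sample)
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252 \\
    compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
"""

# http_inspect 'global' keywords that Snort 2.8.6 only accepts when built
# against zlib; 'compress_depth' is the one the thread's FATAL ERROR names.
ZLIB_KEYWORDS = ("compress_depth", "decompress_depth")

ZLIB_RE = re.compile(r"Using ZLIB version:\s*(\S+)")
HTTP_INSPECT_GLOBAL_RE = re.compile(r"^\s*preprocessor\s+http_inspect\s*:\s*global\b")


def zlib_version(banner):
    """Return the zlib version string from a 'snort -V' banner, or None."""
    m = ZLIB_RE.search(banner)
    return m.group(1) if m else None


def logical_lines(conf_text):
    """Yield (first_physical_line_no, joined_text), honouring backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # trailing continuation with no final line
        yield start, " ".join(buf)


def zlib_dependent_options(conf_text):
    """List (line_no, keyword) for zlib-only options on http_inspect global lines."""
    found = []
    for n, text in logical_lines(conf_text):
        if text.lstrip().startswith("#") or not HTTP_INSPECT_GLOBAL_RE.match(text):
            continue
        for kw in ZLIB_KEYWORDS:
            if re.search(r"\b%s\b" % kw, text):
                found.append((n, kw))
    return found


def check(banner, conf_text):
    """Return human-readable problems; an empty list means the config can load."""
    if zlib_version(banner) is not None:
        return []
    return [
        "snort.conf(%d): '%s' needs a zlib-enabled build, but 'snort -V' "
        "shows no 'Using ZLIB version' line" % (n, kw)
        for n, kw in zlib_dependent_options(conf_text)
    ]


if __name__ == "__main__":
    # Real use: python3 check_zlib.py /usr/local/etc/snort/snort.conf
    # (runs 'snort -V' from PATH). Without arguments, the constructed samples run.
    if len(sys.argv) == 2:
        proc = subprocess.run(["snort", "-V"], capture_output=True, text=True)
        banner = proc.stdout + proc.stderr  # the banner may land on either stream
        with open(sys.argv[1]) as fh:
            conf = fh.read()
    else:
        banner, conf = BANNER_WITHOUT_ZLIB, SAMPLE_CONF
    for line in check(banner, conf) or ["OK: zlib present or no zlib-only http_inspect options"]:
        print(line)
```

Run without arguments it reproduces the thread's situation (a 2.8.6.1 banner without zlib against a config carrying `compress_depth`) and reports the offending keywords with the snort.conf line they start on, which is the same information the FATAL ERROR gives but obtained without a failed restart. Deleting those keywords from the http_inspect `global` line is the "live without it" option from the reply above; the report stays empty for a build whose banner shows zlib.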

                It was fine before, until it started happening on all deployed devices. That's what I don't understand. Even from the pkg_mgr, I didn't notice any change in the version. And if 1.2.3 is not undergoing any further development because 2.0 is in full production, then why the version change issue in the first place? Please help me understand.
