New Snort Package - Issues & Suggested Fixes



  • Hi,

    First of all thanks for updating the package and the great job of providing this functionality.

    For reference this is the Snort version installed:

    ,,_    -> Snort! <-
      o"  )~  Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
              Copyright (C) 1998-2012 Sourcefire, Inc., et al.
              Using libpcap version 1.1.1
              Using PCRE version: 8.30 2012-02-04
              Using ZLIB version: 1.2.3

    1. It isn't updating the latest snort rules even with a subscription oinkcode. I am not sure where the pulledpork/oinkmaster configuration file is but I think you need to point it at the 2.9.2.3 rules. New rules and new rules files such as INDICATION_OBFUSCATION by VRT are not available.

    2. JavaScript deobfuscation should be enabled in the HTTP preprocessor. Not really an issue but something worthwhile doing, as it helps to remove obfuscation layers on potential web client/malware type attacks: http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html. It is just a normalize_javascript added to the HTTP preprocessor as shown in the blog above, yet the returns are so great.

    3. ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.
      Fatal Error, Quitting..

    I don't even have this rule enabled, yet it appears to be causing issues loading the shared object rules (in fact I have disabled all shared object rules): WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability

    include $RULE_PATH/emerging-attack_response.rules
    include $RULE_PATH/emerging-current_events.rules
    include $RULE_PATH/emerging-info.rules
    include $RULE_PATH/emerging-malware.rules
    include $RULE_PATH/emerging-netbios.rules
    include $RULE_PATH/emerging-scan.rules
    include $RULE_PATH/emerging-shellcode.rules
    include $RULE_PATH/emerging-trojan.rules
    include $RULE_PATH/emerging-user_agents.rules
    include $RULE_PATH/emerging-web_client.rules
    include $RULE_PATH/emerging-worm.rules
    include $RULE_PATH/snort_attack-responses.rules
    include $RULE_PATH/snort_backdoor.rules
    include $RULE_PATH/snort_bad-traffic.rules
    include $RULE_PATH/snort_blacklist.rules
    include $RULE_PATH/snort_botnet-cnc.rules
    include $RULE_PATH/snort_exploit.rules
    include $RULE_PATH/snort_file-identify.rules
    include $RULE_PATH/snort_netbios.rules
    include $RULE_PATH/snort_rpc.rules
    include $RULE_PATH/snort_rservices.rules
    include $RULE_PATH/snort_specific-threats.rules
    include $RULE_PATH/snort_spyware-put.rules
    include $RULE_PATH/snort_web-activex.rules
    include $RULE_PATH/snort_web-client.rules
    include $RULE_PATH/snort_x11.rules

    Thank you again for providing this pfsense package.

    Kindest Regards,
    Kevin Ross



  • For item 1, look at my post here if you don't mind changing some code:
    http://forum.pfsense.org/index.php/topic,50313.msg268002.html#msg268002

    I don't have a sub, so I can't download 2923 rules, only 2922; which produced the same error as your item 3



  • Is there a fix for #3 yet?



  • @miles267:

    Is there a fix for #3 yet?

    with latest re-install, it looks like it is



  • Getting following error with latest install of snort after i do a Rule update.

    snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

    Cjb



  • @cjbujold:

    Getting following error with latest install of snort after i do a Rule update.

    snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

    Cjb

    Go to every page and click 'Save'… also make sure you check off every pre-processor



  • @Cino:

    Go to every page and click 'Save'… also make sure you check off every pre-processor

    Checking off the pre-processors just kills the good use of Snort!

    Besides, it is NOT the solution.



  • @Gradius:

    @Cino:

    Go to every page and click 'Save'… also make sure you check off every pre-processor

    Checking off the pre-processors just kills the good use of Snort!

    Besides, it is NOT the solution.

    I didn't mean to turn off every pre-processor… check off, meaning to click on every check box...



  • The fun continues.  Now an even newer snort package has been released: Stable 2.9.2.3 pkg v. 2.2 platform: 2.0.  Not able to install due to barnyard2-1.9_2 failure.  Please advise of resolution.

    Beginning package installation for snort…
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies...
    Checking for package installation...
    Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.9_2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/barnyard2-1.9_2.tbz.
    of barnyard2-1.9_2 failed!

    Installation aborted. Backing up libraries...
    Removing package...
    Starting package deletion for mysql-client-5.1.53...done.
    Starting package deletion for barnyard2-1.9_2...done.
    Starting package deletion for snort-2.9.2.3...done.
    Starting package deletion for perl-threaded-5.12.4_4...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands...
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.

    Installation halted.



  • Come on, what is happening with the various "failed to install" Snort packages lately… isn't there any debug and unit/system testing done before releasing it to the wild (we the end-users) with no return possibility to the previous version that was working?

    I'm very sorry, but even though it is a package it is not the least package. IMHO not good for the credibility of pfSense and almost an amateurish way of working ....



  • @Ibor:

    Come on, what is happening with the various "failed to install" Snort packages lately… isn't there any debug and unit/system testing done before releasing it to the wild (we the end-users) with no return possibility to the previous version that was working?

    I'm very sorry, but even though it is a package it is not the least package. IMHO not good for the credibility of pfSense and almost an amateurish way of working ....

    . . .or a way to roll back to the last working package.  Three days so far and no relief.  Please just put the last working version back with the proper updates until this is all fixed.  We all appreciate the voluntary contributions to the user community, but many of us have considerable $$$ invested in hardware and are dependent upon pfSense, Snort and other packages for our security.



  • Not sure why everything has to be changed in production packages and there are no dev/test environments for pfSense packages.
    Considerable time and effort is wasted troubleshooting to find out the issue is with the package and not the user install, only to find out later that the package was changed/updated.

    I appreciate the effort in providing voluntary help in developing packages.. but production environment is not the right place to update without testing the package with a good number of test users.

    Also, why is there not a dedicated repository with 8.0, 8.1..etc compiled packages. Packages are referenced to FreeBSD sites rather than storing and referencing local pfsense repository. Anytime there is change at FreeBSD site pfSense packages get corrupted.





  • I added the JavaScript feature to the standard config option in the newest snort.

    For #1, I do not have an oinkcode, so when it's present it will get bumped to that version.



  • Hi,

    Installing 2.9.2.3 pkg 2.2 worked after uninstalling and reinstalling the package on my system (with removing all settings).

    But since the new version of snort is running on my network there are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http_inspect off?
    Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

    Thanks in advance...



  • @moe2006:

    Hi,

    Installing 2.9.2.3 pkg 2.2 worked after uninstalling and reinstalling the package on my system (with removing all settings).

    But since the new version of snort is running on my network there are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http_inspect off?
    Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

    Thanks in advance...

    Moe, good find.  Have you been able to resolve this?  I too have encountered this same issue and have had no choice but to add suppression rules for each HTTP inspect alert, else SNORT fails to run for longer than a few minutes at a time.  Since adding the suppress rules, it seems to stay running longer, though it fails at some point overnight and I must restart.  Have yet to pinpoint the cause.

    Regardless, managing snort has become a painful process.  If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

    Thanks.



  • @miles267:

    @moe2006:

    Hi,

    Installing 2.9.2.3 pkg 2.2 worked after uninstalling and reinstalling the package on my system (with removing all settings).

    But since the new version of snort is running on my network there are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http_inspect off?
    Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

    Thanks in advance...

    Moe, good find.  Have you been able to resolve this?  I too have encountered this same issue and have had no choice but to add suppression rules for each HTTP inspect alert, else SNORT fails to run for longer than a few minutes at a time.  Since adding the suppress rules, it seems to stay running longer, though it fails at some point overnight and I must restart.  Have yet to pinpoint the cause.

    Regardless, managing snort has become a painful process.  If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

    Thanks.

    Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
    Just add these to your suppression list:

    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    suppress gen_id 120, sig_id 3

    (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

    suppress gen_id 120, sig_id 6

    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

    suppress gen_id 120, sig_id 8

    (smtp) Base64 Decoding failed.

    suppress gen_id 124, sig_id 10

    (smtp) Quoted-Printable Decoding failed

    suppress gen_id 124, sig_id 11

    (smtp) 7bit/8bit/binary/text Extraction failed.

    suppress gen_id 124, sig_id 12



  • @digdug3:

    @miles267:

    @moe2006:

    Hi,

    Installing 2.9.2.3 pkg 2.2 worked after uninstalling and reinstalling the package on my system (with removing all settings).

    But since the new version of snort is running on my network there are lots of (http_inspect) alerts… Is there any way to tune the preprocessor http_inspect without using suppression or turning http_inspect off?
    Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

    Thanks in advance...

    Moe, good find.  Have you been able to resolve this?  I too have encountered this same issue and have had no choice but to add suppression rules for each HTTP inspect alert, else SNORT fails to run for longer than a few minutes at a time.  Since adding the suppress rules, it seems to stay running longer, though it fails at some point overnight and I must restart.  Have yet to pinpoint the cause.

    Regardless, managing snort has become a painful process.  If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

    Thanks.

    Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
    Just add these to your suppression list:

    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    suppress gen_id 120, sig_id 3

    (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

    suppress gen_id 120, sig_id 6

    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

    suppress gen_id 120, sig_id 8

    (smtp) Base64 Decoding failed.

    suppress gen_id 124, sig_id 10

    (smtp) Quoted-Printable Decoding failed

    suppress gen_id 124, sig_id 11

    (smtp) 7bit/8bit/binary/text Extraction failed.

    suppress gen_id 124, sig_id 12

    Okay, suppressing these alerts seems to fix the problem for a while, but you always risk missing attacks which use these kinds of decoding… Hope this will be fixed when the snort package team has finished the snort_dev tests.

    Moreover, when starting snort I'm getting some of these messages never seen before:
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
    Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13879, GID: 3 not registered properly. Disabling this rule.

    perhaps something is wrong with the encoding / decoding…
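The suppress lines traded back and forth above silence the gen_id 120 and 124 events for every host, which is exactly the blind spot moe2006 describes. The script below is an added example written for this thread; it is not code from the pfSense package, from Snort, or from any poster. It parses Snort 2.9 alert_fast (-A fast) lines, reports how many of them an existing suppress list already hides, and proposes tuning that is narrower than a global suppress: a suppress scoped to the one offending server (track by_src, ip ...) when a single host accounts for all hits, or an event_filter of type limit (one event per source per minute still reaches the log) when many hosts trigger it. It assumes the suppress and event_filter syntax documented for Snort 2.9.x and the alert_fast line layout; the sample log lines, the local rule sid 1000001, and the addresses used are constructed, and the gids 119/120/124 are the ones that appear in the thread. It relies only on the Python standard library (ipaddress needs Python 3.3 or later).

```python
"""Triage Snort 2.9 preprocessor noise and propose scoped tuning.

Added example for this thread; not code from the pfSense Snort package.
Assumes the alert_fast (-A fast) line layout and the suppress/event_filter
syntax documented for Snort 2.9.x. All log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# alert_fast layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# suppress gen_id G, sig_id S[, track by_src|by_dst, ip <ip|cidr|[list]>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

# Preprocessor gids seen in the thread: http_inspect client (119),
# http_inspect server (120), smtp (124).
PREPROC_GIDS = {119, 120, 124}

# Constructed sample, not a real capture (documentation/private addresses only).
SAMPLE_ALERTS = """\
06/20-16:03:51.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 93.184.216.34:80 -> 192.168.1.20:51234
06/20-16:03:52.000002  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 93.184.216.34:80 -> 192.168.1.21:51240
06/20-16:03:53.000003  [**] [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:51250
06/20-16:03:54.000004  [**] [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [**] [Priority: 3] {TCP} 203.0.113.9:80 -> 192.168.1.22:51260
06/20-16:03:55.000005  [**] [124:10:1] (smtp) Base64 Decoding failed. [**] [Priority: 3] {TCP} 192.168.1.30:49152 -> 203.0.113.25:25
06/20-16:03:56.000006  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:80 -> 192.168.1.22:51261
"""

# The global suppress list posted in the thread.
THREAD_SUPPRESS_LIST = """\
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 124, sig_id 10
suppress gen_id 124, sig_id 11
suppress gen_id 124, sig_id 12
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    return alert


def parse_log(text):
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def parse_suppress(text):
    """Parse suppress lines into (gid, sid, track, networks) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError("unparseable suppress line: %r" % raw)
        gid, sid, track, ips = m.groups()
        nets = None
        if ips:  # single ip, cidr, or a Snort-style [a,b,c] list
            nets = [ipaddress.ip_network(ip, strict=False) for ip in ips.strip("[]").split(",")]
        rules.append((int(gid), int(sid), track, nets))
    return rules


def is_suppressed(alert, rules):
    """True if Snort would drop this event under the given suppress rules."""
    for gid, sid, track, nets in rules:
        if (gid, sid) != (alert["gid"], alert["sid"]):
            continue
        if track is None:  # unscoped: silenced for every host
            return True
        addr = ipaddress.ip_address(alert["src"] if track == "by_src" else alert["dst"])
        if any(addr in net for net in nets):
            return True
    return False


def propose_tuning(alerts, min_hits=2):
    """Suggest tuning for noisy preprocessor events without a global suppress.

    One offending host -> suppress scoped to that host (track by_src, ip ...).
    Several hosts      -> event_filter type limit, so one event per source per
                          minute still reaches the log and the condition stays visible.
    """
    by_sig = defaultdict(list)
    for a in alerts:
        if a["gid"] in PREPROC_GIDS:
            by_sig[(a["gid"], a["sid"])].append(a)
    lines = []
    for (gid, sid), hits in sorted(by_sig.items()):
        if len(hits) < min_hits:
            continue
        lines.append("# %s (%d hits)" % (hits[0]["msg"], len(hits)))
        sources = sorted({h["src"] for h in hits})
        if len(sources) == 1:
            lines.append("suppress gen_id %d, sig_id %d, track by_src, ip %s" % (gid, sid, sources[0]))
        else:
            lines.append("event_filter gen_id %d, sig_id %d, type limit, track by_src, count 1, seconds 60" % (gid, sid))
    return lines


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_ALERTS)
    rules = parse_suppress(THREAD_SUPPRESS_LIST)
    hidden = sum(is_suppressed(a, rules) for a in alerts)
    print("%d of %d sample events silenced by the thread's global list" % (hidden, len(alerts)))
    print("\n".join(propose_tuning(alerts)))
```

Run it against a real alert_fast file by replacing SAMPLE_ALERTS with the file contents. The output lines use the same syntax as the thread's suppress list, so they can go into the package's suppress list provided that list is included into snort.conf verbatim (event_filter is a snort.conf directive, not a rule); Snort accepts at most one event_filter per gid/sid pair, so check for an existing one before adding.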



  • I have the following in my suppress list and am still getting the http_inspect alerts:

    
    suppress gen_id 120, sig_id 3
    suppress gen_id 120, sig_id 6
    suppress gen_id 120, sig_id 8
    suppress gen_id 124, sig_id 10
    suppress gen_id 124, sig_id 11
    suppress gen_id 124, sig_id 12
    suppress gen_id 1, sig_id 2013054
    
    

  • (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    suppress gen_id 120, sig_id 3

    (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

    suppress gen_id 120, sig_id 6

    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

    suppress gen_id 120, sig_id 8

    (smtp) Base64 Decoding failed.

    suppress gen_id 124, sig_id 10

    (smtp) Quoted-Printable Decoding failed

    suppress gen_id 124, sig_id 11

    (smtp) 7bit/8bit/binary/text Extraction failed.

    suppress gen_id 124, sig_id 12

    Thank You
    I also received those http_inspect alerts.
    Pfsense 2.0.1 X64 + Snort 2.9.2.3 pkg v. 2.5.1

    I also had to add these as well:
    #(http_inspect) UNKNOWN METHOD - 0
    suppress gen_id 119, sig_id 31
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32

