    Simple rule causes snort to crash

    pfSense Packages
    4 Posts 3 Posters 1.3k Views
    • Sander88

      Hi,

      I would like to do some testing with custom rules in Snort. So the idea was starting easy, but Snort is crashing (kernel: pid xxxxx (snort), uid 0: exited on signal 11) when the rule matches.

      The idea of the rule is to alert when I access a specific webserver (on port 80) and the alert should only be shown once every 30 seconds.

      This is the rule I made:
      alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold: type limit, track by_src, seconds 30, count 1; sid:1;)

      I'm running pfSense 2.1 (i386) and Snort version 2.9.5.5 pkg v3.0.1.

      Any suggestions in what's causing this crash?

      Thanks,
      Sander

      • A Former User

        Reverse seconds and counts and add a classtype and revision in the end and try again:
        alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold:type limit, track by_src, count 1, seconds 60; classtype:bad-unknown; sid:1; rev:1;)

        • Sander88

          Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :)

          • bmeeks

            @Sander88:

            Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :)

            Quite some time back the Snort VRT folks must have changed the Snort binary such that now it requires a classtype: in a rule or it will segfault and crash when the rule fires.  I think in times past the classtype parameter was optional, but apparently not anymore.  Unfortunately very few if any of the Snort custom rules examples show the inclusion of the classtype parameter  :(

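A small pre-deployment check for the problem this thread ran into: an added example, not code from the thread or from the Snort package. It parses a single-line Snort rule and flags a missing classtype (the cause of the segfault described above), missing sid/rev, and malformed threshold options; the two rules are the ones posted above with the poster's x.x.x.x placeholder kept, and it assumes no ";" appears inside quoted option values.

```python
# Option keywords a custom rule should always carry: sid is mandatory in Snort,
# classtype is what the crashing rule in this thread lacked, rev is good hygiene.
REQUIRED = ("sid", "classtype", "rev")
THRESHOLD_KEYS = {"type", "track", "count", "seconds"}
THRESHOLD_TYPES = {"limit", "threshold", "both"}
TRACK_VALUES = {"by_src", "by_dst"}

# Both rules from the thread; x.x.x.x is the poster's own placeholder.
ORIGINAL_RULE = ('alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; '
                 'threshold: type limit, track by_src, seconds 30, count 1; sid:1;)')
FIXED_RULE = ('alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; '
              'threshold:type limit, track by_src, count 1 , seconds 60; '
              'classtype:bad-unknown; sid:1; rev:1;)')

def parse_rule(rule):
    """Split a rule into its seven header fields and an option dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for item in body.rstrip(")").split(";"):
        item = item.strip()
        if item:                       # skip the empty tail after the last ';'
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def lint_rule(rule):
    """Return the problems to fix before loading the rule into Snort."""
    options = parse_rule(rule)["options"]
    problems = [f"missing {key}" for key in REQUIRED if key not in options]
    if "threshold" in options:
        fields = {}
        for part in options["threshold"].split(","):   # "count 1", "seconds 60", ...
            key, _, value = part.strip().partition(" ")
            fields[key] = value.strip()
        for key in sorted(THRESHOLD_KEYS - set(fields)):
            problems.append(f"threshold missing {key}")
        if fields.get("type", "limit") not in THRESHOLD_TYPES:
            problems.append(f"threshold type {fields['type']!r} is invalid")
        if fields.get("track", "by_src") not in TRACK_VALUES:
            problems.append(f"threshold track {fields['track']!r} is invalid")
        for key in ("count", "seconds"):
            if key in fields and not fields[key].isdigit():
                problems.append(f"threshold {key} must be an integer")
    return problems

if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, FIXED_RULE):
        print(lint_rule(rule) or "ok")
```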
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.