Simple rule causes snort to crash



  • Hi,

    I would like to do some testing with custom rules in Snort. So the idea was to start easy, but Snort is crashing (kernel: pid xxxxx (snort), uid 0: exited on signal 11) when the rule matches.

    The idea of the rule is to alert when I access a specific webserver (on port 80) and the alert should only be shown once every 30 seconds.

    This is the rule I made:
    alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold: type limit, track by_src, seconds 30, count 1; sid:1;)

    I'm running pfSense 2.1 (i386) and Snort version 2.9.5.5 pkg v3.0.1.

    Any suggestions in what's causing this crash?

    Thanks,
    Sander



  • Reverse seconds and counts and add a classtype and revision in the end and try again:
    alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold:type limit, track by_src, count 1 , seconds 60; classtype:bad-unknown; sid:1; rev:1;)



  • Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :)



  • @Sander88:

    Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :)

    Quite some time back the Snort VRT folks must have changed the Snort binary such that now it requires a classtype: in a rule or it will segfault and crash when the rule fires.  I think in times past the classtype parameter was optional, but apparently not anymore.  Unfortunately very few if any of the Snort custom rules examples show the inclusion of the classtype parameter  :(
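A small lint that catches the missing options before a custom rule is loaded, added here as an example rather than code from the thread or from the Snort project; it assumes a rule is written on one line and checks only the options the thread touches (msg, sid, rev, classtype and the threshold fields), so it is not a full Snort rule parser:

```python
import re

# Constructed samples: the original poster's rule and the corrected one from the reply.
BAD_RULE = ('alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold: type limit, '
            'track by_src, seconds 30, count 1; sid:1;)')
GOOD_RULE = ('alert tcp any any -> x.x.x.x 80 (msg:"Test rule"; threshold:type limit, '
             'track by_src, count 1 , seconds 60; classtype:bad-unknown; sid:1; rev:1;)')

REQUIRED = ("msg", "sid", "rev", "classtype")  # options to insist on before loading


def parse_options(rule):
    """Return the option section as (keyword, value) pairs.
    Splits on ';' but not inside a double-quoted value, so msg:"a;b" stays intact."""
    m = re.search(r"\((.*)\)\s*$", rule)
    if not m:
        raise ValueError("rule has no option section")
    opts, cur, in_quote = [], [], False
    for ch in m.group(1):
        if ch == '"' and (not cur or cur[-1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("last option is missing its ';' terminator")
    return opts


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passes every check."""
    problems = []
    opts = dict(parse_options(rule))
    for key in REQUIRED:
        if key not in opts:
            problems.append(f"missing required option '{key}'")
    for key in ("sid", "rev"):
        if key in opts and not opts[key].isdigit():
            problems.append(f"'{key}' must be an integer, got {opts[key]!r}")
    if "threshold" in opts:  # e.g. "type limit, track by_src, count 1, seconds 60"
        fields = {}
        for part in opts["threshold"].split(","):
            name, _, value = part.strip().partition(" ")
            fields[name] = value.strip()
        if fields.get("type") not in ("limit", "threshold", "both"):
            problems.append("threshold 'type' must be limit, threshold or both")
        if fields.get("track") not in ("by_src", "by_dst"):
            problems.append("threshold 'track' must be by_src or by_dst")
        for name in ("count", "seconds"):
            if not fields.get(name, "").isdigit() or int(fields[name]) < 1:
                problems.append(f"threshold '{name}' must be a positive integer")
    return problems
```

Running `lint_rule(BAD_RULE)` reports the missing rev and classtype options, while the corrected rule returns no problems.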

