Snort difficulties



  • I'm getting an error in my system logs from snort when it starts up:
    Nov 18 18:59:32 snort2c[4588]: snort2c running in daemon mode pid: 4588
    Nov 18 18:59:32 snort2c[4588]: snort2c running in daemon mode pid: 4588
    Nov 18 18:59:32 snort[4585]: FATAL ERROR: /usr/local/etc/snort/rules/scan.rules(41): Cannot check flow connection for non-TCP traffic
    Nov 18 18:59:28 snort[4585]:
    Nov 18 18:59:32 snort[4585]: FATAL ERROR: /usr/local/etc/snort/rules/scan.rules(41): Cannot check flow connection for non-TCP traffic

    I've listed the file in question below - I assume the (41) means either rule or line 41 but they seem ok to me. Anyone?

    # distributed under the GNU General Public License (the "GPL Rules").  The
    # VRT Certified Rules contained in this file are the property of
    # Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
    # The GPL Rules created by Sourcefire, Inc. are the property of
    # Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
    # Reserved.  All other GPL Rules are owned and copyrighted by their
    # respective owners (please see www.snort.org/contributors for a list of
    # owners and their respective copyrights).  In order to determine what
    # rules are VRT Certified Rules or GPL Rules, please refer to the VRT
    # Certified Rules License Agreement.
    #
    #
    # $Id: scan.rules,v 1.38 2007/02/01 22:19:13 vrtbuild Exp $
    #-----------
    # SCAN RULES
    #-----------
    # These signatures are representitive of network scanners.  These include
    # port scanning, ip mapping, and various application scanners.
    #
    # NOTE: This does NOT include web scanners such as whisker.  Those are
    # in web*
    #
    
    alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:7;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:8;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:7;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:8;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:8;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
    # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; flow:to_client; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:3;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:4;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:2;)
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
    # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:8;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:8081; rev:1;)
    


  • Disable all Categories and just enable the Scan Category.  If you get no error, then its not the scan rules that have a problem, but rather how the scan rules work with other rule categories.

    I couldnt get Netbios to work but disabling some other categories allowed it to run then.

    You have to find a balance on what categories are most important to you and your network.



  • I'm getting this same problem too, started a few days ago.  I disabled all rules except scan rules as the previous poster suggested, and the error persists.



  • The problem is that in the latest snort rules someone has added flow tracking to rules for udp etc which can't be done by this snort version

    eg

    alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; flow:to_client; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:3;)
    

    Note the flow:to_client; bit

    To fix it you need to find the offending line and remove the flow:to_client; bit

    You are right the bit in brackets in the error is the line in the rules file with the offending rule on it eg (41). This is not rule num 41 as there is loads of licence junk on the top of the file.

    To fix it I open the console then goto
    #cd /usr/local/etc/snort/rules/

    then open it in the bsd ee editor eg for scan.rules
    ee scan.rules
    Thie ee editor gives you the line num you are on near the top like this

    L: 41 C: 1 ====================================================================

    you could use the WebGUI edit file section but you will have to count the lines



  • So how does this affect Snort as a whole for us?
    I'm guessing the rules with this new (currently unsupported) parameter will simply go unparsed after it whines about it in logs.



  • Nope if snort gets one of these rules it c**ps is self and dies on startup and won't go until you fix or remove the rule



  • Well shit.
    Time for an update =\



  • Anyway to avoid this? Maybe someone has an older / fixed ruleset uploaded somewhere we could use?

    Just re-installed (after an hdd failure) pfsense and I am now getting this too



  • I believe I have found the problem. The snort package is attempting to use the rules for the current version of snort. However, the packaged version is 2.6. There are compatible rule files for the older versions of snort (http://www.snort.org/pub-bin/downloads.cgi). I made the following changes and it seems to have corrected the problems with the rules.

    Change /usr/local/www/snort_download_rules.php lines 182 and 183.

    $snort_filename = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz";
    $snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";

    To

    $snort_filename = "snortrules-snapshot-2.6{$premium_subscriber}.tar.gz";
    $snort_filename_md5 = "snortrules-snapshot-2.6.tar.gz.md5";

    The best fix would probably be to update the snort package with the latest version of snort. However, this seems to allow the current version to work properly.

    Jim L.



  • Definitely fixed it Hilozer, many thanks.

    A Snort Package Update would be fantastic.



  • Fixed for me too, thanks a lot mate for the effort!

    EDIT: weird thing here, now with a fresh install (on the same hdd/connection) snort uses more than 2x more cpu. Actually its hogging the hole machine. With the same settings (meaning ac-bnfa with the same rules) it didnt do this before. Wonder if its related to this ruleset or some other kind of bug.

    My specs:

    10mb/2.5mb dsl bridged to pfsense
    PIII 866mhz
    512mb sdram
    3com 905 + rt8139
    I know the rt8139 sucks, but it has been working fine for me since now.
    I have an spare 905 card i could swap if it makes any difference

    Any toughts?

    …altough this is giving me an good excuse to upgrade this machine. pIII 866/512mb isnt that fast anyway.



  • I'm not seeing a problem with the latest ruleset.  Snort was blocking 4 IPs at the time of this screenshot.




  • @Hilozer:

    Change /usr/local/www/snort_download_rules.php lines 182 and 183.

    $snort_filename = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz";
    $snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";

    To

    $snort_filename = "snortrules-snapshot-2.6{$premium_subscriber}.tar.gz";
    $snort_filename_md5 = "snortrules-snapshot-2.6.tar.gz.md5";

    The best fix would probably be to update the snort package with the latest version of snort. However, this seems to allow the current version to work properly.

    It would be shame to fix it for manual updates only to have it replaced on the next auto-update.  Therefore, there is another place to change as well:
    /usr/local/pkg/snort_check_for_rule_updates.php

    The change is completely analogous to the quoted change and shouldn't need additional explanation.

    Dave


Log in to reply