Snort 2.9.7.0 pkg v3.2.1 Update Release Notes



  • Snort 2.9.7.0 pkg v3.2.1 Update

    An update for the Snort package has been posted.  This update upgrades the underlying Snort binary to version 2.9.7.0, fixes two bugs and adds two new features to the Snort package.

    A preview thread posted earlier shows how to use the new OpenAppID feature (it has screenshots).  Here is the link to that thread: https://forum.pfsense.org/index.php?topic=84227.0.

    When upgrading an existing Snort installation, please be sure to wait for the successful restart confirmation message before leaving the screen.  Leaving the screen too soon can result in the final install step getting skipped, and Snort will disappear from the SERVICES menu!

    New Features

    • Add support for new OpenAppID preprocessor.  This allows Snort to detect over 2400 applications and alert on their traffic.

    • Add new option on GLOBAL SETTINGS tab to toggle verbose Snort start-up logging.  The new setting defaults to "off".  When enabled, Snort will output detailed information on its startup progress to the firewall system log.

    Bug Fixes

    • Cron task for cleaning up old perfmon stats logs misses some files and never deletes them

    • The snort.sh script used to auto-start Snort and/or Barnyard2 on reboot loads binaries from /usr/local/bin instead of using the PBI wrappers in /usr/pbi/snort__{arch}_/bin.



  • The OpenAppID URL error message is gone and it does successfully download the OpenAppID Detectors.

    However, the URL box that you show in the other thread still is not there.

    To update to pkg v3.2.1 (from pkg v3.2), I just did a reinstall of the GUI components.  Also cleared the browser cache.




  • I followed the onscreen directions exactly to get the error to go away.  Once enabled and saved, go to the Updates tab, and in the section titled UPDATE YOUR RULE SET, click the Update button (Force would probably work too).  I waited for Snort to restart, then once it had I waited a bit longer until I got a message about AppID being enabled.

    Now when I go back to the Global Settings tab, I see
    VER:    Installed Detection Package Version=255
    in the OpenAppID section.



  • @priller:

    The OpenAppID URL error message is gone and it does successfully download the OpenAppID Detectors.

    However, the URL box that you show in the other thread still is not there.

    To update to pkg v3.2.1 (from pkg v3.2), I just did a reinstall of the GUI components.  Also cleared the browser cache.

    The VRT now have a more permanent URL for the download, so there was no longer a need for an editable URL (at least not for now).  That was the source of the earlier error.  I removed the box for the URL, but forgot to remove the validation code as well.

    After you enable the OpenAppID download, go to the UPDATES tab and click UPDATE to fetch the files.

    Bill



  • The OpenAppID feature is brand new to Snort, so we will all have to learn about it together.  Please share your experience and any useful rules in this thread.

    There are some examples on the VRT Blog web site along with a bash one-line command to dump out all the available applications.  Here is a link:  http://blog.snort.org/2014/03/firing-up-openappid.html

    Bill


  • Getting this in the rules…

    Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
    Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
    Dec 20 14:45:03 check_reload_status: Syncing firewall
    Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
    Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
    Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
    Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…



  • @Supermule:

    Getting this in the rules…

    Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
    Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
    Dec 20 14:45:03 check_reload_status: Syncing firewall
    Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
    Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
    Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
    Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…

    SSL preprocessor is likely disabled.  It is on the PREPROCESSORS tab in the General Preprocessors section down near the bottom of the page.

    Anytime you see an unknown rule option error message, that likely means a needed preproc is disabled.

    Bill
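    A small triage helper, added here as an example (it is not part of the Snort package or this thread), that turns the "Unknown rule option" FATAL ERROR above into the name of the preprocessor that has to be enabled on the PREPROCESSORS tab.  The option-to-preprocessor table lists rule keywords that Snort 2.9.x only understands when the matching dynamic preprocessor is loaded; the sample log is constructed from the line in this thread plus two made-up variants (one for a DCE/RPC 2 option and one for a keyword that belongs to no preprocessor at all) so the "not a known preprocessor option" path is exercised too.

```python
import re

# Constructed sample log: the FATAL ERROR line from this thread plus two
# invented lines (dce_iface, and a keyword that no preprocessor provides).
SAMPLE_LOG = """\
Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)...
Dec 20 15:02:11 snort[58411]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(4102) Unknown rule option: 'dce_iface'.
Dec 20 15:10:44 snort[58500]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(77) Unknown rule option: 'made_up_option'.
"""

# Rule keywords that exist only while the named dynamic preprocessor is loaded
# (Snort 2.9.x). Anything not listed here is either a core option or a typo in
# the rule itself.
OPTION_TO_PREPROC = {
    "ssl_version": "SSL/TLS (preprocessor ssl)",
    "ssl_state": "SSL/TLS (preprocessor ssl)",
    "dce_iface": "DCE/RPC 2 (preprocessor dcerpc2)",
    "dce_opnum": "DCE/RPC 2 (preprocessor dcerpc2)",
    "dce_stub_data": "DCE/RPC 2 (preprocessor dcerpc2)",
    "sip_method": "SIP (preprocessor sip)",
    "sip_stat_code": "SIP (preprocessor sip)",
    "sip_header": "SIP (preprocessor sip)",
    "sip_body": "SIP (preprocessor sip)",
    "gtp_type": "GTP (preprocessor gtp)",
    "gtp_info": "GTP (preprocessor gtp)",
    "gtp_version": "GTP (preprocessor gtp)",
    "modbus_func": "Modbus (preprocessor modbus)",
    "modbus_unit": "Modbus (preprocessor modbus)",
    "modbus_data": "Modbus (preprocessor modbus)",
    "dnp3_func": "DNP3 (preprocessor dnp3)",
    "dnp3_ind": "DNP3 (preprocessor dnp3)",
    "dnp3_obj": "DNP3 (preprocessor dnp3)",
    "dnp3_data": "DNP3 (preprocessor dnp3)",
    "sd_pattern": "Sensitive Data (preprocessor sensitive_data)",
}

# Captures the rules file, the offending line number and the unknown keyword.
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<file>\S+?)\((?P<line>\d+)\) Unknown rule option: '(?P<opt>[^']+)'"
)


def parse_unknown_option_errors(log_text):
    """Return one dict per 'Unknown rule option' FATAL ERROR line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if not m:
            continue
        opt = m.group("opt")
        findings.append({
            "file": m.group("file"),
            "line": int(m.group("line")),
            "option": opt,
            # None means the keyword is not provided by any dynamic preprocessor.
            "preprocessor": OPTION_TO_PREPROC.get(opt),
        })
    return findings


def summarize(findings):
    """One human-readable action line per finding."""
    out = []
    for f in findings:
        where = f"{f['file']}:{f['line']}"
        if f["preprocessor"]:
            out.append(f"{where} uses '{f['option']}': enable {f['preprocessor']} "
                       f"or disable that rule")
        else:
            out.append(f"{where} uses '{f['option']}': not a preprocessor keyword, "
                       f"inspect the rule text and Snort version")
    return out


if __name__ == "__main__":
    for line in summarize(parse_unknown_option_errors(SAMPLE_LOG)):
        print(line)
```

    Snort stops at the first FATAL ERROR, so a real log normally shows only one such line per start attempt; re-run the check after each restart until the summary is empty.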



  • Just to let you know that when I upgraded from Snort 2.9.6.2 pkg v3.1.5 to Snort 2.9.7.0 pkg v3.2.1 using the Reinstall Snort package button, I got this:

    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_smtp_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_sip_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_gtp_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssh_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dce2_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

    Snort was running.
    I stopped it and re-started it without any issues.


  • Preproc was ENABLED…

    Disabled it and Snort started with no issues. I believe there is an error in the rule.

    @bmeeks:

    @Supermule:

    Getting this in the rules…

    Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
    Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
    Dec 20 14:45:03 check_reload_status: Syncing firewall
    Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
    Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
    Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
    Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
    Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
    Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
    Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…

    SSL preprocessor is likely disabled.  It is on the PREPROCESSORS tab in the General Preprocessors section down near the bottom of the page.

    Anytime you see an unknown rule option error message, that likely means a needed preproc is disabled.

    Bill



  • @RonpfS:

    Just to let you know that when I upgraded from Snort 2.9.6.2 pkg v3.1.5 to Snort 2.9.7.0 pkg v3.2.1 using the Reinstall Snort package button, I got this:

    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_smtp_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_sip_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_gtp_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssh_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dce2_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

    Snort was running.
    I stopped it and re-started it without any issues.

    This binary version of Snort changes the directory name where the preproc libraries are stored.  The snort.conf file has to be updated with the new name (and the new directory has to be created and populated).  That should have happened automatically prior to Snort startup on your box, but if you got errors then for some reason it did not.  Stopping and then manually restarting via the START/STOP icons will forcibly create the new snort.conf file.

    Bill
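    An added example, not code from the pfSense package, of the check behind those "Could not find the libsf_*_preproc file" messages: read the `dynamicpreprocessor directory` directive out of snort.conf and confirm that every expected `libsf_<name>_preproc.so` is actually in that directory.  The ten library names come from the log lines quoted above; the directory names and the snort.conf contents are constructed in a temporary directory so the script runs anywhere, and the "stale" case models what Bill describes, a snort.conf that still names the old directory after the libraries moved.

```python
import os
import re
import tempfile

# Dynamic preprocessor libraries the package complained about in the log above.
EXPECTED_PREPROCS = [
    "ftptelnet", "smtp", "ssl", "sip", "gtp", "ssh", "dce2", "dns", "pop", "imap",
]

# 'dynamicpreprocessor directory <path>' is the snort.conf directive that tells
# Snort 2.9 where to load libsf_*_preproc.so files from.
DIRECTIVE_RE = re.compile(r"^\s*dynamicpreprocessor\s+directory\s+(\S+)", re.M)


def preproc_directory(snort_conf_text):
    """Return the path named by the directive, or None if snort.conf lacks it."""
    m = DIRECTIVE_RE.search(snort_conf_text)
    return m.group(1) if m else None


def missing_preprocs(directory):
    """Names from EXPECTED_PREPROCS whose .so is absent from directory."""
    if not os.path.isdir(directory):
        return list(EXPECTED_PREPROCS)          # wrong directory: everything is missing
    present = set(os.listdir(directory))
    return [n for n in EXPECTED_PREPROCS
            if f"libsf_{n}_preproc.so" not in present]


def check(snort_conf_text):
    """Combine both steps; an empty 'missing' list means Snort can start cleanly."""
    d = preproc_directory(snort_conf_text)
    if d is None:
        return {"directory": None, "missing": list(EXPECTED_PREPROCS)}
    return {"directory": d, "missing": missing_preprocs(d)}


def demo():
    """Constructed scenario: libraries live in a new directory, snort.conf names the old one."""
    root = tempfile.mkdtemp()
    old_dir = os.path.join(root, "snort_dynamicpreprocessor_old")   # never created
    new_dir = os.path.join(root, "snort_dynamicpreprocessor")
    os.makedirs(new_dir)
    for n in EXPECTED_PREPROCS:
        open(os.path.join(new_dir, f"libsf_{n}_preproc.so"), "wb").close()
    stale_conf = f"dynamicpreprocessor directory {old_dir}\n"
    fixed_conf = f"dynamicpreprocessor directory {new_dir}\n"
    return check(stale_conf), check(fixed_conf)


if __name__ == "__main__":
    stale, fixed = demo()
    print("stale snort.conf ->", len(stale["missing"]), "libraries missing")
    print("rebuilt snort.conf ->", len(fixed["missing"]), "libraries missing")
```

    On a live box you would pass the real snort.conf contents to `check()` after the package upgrade; a non-empty result before Snort is restarted is the condition that produces the warnings RonpfS saw.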



  • Oops, I forgot to include a few lines above:

    2014-12-21 14:43:39 User.Error 172.24.xx.yyy Dec 21 14:43:39 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
    2014-12-21 14:43:39 Daemon.Info 172.24.xx.yyy Dec 21 14:43:39 SnortStartup[5089]: Snort START for Wan Snort(18203_pppoe1)…

    2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
    ...
    2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

    2014-12-21 14:49:37 Daemon.Error 172.24.xx.yyy Dec 21 14:49:37 snort[15120]: *** Caught Term-Signal
    2014-12-21 14:49:37 Kernel.Info 172.24.xx.yyy Dec 21 14:49:37 kernel: pppoe1: promiscuous mode disabled
    2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(pppoe1)…
    2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    2014-12-21 14:50:00 Cron.Info 172.24.xx.yyy Dec 21 14:50:00 /usr/sbin/cron[71660]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
    2014-12-21 14:50:06 User.Error 172.24.xx.yyy Dec 21 14:50:06 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    2014-12-21 14:50:08 User.Error 172.24.xx.yyy Dec 21 14:50:08 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    2014-12-21 14:50:11 User.Error 172.24.xx.yyy Dec 21 14:50:11 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(pppoe1)…
    2014-12-21 14:50:34 Kernel.Info 172.24.xx.yyy Dec 21 14:50:34 kernel: pppoe1: promiscuous mode enabled

    So no problem after stopping and restarting Snort. :-)


  • I get this after the update

    I whitelist an IP range in aliases but Snort still blocks it…






  • @Supermule:

    I get this after the update

    I whitelist an IP range in aliases but Snort still blocks it…

    Where is that IP range included in the Pass List for the interface?  Check on the INTERFACE SETTINGS tab for that interface and verify the IP range is showing up when you click View List beside the PASS LIST drop-down box. Simply calling an Alias "whitelist" is not sufficient.  You must assign the alias to a Pass List, then assign that Pass List to an interface and finally restart the interface for the whitelist to become effective.

    Bill


  • I have :(




  • @Supermule:

    I have :(

    No changes at all were made to anything related to the PASS LIST logic (neither in the GUI code nor in the binary).  Did this just start recently?  Is this a new IP alias recently added?  Can you try defining it as 81.19.246.0/26 instead of as 81.19.246.1/26?

    Bill
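    An added illustration (not the package's pass-list code, which Bill says did not change) of why the canonical form 81.19.246.0/26 is the safer way to write the alias: a parser that insists on a clean network address rejects 81.19.246.1/26 outright because the host bits are set, while a lenient parser silently normalizes it to 81.19.246.0/26.  The alias contents and the test address 81.19.246.40 are constructed; the `strict` flag is Python's `ipaddress` behaviour, used here to show both outcomes side by side.

```python
import ipaddress


def parse_pass_list(entries, strict=True):
    """Parse alias entries into IP networks.

    strict=True mirrors a parser that rejects entries with host bits set
    (81.19.246.1/26 -> ValueError); strict=False normalizes such an entry to
    the network it implies (81.19.246.0/26). Returns (networks, rejected).
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=strict))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected


def is_passed(ip, networks):
    """True if ip falls inside any network of the parsed pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


# Constructed alias: the range from this thread written with host bits set,
# plus one entry that is already canonical.
ALIAS = ["81.19.246.1/26", "10.0.0.0/24"]


def demo(target="81.19.246.40"):
    strict_nets, rejected = parse_pass_list(ALIAS, strict=True)
    lenient_nets, _ = parse_pass_list(ALIAS, strict=False)
    return {
        "strict_rejected": [entry for entry, _ in rejected],
        "strict_passes": is_passed(target, strict_nets),       # False: entry was dropped
        "lenient_network": str(lenient_nets[0]),               # '81.19.246.0/26'
        "lenient_passes": is_passed(target, lenient_nets),     # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The practical takeaway is the one Bill gives: write the network address, not a host inside it, and then confirm with View List that the range really shows up in the interface's Pass List.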


  • Yes I will try that. :)



  • Hi,

    After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

    
    Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
    Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
    Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
    Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    
    

    Hoping to get some help with these messages. :)

    I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

    Thanks!



  • @chasba:

    Hi,

    After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

    
    Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
    Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
    Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
    Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    
    

    Hoping to get some help with these messages. :)

    I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

    Thanks!

    I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

    Bill



  • @bmeeks:

    @chasba:

    Hi,

    After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

    
    Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
    Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
    Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
    Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
    Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
    
    

    Hoping to get some help with these messages. :)

    I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

    Thanks!

    I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

    Bill

    I am also seeing lots of those types of errors in my system log.

    
    Jan 1 17:45:02	snort[70325]: invalid appid in appStatRecord (186)
    Jan 1 17:40:00	snort[70325]: invalid appid in appStatRecord (1603)
    Jan 1 17:40:00	snort[52449]: invalid appid in appStatRecord (1603)
    Jan 1 17:29:50	snort[70325]: Add service failed to create state
    Jan 1 17:29:50	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
    Jan 1 17:28:42	snort[70325]: Add service failed to create state
    Jan 1 17:28:42	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
    Jan 1 17:25:04	snort[70325]: Add service failed to create state
    Jan 1 17:25:04	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
    Jan 1 17:10:01	snort[52449]: invalid appid in appStatRecord (186)
    Jan 1 17:10:01	snort[70325]: invalid appid in appStatRecord (186)
    Jan 1 17:09:53	snort[70325]: Add service failed to create state
    Jan 1 17:09:53	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
    Jan 1 17:05:01	snort[52449]: invalid appid in appStatRecord (186)
    Jan 1 17:05:01	snort[70325]: invalid appid in appStatRecord (186)
    Jan 1 17:00:00	snort[70325]: invalid appid in appStatRecord (1603)
    Jan 1 17:00:00	snort[52449]: invalid appid in appStatRecord (1603)
    
    


  • I'm getting the same errors on the App ID

    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3861 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3885 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 699 is UNKNOWN

    Jan 12 12:06:41 fw1 check_reload_status: Syncing firewall
    Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (2734)
    Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (2734)
    Jan 12 18:10:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:10:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:15:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:15:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:20:16 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:20:16 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:25:10 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:25:10 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:35:01 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:35:01 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:40:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:40:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:00:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:00:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:05:04 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:05:04 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:15:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:15:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:45:05 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:45:05 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:50:11 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:50:15 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:55:13 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:55:13 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 20:02:29 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 20:04:38 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 22:20:02 fw1 snort[21362]: invalid appid in appStatRecord (2734)
    Jan 12 22:20:02 fw1 snort[26114]: invalid appid in appStatRecord (2734)
    Jan 12 22:30:04 fw1 snort[26114]: invalid appid in appStatRecord (186)
    Jan 12 22:30:04 fw1 snort[21362]: invalid appid in appStatRecord (186)
    Jan 13 10:00:01 fw1 snort[58024]: invalid appid in appStatRecord (3885)



  • @TieT:

    I'm getting the same errors on the App ID

    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3861 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3885 is UNKNOWN
    Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 699 is UNKNOWN

    Jan 12 12:06:41 fw1 check_reload_status: Syncing firewall
    Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (2734)
    Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (2734)
    Jan 12 18:10:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:10:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:15:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:15:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:20:16 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:20:16 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:25:10 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:25:10 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:35:01 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:35:01 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:40:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 18:40:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 18:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:00:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:00:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:05:04 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:05:04 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:15:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:15:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:45:05 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:45:05 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:50:11 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:50:15 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 19:55:13 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 19:55:13 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 20:02:29 fw1 snort[26114]: invalid appid in appStatRecord (502)
    Jan 12 20:04:38 fw1 snort[21362]: invalid appid in appStatRecord (502)
    Jan 12 22:20:02 fw1 snort[21362]: invalid appid in appStatRecord (2734)
    Jan 12 22:20:02 fw1 snort[26114]: invalid appid in appStatRecord (2734)
    Jan 12 22:30:04 fw1 snort[26114]: invalid appid in appStatRecord (186)
    Jan 12 22:30:04 fw1 snort[21362]: invalid appid in appStatRecord (186)
    Jan 13 10:00:01 fw1 snort[58024]: invalid appid in appStatRecord (3885)

    These are issues within the OpenAppID templates themselves that are updated periodically from the Snort.org web site.  When you see these kinds of errors, it means the latest update to the templates contains some errors.  You can check the Snort VRT mail list to see if others are reporting issues.  It's also likely these will magically fix themselves in a future update of the OpenAppID templates.

    Bill
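    Before posting to the Snort mailing list it helps to reduce the repeating OpenAppID warnings to one line per distinct problem.  The aggregator below is an added example, not part of the package or this thread; it groups the three message shapes seen in this thread (an unknown AppId, an invalid appid in appStatRecord, and a Lua detector that fails validation) and keeps anything else from the snort process for manual review.  The sample log is constructed from lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample assembled from the message shapes quoted in this thread.
SAMPLE = """\
Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3861 is UNKNOWN
Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
Jan 12 22:20:02 fw1 snort[21362]: invalid appid in appStatRecord (2734)
Dec 31 22:59:35 fw1 snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
Jan 1 17:29:50 fw1 snort[70325]: Failed to add to hash: 192.168.2.1:17:67
"""

UNKNOWN_RE = re.compile(r"AppInfo: AppId (\d+) is UNKNOWN")
STAT_RE = re.compile(r"invalid appid in appStatRecord \((\d+)\)")
# Detector scripts are loaded as 'client <file>.lua' or 'service <file>.lua'.
LUA_RE = re.compile(r"(?:client|service) (\S+\.lua): (.*)$")


def triage_appid_log(text):
    """Collapse repeated OpenAppID warnings into counts and distinct detector failures."""
    unknown = defaultdict(int)      # AppId -> times reported UNKNOWN
    stat = defaultdict(int)         # AppId -> times rejected in appStatRecord
    detectors = {}                  # lua file -> first error message seen
    unclassified = []               # other snort messages worth a look
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[int(m.group(1))] += 1
            continue
        m = STAT_RE.search(line)
        if m:
            stat[int(m.group(1))] += 1
            continue
        m = LUA_RE.search(line)
        if m:
            detectors.setdefault(m.group(1), m.group(2))
            continue
        if "snort[" in line:
            unclassified.append(line)
    return {
        "unknown_appids": dict(unknown),
        "invalid_stat_appids": dict(stat),
        "broken_detectors": detectors,
        "unclassified": unclassified,
    }


def report(summary):
    """Plain-text lines suitable for a mailing-list post."""
    lines = [f"AppId {a} reported UNKNOWN {n}x" for a, n in sorted(summary["unknown_appids"].items())]
    lines += [f"AppId {a} invalid in appStatRecord {n}x" for a, n in sorted(summary["invalid_stat_appids"].items())]
    lines += [f"detector {f}: {err}" for f, err in summary["broken_detectors"].items()]
    lines += [f"unclassified: {l}" for l in summary["unclassified"]]
    return lines


if __name__ == "__main__":
    for line in report(triage_appid_log(SAMPLE)):
        print(line)
```

    The detector file name is the useful part of a report: it identifies which script in the current detector package is broken, and once a later update replaces it the corresponding line disappears from the summary.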



  • Hello,

    I tried to get OpenAppId working, but it doesn't want to…

    My snort is working, VRT & OpenAppId rules are downloaded. VRT alerts appear.
    I followed this tutorial: https://forum.pfsense.org/index.php?topic=84227.0
    When I go to reddit, nothing is logged in alerts. Nothing useful in the firewall logs either.

    I'm running pfsense 2.1.5 with the latest version of snort.

    Any idea?

    Thanks!

