Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.7.0 pkg v3.2.1 Update Release Notes

    Scheduled Pinned Locked Moved pfSense Packages
    22 Posts 9 Posters 6.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks
      last edited by

      Snort 2.9.7.0 pkg v3.2.1 Update

      An update for the Snort package has been posted.  This update upgrades the underlying Snort binary to version 2.9.7.0, fixes two bugs and adds two new features to the Snort package.

      A preview thread posted earlier shows how to use the new OpenAppID feature (has screenshots).  Here is the link to that thread: https://forum.pfsense.org/index.php?topic=84227.0.

      When upgrading an existing Snort installation, please be sure and wait for the successful restart confirmation message before leaving the screen.  Leaving the screen too soon can result in the final install step getting skipped, and Snort will disappear from the SERVICES menu!

      New Features

      • Add support for new OpenAppID preprocessor.  This allows Snort to detect over 2400 applications and alert on their traffic.

      • Add new option on GLOBAL SETTINGS tab to toggle verbose Snort start-up logging.  The new setting defaults to "off".  When enabled, Snort will output detailed information on its startup progress to the firewall system log.

      Bug Fixes

      • Cron task for cleaning up old perfmon stats logs misses some files and never deletes them

      • The snort.sh script used to auto-start Snort and/or Barnyard2 on reboot loads binaries from /usr/local/bin instead of using the PBI wrappers in /usr/pbi/snort__{arch}_/bin.

      1 Reply Last reply Reply Quote 0
      • P
        priller
        last edited by

        The OpenAppID  URL error message is gone and it does successfully download the OpenAppID Detectors.

        However, the URL box that you show in the other thread still is not there.

        To update to pkg v3.2.1 (from pkg v3.2) , I just did a reinstall GUI components.  Also cleared browser cache.

        openapp2.jpg
        openapp2.jpg_thumb

        1 Reply Last reply Reply Quote 0
        • S
          snm777
          last edited by

          I followed the onscreen directions exactly to get the error to go away.  Once enabled and saved, go to the Updates tab, and in the section titled UPDATE YOUR RULE SET, click the Update button (Force would probably work too).  I waited for Snort to restart, then once it had I waited a bit longer until I got a message about AppID being enabled.

          Now when I go back to the Global Settings tab, I see
          VER:    Installed Detection Package Version=255
          in the OpenAppID section.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @priller:

            The OpenAppID  URL error message is gone and it does successfully download the OpenAppID Detectors.

            However, the URL box that you show in the other thread still is not there.

            To update to pkg v3.2.1 (from pkg v3.2) , I just did a reinstall GUI components.  Also cleared browser cache.

            The VRT now have a more permanent URL for the download, so there was no longer a need for an editable URL (at least not for now).  That was the source of the earlier error.  I removed the box for the URL, but forgot to also remove the validation code as well.

            When you enable the OpenAppID download, then go to the UPDATES tab and click UPDATE to fetch the files.

            Bill

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              The OpenAppID feature is brand new to Snort, so we will all have to learn about it together.  Please share your experience and any useful rules in this thread.

              There are some examples on the VRT Blog web site along with a bash one-line command to dump out all the available applications.  Here is a link:  http://blog.snort.org/2014/03/firing-up-openappid.html

              Bill

              1 Reply Last reply Reply Quote 0
              • S
                Supermule Banned
                last edited by

                Getting this in the rules…

                Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
                Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
                Dec 20 14:45:03 check_reload_status: Syncing firewall
                Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
                Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
                Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
                Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
                Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
                Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
                Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
                Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
                Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfully
                Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
                Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
                Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
                Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
                Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  @Supermule:

                  Getting this in the rules…

                  Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
                  Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
                  Dec 20 14:45:03 check_reload_status: Syncing firewall
                  Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
                  Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
                  Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                  Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
                  Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
                  Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
                  Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                  Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
                  Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
                  Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
                  Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfullyi
                  Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
                  Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
                  Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
                  Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
                  Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…

                  SSL preprocessor is likely disabled.  It is on the PREPROCESSORS tab in the General Preprocessors section down near the bottom of the page.

                  Anytime you see an unknown rule option error message, that likely means a needed preproc is disabled.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • RonpfSR
                    RonpfS
                    last edited by

                    Just to let you know that when I upgraded from Snort 2.9.6.2 pkg v3.1.5 to Snort 2.9.7.0 pkg v3.2.1 using the Reinstall Snort package button.

                    I got this:

                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_sip_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_gtp_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssh_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                    2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

                    Snort was running.
                    I stopped it and re-started it without any issues.

                    2.4.5-RELEASE-p1 (amd64)
                    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                    1 Reply Last reply Reply Quote 0
                    • S
                      Supermule Banned
                      last edited by

                      Preproc was ENABLED….

                      Disabled it and Snort started with no issues. I believe there is an error in the rule.

                      @bmeeks:

                      @Supermule:

                      Getting this in the rules…

                      Dec 20 14:51:17 snort[58337]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31344_em0/rules/snort.rules(2979) Unknown rule option: 'ssl_version'.
                      Dec 20 14:51:16 SnortStartup[58055]: Snort START for WAN(31344_em0)…
                      Dec 20 14:45:03 check_reload_status: Syncing firewall
                      Dec 20 14:45:02 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
                      Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Building new sig-msg.map file for WAN…
                      Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                      Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 146 rules due to disabled preprocessor dependencies.
                      Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN…
                      Dec 20 14:45:01 php: /snort/snort_download_rules.php: [Snort] Enabling any flowbit-required rules for: WAN…
                      Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] See '/var/log/snort/WAN_disabled_preproc_rules.log' for list of auto-disabled rules.
                      Dec 20 14:45:00 php: /snort/snort_download_rules.php: [Snort] Warning: auto-disabled 2000 rules due to disabled preprocessor dependencies.
                      Dec 20 14:44:51 php: /snort/snort_download_rules.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN…
                      Dec 20 14:44:46 php: /snort/snort_download_rules.php: [Snort] Updating rules configuration for: WAN …
                      Dec 20 14:44:40 php: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfullyi
                      Dec 20 14:44:38 php: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
                      Dec 20 14:44:37 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
                      Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz…
                      Dec 20 14:44:34 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
                      Dec 20 14:43:02 php: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2970.tar.gz…

                      SSL preprocessor is likely disabled.  It is on the PREPROCESSORS tab in the General Preprocessors section down near the bottom of the page.

                      Anytime you see an unknown rule option error message, that likely means a needed preproc is disabled.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @RonpfS:

                        Just to let you know that when I upgraded from Snort 2.9.6.2 pkg v3.1.5 to Snort 2.9.7.0 pkg v3.2.1 using the Reinstall Snort package button.

                        I got this:

                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_sip_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_gtp_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssh_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                        2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

                        Snort was running.
                        I stopped it and re-started it without any issues.

                        This binary version of Snort changes the directory name where the preproc libraries are stored.  The snort.conf file has to be updated with the new name (and the new directory has to be created and populated).  That should have happened automatically prior to Snort startup on your box, but if you got errors then for some reason it did not.  Stopping and then manually restarting via the START/STOP icons will forcibly create the new snort.conf file.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • RonpfSR
                          RonpfS
                          last edited by

                          Oups i forgot to include a few lines above:

                          2014-12-21 14:43:39 User.Error 172.24.xx.yyy Dec 21 14:43:39 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
                          2014-12-21 14:43:39 Daemon.Info 172.24.xx.yyy Dec 21 14:43:39 SnortStartup[5089]: Snort START for Wan Snort(18203_pppoe1)…

                          2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
                          ...
                          2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

                          2014-12-21 14:49:37 Daemon.Error 172.24.xx.yyy Dec 21 14:49:37 snort[15120]: *** Caught Term-Signal
                          2014-12-21 14:49:37 Kernel.Info 172.24.xx.yyy Dec 21 14:49:37 kernel: pppoe1: promiscuous mode disabled
                          2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(pppoe1)…
                          2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
                          2014-12-21 14:50:00 Cron.Info 172.24.xx.yyy Dec 21 14:50:00 /usr/sbin/cron[71660]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
                          2014-12-21 14:50:06 User.Error 172.24.xx.yyy Dec 21 14:50:06 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
                          2014-12-21 14:50:08 User.Error 172.24.xx.yyy Dec 21 14:50:08 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
                          2014-12-21 14:50:11 User.Error 172.24.xx.yyy Dec 21 14:50:11 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(pppoe1)…
                          2014-12-21 14:50:34 Kernel.Info 172.24.xx.yyy Dec 21 14:50:34 kernel: pppoe1: promiscuous mode enabled

                          So no problem after a stopping and restarting Snort. :-)

                          2.4.5-RELEASE-p1 (amd64)
                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                          1 Reply Last reply Reply Quote 0
                          • S
                            Supermule Banned
                            last edited by

                            I get this after update

                            I whitelist an IP range in aliases but Snort still blocks it…

                            snort_alert_whitelistedIP.PNG
                            snort_alert_whitelistedIP.PNG_thumb
                            firewall_whitelist_alias.PNG
                            firewall_whitelist_alias.PNG_thumb

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks
                              last edited by

                              @Supermule:

                              I get this after update

                              I whitelist an IP range in aliases but Snort still blocks it…

                              Where is that IP range included in the Pass List for the interface?  Check on the INTERFACE SETTINGS tab for that interface and verify the IP range is showing up when you click View List beside the PASS LIST drop-down box. Simply calling an Alias "whitelist" is not sufficient.  You must assign the alias to a Pass List, then assign that Pass List to an interface and finally restart the interface for the whitelist to become effective.

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • S
                                Supermule Banned
                                last edited by

                                I have :(

                                pass_list.PNG
                                pass_list.PNG_thumb

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @Supermule:

                                  I have :(

                                  No changes at all were made to anything related to the PASS LIST logic (neither in the GUI code nor in the binary).  Did this just start recently?  Is this a new IP alias recently added?  Can you try defining it as 81.19.246.0/26 instead of as 81.19.246.1/26?

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Supermule Banned
                                    last edited by

                                    Yes I will try that. :)

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      chasba
                                      last edited by

                                      Hi,

                                      After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

                                      
                                      Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
                                      Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                      Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
                                      Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
                                      Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
                                      Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                      Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                      Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
                                      Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
                                      Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
                                      Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                      Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                      Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                      
                                      

                                      Hoping to get some help with these messages. :)

                                      I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

                                      Thanks!

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @chasba:

                                        Hi,

                                        After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

                                        
                                        Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
                                        Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                        Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
                                        Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
                                        Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
                                        Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                        Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                        Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
                                        Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
                                        Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
                                        Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                        Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                        Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                        
                                        

                                        Hoping to get some help with these messages. :)

                                        I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

                                        Thanks!

                                        I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • V
                                          val
                                          last edited by

                                          @bmeeks:

                                          @chasba:

                                          Hi,

                                          After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

                                          
                                          Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
                                          Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                          Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
                                          Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
                                          Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
                                          Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                          Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                                          Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
                                          Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
                                          Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
                                          Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                          Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                          Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                                          
                                          

                                          Hoping to get some help with these messages. :)

                                          I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

                                          Thanks!

                                          I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

                                          Bill

                                          I am also seeing lots those type of error in my system log.

                                          
                                          Jan 1 17:45:02	snort[70325]: invalid appid in appStatRecord (186)
                                          Jan 1 17:40:00	snort[70325]: invalid appid in appStatRecord (1603)
                                          Jan 1 17:40:00	snort[52449]: invalid appid in appStatRecord (1603)
                                          Jan 1 17:29:50	snort[70325]: Add service failed to create state
                                          Jan 1 17:29:50	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                                          Jan 1 17:28:42	snort[70325]: Add service failed to create state
                                          Jan 1 17:28:42	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                                          Jan 1 17:25:04	snort[70325]: Add service failed to create state
                                          Jan 1 17:25:04	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                                          Jan 1 17:10:01	snort[52449]: invalid appid in appStatRecord (186)
                                          Jan 1 17:10:01	snort[70325]: invalid appid in appStatRecord (186)
                                          Jan 1 17:09:53	snort[70325]: Add service failed to create state
                                          Jan 1 17:09:53	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                                          Jan 1 17:05:01	snort[52449]: invalid appid in appStatRecord (186)
                                          Jan 1 17:05:01	snort[70325]: invalid appid in appStatRecord (186)
                                          Jan 1 17:00:00	snort[70325]: invalid appid in appStatRecord (1603)
                                          Jan 1 17:00:00	snort[52449]: invalid appid in appStatRecord (1603)
                                          
                                          

                                          Intel Xeon E3-1225 V2 @ 3.20Ghz
                                          Intel S1200KPR server board mini-ITX
                                          A-data ECC 4GB x 2 1600MHz
                                          Intel Ethernet Server Adapter I350-T2
                                          Samsung 840 Pro 120GB
                                          Lian-Li PC-Q15B

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            TieT
                                            last edited by

                                            I'm getting the same errors on the App ID

                                            Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
                                            Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
                                            Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3861 is UNKNOWN
                                            Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3885 is UNKNOWN
                                            Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 699 is UNKNOWN

                                            Jan 12 12:06:41 fw1 check_reload_status: Syncing firewall
                                            Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (2734)
                                            Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (2734)
                                            Jan 12 18:10:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:10:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:15:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:15:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:20:16 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:20:16 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:25:10 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:25:10 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:35:01 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:35:01 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:40:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 18:40:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 18:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:00:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 19:00:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:05:04 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:05:04 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 19:15:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:15:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 19:45:05 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 19:45:05 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:50:11 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:50:15 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 19:55:13 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 19:55:13 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 20:02:29 fw1 snort[26114]: invalid appid in appStatRecord (502)
                                            Jan 12 20:04:38 fw1 snort[21362]: invalid appid in appStatRecord (502)
                                            Jan 12 22:20:02 fw1 snort[21362]: invalid appid in appStatRecord (2734)
                                            Jan 12 22:20:02 fw1 snort[26114]: invalid appid in appStatRecord (2734)
                                            Jan 12 22:30:04 fw1 snort[26114]: invalid appid in appStatRecord (186)
                                            Jan 12 22:30:04 fw1 snort[21362]: invalid appid in appStatRecord (186)
                                            Jan 13 10:00:01 fw1 snort[58024]: invalid appid in appStatRecord (3885)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.