Snort fails to start when AppID is activated.



  • 2.2.2-RELEASE (amd64)
    Snort 3.2.4

    file
    /usr/local/pkg/snort/snort_generate_conf.php : line 897
    $appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024
    should be
    $appid_memcap = $snortcfg['sf_appid_mem_cap']
    (no conversion to bytes); the expected value is in MB

    Otherwise snort will not start and gives an error.



  • What did you type into the text field on the PREPROCESSORS tab?  According to the README.appid file included with the Snort source code, the value for memcap is in bytes.

    Here is the information from the file --

    
    Option                  Argument                 Required  Default
    app_detector_dir        <directory>              No        /usr/local/etc/appid
    app_stats_filename      <filename>               No        NULL
    app_stats_period        <time in seconds>        No        300 seconds
    app_stats_rollover_size <disk size in bytes>     No        20 MB
    app_stats_rollover_time <time in seconds>        No        1 day
    memcap                  <memory limit bytes>     No        256MB
    debug                   <"yes">                  No        disabled
    dump_ports              No                       No        disabled

    preprocessor appid :\
                < app_detector_dir <directory>>, \
                < app_stats_filename <file name>>, \
                < app_stats_period <time in seconds>>, \
                < app_stats_rollover_size <disk size in bytes>>, \
                < app_stats_rollover_time <time in seconds>>, \
                < memcap <memory limit in bytes>>, \
                < debug <"yes">>, \
                < dump_ports >
    

    Bill



  • I used the default value 256.

    This is the message from snort.
    (it is checking the sanity of the parameters)
    From the message it is expecting a value in MB, not in bytes.

    snort[38760]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_20629_igb0/snort.conf(402) => Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

    As a result:

    php-fpm[95291]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 20629 -D -l /var/log/snort/snort_igb020629 --pid-path /var/run --nolock-pidfile -G 20629 -c /usr/pbi/snort-amd64/etc/snort/snort_20629_igb0/snort.conf -i igb0' returned exit code '1', the output was ''



  • @student_pv:

    I used the default value 256.

    This is the message from snort.
    (it is checking the sanity of the parameters)
    From the message it is expecting a value in MB, not in bytes.

    snort[38760]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_20629_igb0/snort.conf(402) => Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

    As a result:

    php-fpm[95291]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 20629 -D -l /var/log/snort/snort_igb020629 --pid-path /var/run --nolock-pidfile -G 20629 -c /usr/pbi/snort-amd64/etc/snort/snort_20629_igb0/snort.conf -i igb0' returned exit code '1', the output was ''

    I'm not currently using OpenAppID in my production firewall, so I will need to test this in a virtual machine to see if I can reproduce.  So far as I know, no other users have complained about this, though.  I think there are some other folks using OpenAppID.

    Bill



  • I installed Snort on a VM and OpenAppID worked fine.  It started with the default settings of "256" in the mem cap field.  Here is the resulting snort.conf file:

    
    # AppID preprocessor #
    preprocessor appid: \
    	app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \
    	memcap 268435456, \
    	app_stats_filename app-stats.log, \
    	app_stats_period 300, \
    	app_stats_rollover_size 1024000, \
    	app_stats_rollover_time 86400
    
    

    Please post the contents of the AppID preprocessor section from your snort.conf file.  You can find it in /usr/pbi/snort-amd64/etc/snort/snort_{uuid}{if}.

    Bill



  • Snort version:

    ,,_    -> Snort! <-
      o"  )~  Version 2.9.7.2 GRE (Build 177) FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
              Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
              Copyright (C) 1998-2013 Sourcefire, Inc., et al.
              Using libpcap version 1.6.2
              Using PCRE version: 8.35 2014-04-04
              Using ZLIB version: 1.2.8

    OS version:
    10.1-RELEASE-p9

    Can't attach config file. Server error:
    500 Internal Server Error

    The attached file is a snort.7z file renamed to snort.txt

    snort.txt



  • I think I found what happens.

    1. I checked the source code for appid: there are no messages with a structure like: Value specified for % is out of bounds. Please specify an integer between % and %.
    2. The source code uses the value from the config file directly, with no conversion, so the value indeed must be in bytes.
    3. A message with the structure "Value specified for % is out of bounds. Please specify an integer between % and %." exists in the reputation code:

    if (value < MIN_MEMCAP || value > MAX_MEMCAP)
    {
        DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of "
                "bounds.  Please specify an integer between %d and %d.\n",
                *(_dpd.config_file), *(_dpd.config_line),
                REPUTATION_MEMCAP_KEYWORD, MIN_MEMCAP, MAX_MEMCAP);
    }
    config->memcap = (uint32_t) value;

    4. Reputation config in the snort.conf file:

    IP Reputation preprocessor

    preprocessor reputation:
    memcap 500,
    priority whitelist,
    nested_ip inner,
    white unblack, \    <- look at this line: it is the last line but it has a backslash, so the preprocessor continues to read the next string as one big string.

    5. After the reputation config there is the appid config. All the appid config gets appended to the reputation config because of the backslash.
    6. The reputation config checks the value for memcap, which is in bytes, but the value is much bigger than 1 to 4065, so it is generating the error.
    7. The line $appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024 is correct.
    8. Somewhere there is another bug.
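    As an added example (not code from the thread or from the pfSense Snort package), the following models the continuation-line behaviour diagnosed above: a checker that folds a snort.conf the way a backslash-continuation parser does and flags a block that swallowed the next one, beside a generator that only places the backslash between option lines. The snort.conf text and the appid path are constructed for the demonstration.

```python
# Added example, not from the thread or the pfSense package: models the
# trailing-backslash bug described above and a generator that avoids it.
# The snort.conf text below is constructed; paths/values are illustrative.

def join_continuations(conf_text):
    """Fold physical lines into logical directives: a trailing backslash
    continues onto the next line. Blank and comment lines are skipped, so
    they do not end a continuation (modelling how the appid block landed
    inside the reputation block even with a comment between them)."""
    directives, pending = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        directives.append((pending + line).strip())
        pending = ""
    if pending:  # file ended while a continuation was still open
        directives.append(pending.strip())
    return directives

def find_swallowed_directives(conf_text):
    """Logical lines holding more than one 'preprocessor' keyword: the
    symptom of a dangling backslash on a block's last option line."""
    return [d for d in join_continuations(conf_text)
            if d.count("preprocessor ") > 1]

def render_preprocessor(name, options):
    """Emit a block with ', \\' only between options, never after the last."""
    return "preprocessor %s: \\\n\t%s\n" % (name, ", \\\n\t".join(options))

REPUTATION = ["memcap 500", "priority whitelist", "nested_ip inner", "white unblack"]
APPID = ["app_detector_dir /usr/local/etc/snort/appid", "memcap 268435456"]

# Constructed reproduction: the last reputation line keeps its backslash.
BROKEN_CONF = (render_preprocessor("reputation", REPUTATION).rstrip("\n")
               + ", \\\n" + "\n# AppID preprocessor #\n"
               + render_preprocessor("appid", APPID))
FIXED_CONF = (render_preprocessor("reputation", REPUTATION)
              + "\n# AppID preprocessor #\n"
              + render_preprocessor("appid", APPID))

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, find_swallowed_directives(conf))
```

    Run against a generated snort.conf, an empty result from find_swallowed_directives means every preprocessor block ends without a continuation backslash.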


  • Ah-ha!  Thanks for that detailed report and analysis.  There may indeed be a problem where the IP Reputation config string is created.  The code tries to be smart and add the backslash only where needed and there is a continuation line.  It may be getting tripped up, though, in some situations.  I will look into it.

    Bill



  • Follow-up --

    I found where this can happen in the code if you have IP REPUTATION enabled but have no IP list files defined.  So to stop the error, disable IP REP if you do not have IP LISTS defined and in use.  Otherwise, add at least one IP LIST file on the IP REP tab of Snort.  I will put in a fix for this in the next update, but for now I think either of the two things I mentioned should suffice as a workaround.  If not, please report back and let me know.

    Bill

    Edit:  fixed typo in response.



  • Thank you Bill.
    Disabled reputation and snort started.

    PV.