[Snort-devel] A couple of bugs in snort v2.0.0

Martin Olsson elof at ...969...
Fri May 2 08:48:45 EDT 2003


Hi. I've discovered a couple of bugs in snort v2.0.0 (build 72).

===== 1. Logdir must be specified on the commandline ====================

In my snort.conf I have specified:
  config logdir: /usr/sentor/log

When I run 'snort -c /usr/sentor/etc/snort.conf -T' I get:
  Running in IDS mode
  Log directory = /var/log/snort
  ERROR:
  [!] ERROR: Can not get write access to logging directory "/var/log/snort".
  (directory doesn't exist or permissions are set incorrectly
  or it is not a directory at all)
  Fatal Error, Quitting..

Apparently the 'config logdir' had no effect. In order to make snort start
you have to specify the logdir on the commandline.
'snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log -T':
  Running in IDS mode
  Log directory = /usr/sentor/log
  Initializing Network Interface ed1
  ...



===== 2. "config interface" is ignored at startup =======================

In my snort.conf I have specified:
  config interface: bge1

When I run 'snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log -T' I
get:
  Running in IDS mode
  Log directory = /usr/sentor/log
  Initializing Network Interface ed1   <----------------- ed1
        --== Initializing Snort ==--
  Initializing Output Plugins!
  Decoding Ethernet on interface ed1
  Initializing Preprocessors!
  Initializing Plug-ins!
  Parsing Rules file /usr/sentor/etc/snort.conf
  +++++++++++++++++++++++++++++++++++++++++++++++++++
  Initializing rule chains...
  Found logdir config directive (/usr/sentor/log)
  Initializing Network Interface bge1   <---------------- bge1
  ...

Snort shouldn't initialize ed1 at startup.



===== 3. Variables not expanded within {} ===============================

In my snort.conf I have specified:
  ...
  var SENSOR_NAME flash-01
  var DB_USER snort
  var DB_PASSWORD foo
  var DB_NAME gazonk
  var DB_HOST 10.0.0.50
  ...
  output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
  ruletype bar
  {
    type alert
    output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
  }
  ...

When I run 'snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log -T' the
output on stderr is terminated instead of showing me an error message.
  Running in IDS mode
  Log directory = /usr/sentor/log
  Initializing Network Interface ed1
        --== Initializing Snort ==--
  Initializing Output Plugins!
  Decoding Ethernet on interface ed1
  Initializing Preprocessors!
  Initializing Plug-ins!
  Parsing Rules file /usr/sentor/etc/snort.conf
  +++++++++++++++++++++++++++++++++++++++++++++++++++
  Initializing rule chains...
  Initializing Network Interface ed1      <--- this is the last output

Meanwhile syslogd has logged this:
  snort: FATAL ERROR: database: mysql_error: Unknown MySQL Server Host '$DB_HOST' (0)

The variables in the first "output database" line in snort.conf were
expanded and parsed correctly. The error above is triggered by the second
instance of "output database", the one within the ruletype declaration.
Apparently variables aren't expanded within curly brackets ({}).



===== 4. log_tcpdump filename ===========================================

In my snort.conf I have specified:
  output log_tcpdump: snort.tcpdump

Snort v2.0.0 adds a timestamp to the filename. I don't want this
suffix, so it would be nice if it was configurable.

snort.tcpdump.1051866283   <--- I don't want this suffix
snort.tcpdump.1051866372
snort.tcpdump.1051866563
snort.tcpdump.1051866564
snort.tcpdump.1051866837
snort.tcpdump.1051868213
snort.tcpdump.1051870953



===== 5. config daemon ==================================================

In my snort.conf I have specified:
  config daemon

When I run 'snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log' it
runs in the foreground, ignoring the "config daemon" directive in
snort.conf. I have to execute 'snort -c /usr/sentor/etc/snort.conf -l
/usr/sentor/log -D' in order to daemonize the process.





Other notes:

===== A. References to the snmp-plugin ==================================
In various online and offline manuals, readme-files and the configure-help
there are references to the snmp-plugin. This plugin is currently
missing in snort v2.0.0... Confusing. :-)



===== B. Database configuration information =============================

When starting snort v1.9.x in test-mode you get a section of database
configuration. Snort v2.0.0 does not give this information. Why?

Output from snort v1.9.1:
  Portscan2 config:
    log: /usr/sentor/log/.snort-chobetsu-01.d/snort.portscan
    scanners_max: 3200
    targets_max: 5000
    target_limit: 25
    port_limit: 100
    timeout: 60
  database: compiled support for ( mysql )   <--- I
  database: configured to use mysql          <--- miss
  database:          user = snort            <--- this
  database: password is set                  <--- info
  database: database name = gazonk           <--- in
  database:          host = 10.0.0.50        <--- snort
  database:   sensor name = flash-01         <--- version
  database:     sensor id = 1                <--- 2.0.0
  database: schema version = 106             <---
  database: using the "log" facility         <---
  1185 Snort rules read...
  1185 Option Chains linked into 120 Chain Headers



===== C. Chroot and uid configuration ===================================

The online (HTML and PDF) manual for snort v1.9.x listed these two config
parameters:
  config chroot
  config set_uid

In the new manual for snort v2.0.0 they are missing. Is it not possible to
configure the chroot and uid via snort.conf, or is it just the new manual
that needs to be updated?



===== D. Tcpdump-file automatically removed =============================

When I start snort v2.0.0, three files are created in my logdir:
  snort.alert
  snort.portscan
  snort.tcpdump.123456

All three files are 0 bytes in size. If I kill the snort process the file
snort.tcpdump.123456 will disappear while the other two remain there
(still 0 bytes in size). If I wait until something has been logged to
snort.tcpdump.123456 and then kill the process, the file isn't removed.

I can understand that someone has added the functionality to automatically
remove the tcpdump-logfile if it is empty when snort exits, but
then shouldn't all other 0-byte logfiles be removed in order to be
consistent?



My environment:
o  Snort v2.0.0 (build 72)
o  Compiled and executed on FreeBSD 4.7 (x86)
o  MySQL v3.23.49 support included



Regards,
Martin Olsson
Sentor AB, Sweden
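As an added workaround for bug 3 (this is example code, not from the original post or the Snort project): a small Python pre-processor that expands `var NAME value` definitions throughout a snort.conf, including inside `ruletype { }` blocks, and reports any `$NAME` reference that no `var` defines. The function name and the sample config are constructed here; only the `var`/`$NAME` syntax is taken from the post.

```python
import re

VAR_DEF = re.compile(r'^\s*var\s+(\w+)\s+(.+?)\s*$')   # "var NAME value"
VAR_REF = re.compile(r'\$(\w+)')                        # "$NAME" reference

def expand_snort_conf(text):
    """Expand $NAME on every line, including inside ruletype { } blocks.
    Returns (expanded_text, unresolved) with unresolved = [(line_no, name)]."""
    variables, out, unresolved = {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            out.append(line)                    # comments pass through
            continue
        m = VAR_DEF.match(line)
        if m:
            name, value = m.groups()
            # a value may itself reference earlier vars (var EXTERNAL_NET !$HOME_NET)
            variables[name] = VAR_REF.sub(
                lambda r: variables.get(r.group(1), r.group(0)), value)
            out.append(line)
            continue

        def replace(r):
            if r.group(1) in variables:
                return variables[r.group(1)]
            unresolved.append((lineno, r.group(1)))
            return r.group(0)                   # unknown reference left as-is

        out.append(VAR_REF.sub(replace, line))
    return "\n".join(out) + "\n", unresolved

# Constructed sample mirroring the post's snort.conf; the last rule line is
# made up and references $EXTERNAL_NET, which no 'var' defines.
SAMPLE_CONF = """\
var SENSOR_NAME flash-01
var DB_USER snort
var DB_PASSWORD foo
var DB_NAME gazonk
var DB_HOST 10.0.0.50
output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
ruletype bar
{
  type alert
  output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
}
alert tcp $EXTERNAL_NET any -> $DB_HOST 3306 (msg:"mysql access"; sid:1000001;)
"""
```

Feed the expanded text to snort instead of the original file; the unresolved list points at lines snort would otherwise hand to the output plugin with a literal `$NAME`, as in the mysql_error above.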
