[Snort-devel] Snort 2.8.2.1 Now Available

Todd Wease twease at ...402...
Mon Jul 28 14:55:21 EDT 2008


Hi Christian,

The problem is that the pass rules don't have an sid associated with 
each.  What is actually happening is that the first pass rule is being 
registered with Snort, but the rest are not (the count in the startup 
output doesn't account for this failure).  This is because the hash 
table used to store the rules uses a gid/sid pair as the hash key. 
Rules without an sid are effectively given an sid of 0 for processing so 
when an attempt to insert another pass rule (without an sid) into the 
hash table is done, it returns that we already have an entry in the 
table and it doesn't get inserted.  The bug here is that Snort is _not_ 
checking the return value and not warning the user about the failure. 
We are planning to fix this in the 2.8.3 release and will fatal error on 
this condition.

Just add unique sids to your pass rules and things should work as 
expected (let us know if they don't).  Thanks again for posting the problem.

Todd

christian mock wrote:
> On Wed, Jul 23, 2008 at 01:13:31PM -0400, Steven Sturges wrote:
> 
>> Can you send us relevant parts of your configuration?
> 
> see below.
> 
>> How are your prioritizing rules?  Priority?  Use of
>> -o flag (or other command-line switches)?
> 
> I have no special priority setting, and tried both "-o" (until I discovered
> it is disabled in the source) and "config order: pass alert log". syslog
> says the ordering settings are applied (e.g. "Rule application order: 
> activation->dynamic->pass->drop->alert->log ").
> 
>> When you say "pass rules in front", what do you mean?
> 
> I'm using the following rules:
> 
> pass udp $HOME_NET any -> $HOME_NET 161
> pass icmp 62.116.68.33/32 any -> $HOME_NET any
> pass icmp any any -> 62.116.68.35/32 any
> pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
> pass icmp 192.168.1.128 any -> any any
> pass udp any any -> 192.168.1.1 53
> alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
> alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
> 
> I do a DNS lookup and a ping from 192.168.1.128 to 192.168.1.1, and I get:
> 
> 07/24-12:04:39.037287  [**] [1:1234568:1] DNS [**] [Priority: 0] {UDP} 192.168.1.128:36850 -> 192.168.1.1:53
> 07/24-12:04:39.038440  [**] [1:1234567:1] ICMP [**] [Priority: 0] {ICMP} 192.168.1.128 -> 192.168.1.1
> 
> Both should be passed by rules #5 and #6. When I delete rules #1-#4, 
> it works as expected. When I reorder the rules, it also works:
> 
> pass icmp 192.168.1.128 any -> any any
> pass udp any any -> 192.168.1.1 53
> pass udp $HOME_NET any -> $HOME_NET 161
> pass icmp 62.116.68.33/32 any -> $HOME_NET any
> pass icmp any any -> 62.116.68.35/32 any
> pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
> alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
> alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
> 
> I attach the snort.conf I'm using which is derived from the distributed
> version with the necessary adaptations.
> 
> Let me know if I can help with more info,
> 
> cm.
> 
> 
> 
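To make Todd's explanation concrete, here is a small model of the registration step he describes, written for this thread rather than taken from the Snort source: rules are keyed on a (gid, sid) pair, a rule with no sid option gets sid 0, and the 2.8.2.1 code ignores the insert's return value, so every sid-less pass rule after the first is silently dropped while the startup count still reports all of them. The checked variant refuses the rule set instead, and `assign_missing_sids` applies Todd's workaround. The generator id of 1 for text rules and the starting value for the added sids are assumptions of this model.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumption for this model: text rules belong to generator id 1, matching the
# "[1:1234568:1]" prefix in Christian's alert output.
DEFAULT_GID = 1
_OPTION_RE = re.compile(r'(\w+)\s*:\s*([^;]+);')


@dataclass(frozen=True)
class Rule:
    action: str
    header: str
    gid: int
    sid: int          # 0 when the rule text carries no sid option
    text: str


def parse_rule(text: str) -> Rule:
    """Split a text rule into action, header and the (gid, sid) it will be keyed on."""
    line = text.strip()
    head, has_options, rest = line.partition('(')
    options = dict(_OPTION_RE.findall(rest.rstrip(')'))) if has_options else {}
    action, _, header = head.strip().partition(' ')
    return Rule(action, header.strip(), int(options.get('gid', DEFAULT_GID)),
                int(options.get('sid', 0)), line)


def register_unchecked(rules: List[Rule]) -> Tuple[int, Dict[Tuple[int, int], Rule]]:
    """2.8.2.1 behaviour: every rule is counted, but a (gid, sid) key that is
    already in the table silently keeps its first occupant."""
    table: Dict[Tuple[int, int], Rule] = {}
    for rule in rules:
        table.setdefault((rule.gid, rule.sid), rule)   # insert result ignored
    return len(rules), table


def collisions(rules: List[Rule]) -> List[Tuple[int, Tuple[int, int]]]:
    """0-based indexes of rules whose (gid, sid) repeats an earlier rule's key."""
    seen = set()
    found = []
    for i, rule in enumerate(rules):
        key = (rule.gid, rule.sid)
        if key in seen:
            found.append((i, key))
        seen.add(key)
    return found


def register_checked(rules: List[Rule]) -> Dict[Tuple[int, int], Rule]:
    """Intended behaviour: refuse to load a rule set that reuses a gid:sid."""
    dupes = collisions(rules)
    if dupes:
        i, (gid, sid) = dupes[0]
        raise ValueError(f"rule {i + 1} reuses gid:sid {gid}:{sid}: {rules[i].text}")
    return {(r.gid, r.sid): r for r in rules}


def assign_missing_sids(rules: List[Rule], start: int = 1000001) -> List[Rule]:
    """Todd's workaround: give every sid-less rule its own sid. Local rules are
    conventionally numbered above 1000000; the start value is an assumption."""
    fixed = []
    next_sid = start
    for rule in rules:
        if rule.sid == 0:
            rule = replace(rule, sid=next_sid, text=f"{rule.text} (sid:{next_sid};)")
            next_sid += 1
        fixed.append(rule)
    return fixed


# Christian's rule set from the thread, in the order that misbehaved.
RULES = [parse_rule(line) for line in """
pass udp $HOME_NET any -> $HOME_NET 161
pass icmp 62.116.68.33/32 any -> $HOME_NET any
pass icmp any any -> 62.116.68.35/32 any
pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
pass icmp 192.168.1.128 any -> any any
pass udp any any -> 192.168.1.1 53
alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
""".strip().splitlines()]

if __name__ == "__main__":
    count, table = register_unchecked(RULES)
    print(f"startup count: {count} rules, actually registered: {len(table)}")
    for (gid, sid), rule in table.items():
        print(f"  {gid}:{sid} -> {rule.text}")
    print("colliding rule indexes:", [i for i, _ in collisions(RULES)])
    print("registered after adding sids:", len(register_checked(assign_missing_sids(RULES))))
```

Run as a script it reports 8 rules counted but only 3 registered: the first pass rule under 1:0 plus the two alert rules, which is exactly why the SNMP pass rule survived and the DNS and ICMP pass rules did not. Reordering the list only changes which single pass rule wins the 1:0 slot, whereas unique sids let all eight load.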