[Snort-devel] Snort3 IPS questions, issues, and requests

Noah Dietrich noah_dietrich at 86penny.org
Thu Nov 23 00:12:46 EST 2017


Hi Russ,

Regarding the segfault, after a little further testing the issue appears to
occur whenever you don't use all lowercase for your rule options (msg, gid,
sid, et cetera).

for example, this rule works:
     alert icmp any any -> $HOME_NET any (msg:"ICMP test detected";
sid:10000001; rev:001; gid:1; classtype:icmp-event;)
but any of the following throw a segfault:
     alert icmp any any -> $HOME_NET any (msg:"ICMP test detected";
sid:10000001; rev:001; GID:1; classtype:icmp-event;)
     alert icmp any any -> $HOME_NET any (msg:"ICMP test detected";
Sid:10000001;
rev:001; gid:1; classtype:icmp-event;)
     alert icmp any any -> $HOME_NET any (Msg:"ICMP test detected";
sid:10000001; rev:001; gid:1; classtype:icmp-event;)

let me know if you need more information.  my configuration and output is
below.
Thanks,
noah

Details of my configuration:

snort3 build 240 on Ubuntu 16 x64 with all the additional software
installed (let me know if I've missed any optional software packages):
noah at snort3:/etc/snort$ /bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights
reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.4
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using libpcap version 1.7.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using FlatBuffers 1.7.0
           Using Hyperscan version 4.6.0 2017-11-18
           Using LZMA version 5.1.0alpha

*Files used:*
noah at snort3:/etc/snort$ tree
.
├── builtin_rules
├── file_magic.lua
├── lists
├── rules
│   ├── ips.include
│   ├── local.rules
│   ├── sid-msg.map
│   └── snort3-community.rules
├── snort_defaults.lua
├── snort.lua
└── so_rules

*# snort_defaults.lua *(relevant sections):

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'

*# snort.lua *(relevant sections)
---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = '10.0.0.0/24'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/file_magic.lua')

appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = '/lib',
    log_stats = true,
}

ips =
{
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3_community.rules'
    include = RULE_PATH .. '/ips.include',
}


*# ips.include*
#include rules/snort3-community.rules
include rules/local.rules

*# local.rules*
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected";
sid:10000001; rev:001; GID:1; classtype:icmp-event;)

*# Running Snort (and getting segfault):*
noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua --warn-all
--------------------------------------------------
o")~   Snort++ 3.0.0-240
--------------------------------------------------
Loading /etc/snort/snort.lua:
ssh
pop
binder
stream_tcp
gtp_inspect
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
modbus
ips
ssl
latency
wizard
appid
file_id
ftp_data
back_orifice
smtp
port_scan
dce_http_server
dce_tcp
dce_smb
telnet
classifications
sip
rpc_decode
http_inspect
stream_ip
stream_user
dnp3
ftp_client
stream
references
arp_spoof
dns
dce_udp
imap
stream_file
Finished /etc/snort/snort.lua.
Loading /etc/snort/rules/ips.include:
Loading rules/local.rules:
Segmentation fault (core dumped)
noah at snort3:/etc/snort$



When i fix the rules to have all lowercase option names, i don't get a
segfault:

noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua --warn-all
--------------------------------------------------
o")~   Snort++ 3.0.0-240
--------------------------------------------------
Loading /etc/snort/snort.lua:
ssh
pop
binder
stream_tcp
gtp_inspect
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
modbus
ips
ssl
latency
wizard
appid
file_id
ftp_data
back_orifice
smtp
port_scan
dce_http_server
dce_tcp
dce_smb
telnet
classifications
sip
rpc_decode
http_inspect
stream_ip
stream_user
dnp3
ftp_client
stream
references
arp_spoof
dns
dce_udp
imap
stream_file
Finished /etc/snort/snort.lua.
Loading /etc/snort/rules/ips.include:
Loading rules/local.rules:
Finished rules/local.rules.
Finished /etc/snort/rules/ips.include.
--------------------------------------------------
rule counts
       total rules loaded: 1
               text rules: 1
            option chains: 1
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any       0       0       1       0
   total       0       0       1       0
WARNING: port rule 1:10000001:1 has no fast pattern
WARNING: legacy mode fast pattern searching enabled
--------------------------------------------------
pcap DAQ configured to passive.
--------------------------------------------------
memory (heap)
    main thread usage: 26400128
    allocations: 138043
    deallocations: 77420
    thread cap: 0
    preemptive threshold: 0

Snort successfully validated the configuration (with 2 warnings).
o")~   Snort exiting





On Mon, Nov 20, 2017 at 5:24 PM, Russ <rucombs at cisco.com> wrote:

> Hey Noah, responses inline.
>
> Thanks
> Russ
>
> On 11/19/17 3:36 AM, Noah Dietrich wrote:
>
> Hello,
>
> While working with Snort3 (build 240), I have found some issues, and have
> a few questions and requests. I am happy to submit these through Github if
> you'd like.
>
> This is fine.  Whatever works for you.
>
>
> 1.  What is the difference between *ips.include* and *ips.rules*?  From
> the manual and examples, it looks like ips.include is for legacy rules
> (although snort3 community rules load fine), while ips.rules is for local
> rules in the same file.  can you clarify?
>
> ips.include = filename of Snort 3.0 rules you want to load.  Like Snort
> 2.X, you can put include statements in that file to include other files.
> Snort 3.0 will not load Snort 2.X rules (but you can use snort2lua to
> convert them).
>
> ips.rules = string variable containing rules directly in the Lua file.
> This is good for simple rules or test configurations or enabling specific
> builtins like this:
>
> local_rules =
> [[
> block ( gid:119; sid:16; )
> block ( gid:119; sid:32; )
> ]]
>
> ips = { rules = local_rules }
>
> 2.  For best practices, are you expecting people to set *$RULE_HOME* in
> *snort_defaults.lua*, or should this be overwritten in *snort.lua*?
> Should this be moved to snort.lua, since the word 'defaults' seems to
> indicate something the user shouldn't change.
>
> I am not familiar with RULE_HOME, but obviously those files are just
> starting points and should be modified to meet your needs.  That said, my
> suggestion would be to just edit snort.lua and copy/paste/tweak stuff from
> snort_defaults.lua into snort.lua or elsewhere.  That way you can more
> easily absorb any changes to snort_defaults.lua.
>
> 3.  If $RULE_HOME is set, when referencing rule files, you are now
> required to have all rules under that folder (with no explicit paths to
> other locations). This seems like a bug.  It would be nice if relative
> files would use the $RULES_HOME directory, while full paths to rule files
> would not use $RULE_HOME.
>
> Are you referring to RULE_PATH?  Regardless, there is no restriction on
> where your rules are located or on including one file from another.
> Snort++ intentionally doesn't start guessing about the location of stuff so
> I wouldn't call that a bug.  Sounds like adding a command line option that
> says look for all rules files starting with a given path will do what you
> want.
>
> 4.  When using *ips.include* with a file that lists all rule files
> (example below), the file paths don't seem to be relative to $RULE_HOME,
> but are relative to the snort.lua file, which seems odd.
>
> By default, everything should be relative to your current working
> directory, which seems normal.  :)  How is this different from #3?
>
> 5.  It would be nice to be able to specify multiple rule files in your
> snort.lua, rather than listing them all in ips.include (or whatever). The
> current method of lincluding a list of rule files in a text file referenced
> from *ips.include *seems like a kludge and adds an extra layer of work
> and increases the chance of an issue when configuring your rules.  A
> comma-seperated list of files (relative to $RULE_HOME or full paths) would
> be helpful.
>
> Would this work for you (assuming the new command line option mentioned in
> #3)?
>
> local_rules =
> [[
> include one.rules
> include two.rules
> # ...
> ]]
>
> ips = { rules = local_rules }
>
> 6.  Not sure if this is an issue or not, but if you specify the GID
> keyword in a rule loaded with *ips.include*, snort3 will segfault.
>
> Oops.  Any segfault is an issue but I'm unable to reproduce that.  Can you
> isolate it and send the rule?
>
>
> Thank you,
> Noah
>
>
> Here is how my system is configured for the above questions (relevant
> sections only):
>
> */etc/snort/snort_defaults.lua:*
> RULE_PATH = '/etc/snort/rules'
>
> */etc/snort/**snort.lua*
> ips =
> {
>     enable_builtin_rules = true,
>     include = RULE_PATH .. '/ips.include',
> }
>
> */etc/snort/rules/ips.include*
> include rules/snort3-community.rules
> include rules/local.rules
>
> ls -l /etc/snort/rules
> -rw-r--r-- 1 root root      64 Nov 19 09:33              ips.include
> -rw-r--r-- 1 root root    1389 Nov 19 09:36            local.rules
> -rw-r--r-- 1 root root  376241 Nov 18 13:42          sid-msg.map
> -rw-r--r-- 1 root root 1504089 Nov 18 13:36         snort3-community.rules
>
>
> *noah at snort3:/etc/snort$ /bin/snort -V*
>
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
>    ''''    By Martin Roesch & The Snort Team
>            http://snort.org/contact#team
>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.0.4
>            Using OpenSSL 1.0.2g  1 Mar 2016
>            Using libpcap version 1.7.4
>            Using PCRE version 8.38 2015-11-23
>            Using ZLIB version 1.2.8
>            Using FlatBuffers 1.7.0
>            Using Hyperscan version 4.6.0 2017-11-18
>            Using LZMA version 5.1.0alpha
>
>
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel at lists.snort.orghttps://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20171123/e913df4a/attachment.html>


More information about the Snort-devel mailing list