[Snort-devel] Snort3 IPS questions, issues, and requests

Russ rucombs at cisco.com
Fri Nov 24 06:17:08 EST 2017


Got it.  A fix will be out Tuesday.  As you discovered, rule options 
must be lower case.  Same with Lua config by the way.

Thanks
Russ

On 11/23/17 12:12 AM, Noah Dietrich wrote:
> Hi Russ,
>
> Regarding the segfault, after a little further testing the issue 
> appears to occur whenever you don't use all lowercase for your rule 
> options (msg, gid, sid, et cetera).
>
> for example, this rule works:
>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
> sid:10000001; rev:001; gid:1; classtype:icmp-event;)
> but any of the following throw a segfault:
>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
> sid:10000001; rev:001; GID:1; classtype:icmp-event;)
>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
> Sid:10000001; rev:001; gid:1; classtype:icmp-event;)
>      alert icmp any any -> $HOME_NET any (Msg:"ICMP test detected"; 
> sid:10000001; rev:001; gid:1; classtype:icmp-event;)
>
> let me know if you need more information.  my configuration and output 
> is below.
> Thanks,
> noah
>
> Details of my configuration:
>
> snort3 build 240 on Ubuntu 16 x64 with all the additional software 
> installed (let me know if I've missed any optional software packages):
> noah at snort3:/etc/snort$ /bin/snort -V
>
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
>    ''''    By Martin Roesch & The Snort Team
> http://snort.org/contact#team
>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All 
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.0.4
>            Using OpenSSL 1.0.2g  1 Mar 2016
>            Using libpcap version 1.7.4
>            Using PCRE version 8.38 2015-11-23
>            Using ZLIB version 1.2.8
>            Using FlatBuffers 1.7.0
>            Using Hyperscan version 4.6.0 2017-11-18
>            Using LZMA version 5.1.0alpha
>
> Files used:
> noah at snort3:/etc/snort$ tree
> .
> ├── builtin_rules
> ├── file_magic.lua
> ├── lists
> ├── rules
> │   ├── ips.include
> │   ├── local.rules
> │   ├── sid-msg.map
> │   └── snort3-community.rules
> ├── snort_defaults.lua
> ├── snort.lua
> └── so_rules
>
> # snort_defaults.lua (relevant sections):
>
> ---------------------------------------------------------------------------
> -- default paths
> ---------------------------------------------------------------------------
> -- Path to your rules files (this can be a relative path)
>
> RULE_PATH = '/etc/snort/rules'
> BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
> PLUGIN_RULE_PATH = '/etc/snort/so_rules'
>
> -- If you are using reputation preprocessor set these
> WHITE_LIST_PATH = '/etc/snort/lists'
> BLACK_LIST_PATH = '/etc/snort/lists'
>
> # snort.lua (relevant sections)
> ---------------------------------------------------------------------------
> -- 2. configure defaults
> ---------------------------------------------------------------------------
>
> -- HOME_NET and EXTERNAL_NET must be set now
> -- setup the network addresses you are protecting
> HOME_NET = '10.0.0.0/24'
>
> -- set up the external network addresses.
> -- (leave as "any" in most situations)
> EXTERNAL_NET = 'any'
>
> dofile(conf_dir .. '/snort_defaults.lua')
> dofile(conf_dir .. '/file_magic.lua')
>
> appid =
> {
>     -- appid requires this to use appids in rules
> app_detector_dir = '/lib',
>     log_stats = true,
> }
>
> ips =
> {
>     -- use this to enable decoder and inspector alerts
>     -- enable_builtin_rules = true,
>
>     -- use include for rules files; be sure to set your path
>     -- note that rules files can include other rules files
>     --include = 'snort3_community.rules'
>     include = RULE_PATH .. '/ips.include',
> }
>
>
> # ips.include
> #include rules/snort3-community.rules
> include rules/local.rules
>
> # local.rules
> alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
> sid:10000001; rev:001; GID:1; classtype:icmp-event;)
>
> # Running Snort (and getting segfault):
> noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua --warn-all
> --------------------------------------------------
> o")~   Snort++ 3.0.0-240
> --------------------------------------------------
> Loading /etc/snort/snort.lua:
> ssh
> pop
> binder
> stream_tcp
> gtp_inspect
> dce_http_proxy
> stream_icmp
> normalizer
> ftp_server
> stream_udp
> modbus
> ips
> ssl
> latency
> wizard
> appid
> file_id
> ftp_data
> back_orifice
> smtp
> port_scan
> dce_http_server
> dce_tcp
> dce_smb
> telnet
> classifications
> sip
> rpc_decode
> http_inspect
> stream_ip
> stream_user
> dnp3
> ftp_client
> stream
> references
> arp_spoof
> dns
> dce_udp
> imap
> stream_file
> Finished /etc/snort/snort.lua.
> Loading /etc/snort/rules/ips.include:
> Loading rules/local.rules:
> Segmentation fault (core dumped)
> noah at snort3:/etc/snort$
>
>
>
> When I fix the rules to have all lowercase option names, I don't get a 
> segfault:
>
> noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua --warn-all
> --------------------------------------------------
> o")~   Snort++ 3.0.0-240
> --------------------------------------------------
> Loading /etc/snort/snort.lua:
> ssh
> pop
> binder
> stream_tcp
> gtp_inspect
> dce_http_proxy
> stream_icmp
> normalizer
> ftp_server
> stream_udp
> modbus
> ips
> ssl
> latency
> wizard
> appid
> file_id
> ftp_data
> back_orifice
> smtp
> port_scan
> dce_http_server
> dce_tcp
> dce_smb
> telnet
> classifications
> sip
> rpc_decode
> http_inspect
> stream_ip
> stream_user
> dnp3
> ftp_client
> stream
> references
> arp_spoof
> dns
> dce_udp
> imap
> stream_file
> Finished /etc/snort/snort.lua.
> Loading /etc/snort/rules/ips.include:
> Loading rules/local.rules:
> Finished rules/local.rules.
> Finished /etc/snort/rules/ips.include.
> --------------------------------------------------
> rule counts
>        total rules loaded: 1
>                text rules: 1
>             option chains: 1
>             chain headers: 1
> --------------------------------------------------
> port rule counts
>              tcp     udp    icmp      ip
>      any       0       0       1       0
>    total       0       0       1       0
> WARNING: port rule 1:10000001:1 has no fast pattern
> WARNING: legacy mode fast pattern searching enabled
> --------------------------------------------------
> pcap DAQ configured to passive.
> --------------------------------------------------
> memory (heap)
>     main thread usage: 26400128
>     allocations: 138043
>     deallocations: 77420
>     thread cap: 0
>     preemptive threshold: 0
>
> Snort successfully validated the configuration (with 2 warnings).
> o")~   Snort exiting
>
>
>
>
>
> On Mon, Nov 20, 2017 at 5:24 PM, Russ <rucombs at cisco.com> wrote:
>
>     Hey Noah, responses inline.
>
>     Thanks
>     Russ
>
>     On 11/19/17 3:36 AM, Noah Dietrich wrote:
>>     Hello,
>>
>>     While working with Snort3 (build 240), I have found some issues,
>>     and have a few questions and requests. I am happy to submit these
>>     through Github if you'd like.
>     This is fine.  Whatever works for you.
>>
>>     1.  What is the difference between *ips.include* and
>>     *ips.rules*?  From the manual and examples, it looks like
>>     ips.include is for legacy rules (although snort3 community rules
>>     load fine), while ips.rules is for local rules in the same file. 
>>     can you clarify?
>     ips.include = filename of Snort 3.0 rules you want to load.  Like
>     Snort 2.X, you can put include statements in that file to include
>     other files.  Snort 3.0 will not load Snort 2.X rules (but you can
>     use snort2lua to convert them).
>
>     ips.rules = string variable containing rules directly in the Lua
>     file.  This is good for simple rules or test configurations or
>     enabling specific builtins like this:
>
>     local_rules =
>     [[
>     block ( gid:119; sid:16; )
>     block ( gid:119; sid:32; )
>     ]]
>
>     ips = { rules = local_rules }
>
>>     2.  For best practices, are you expecting people to set
>>     *$RULE_HOME* in *snort_defaults.lua*, or should this be
>>     overwritten in *snort.lua*? Should this be moved to snort.lua,
>>     since the word 'defaults' seems to indicate something the user
>>     shouldn't change.
>     I am not familiar with RULE_HOME, but obviously those files are
>     just starting points and should be modified to meet your needs. 
>     That said, my suggestion would be to just edit snort.lua and
>     copy/paste/tweak stuff from snort_defaults.lua into snort.lua or
>     elsewhere.  That way you can more easily absorb any changes to
>     snort_defaults.lua.
>>     3.  If $RULE_HOME is set, when referencing rule files, you are
>>     now required to have all rules under that folder (with no
>>     explicit paths to other locations). This seems like a bug.  It
>>     would be nice if relative files would use the $RULES_HOME
>>     directory, while full paths to rule files would not use $RULE_HOME.
>     Are you referring to RULE_PATH?  Regardless, there is no
>     restriction on where your rules are located or on including one
>     file from another.  Snort++ intentionally doesn't start guessing
>     about the location of stuff so I wouldn't call that a bug.  Sounds
>     like adding a command line option that says look for all rules
>     files starting with a given path will do what you want.
>>     4.  When using *ips.include* with a file that lists all rule
>>     files (example below), the file paths don't seem to be relative
>>     to $RULE_HOME, but are relative to the snort.lua file, which
>>     seems odd.
>     By default, everything should be relative to your current working
>     directory, which seems normal.  :)  How is this different from #3?
>>     5.  It would be nice to be able to specify multiple rule files in
>>     your snort.lua, rather than listing them all in ips.include (or
>>     whatever). The current method of including a list of rule files
>>     in a text file referenced from *ips.include* seems like a kludge
>>     and adds an extra layer of work and increases the chance of an
>>     issue when configuring your rules.  A comma-separated list of
>>     files (relative to $RULE_HOME or full paths) would be helpful.
>     Would this work for you (assuming the new command line option
>     mentioned in #3)?
>
>     local_rules =
>     [[
>     include one.rules
>     include two.rules
>     # ...
>     ]]
>
>     ips = { rules = local_rules }
>>     6.  Not sure if this is an issue or not, but if you specify the
>>     GID keyword in a rule loaded with *ips.include*, snort3 will
>>     segfault.
>     Oops.  Any segfault is an issue but I'm unable to reproduce that. 
>     Can you isolate it and send the rule?
>>
>>     Thank you,
>>     Noah
>>
>>
>>     Here is how my system is configured for the above questions
>>     (relevant sections only):
>>
>>     /etc/snort/snort_defaults.lua:
>>     RULE_PATH = '/etc/snort/rules'
>>
>>     /etc/snort/snort.lua
>>     ips =
>>     {
>>         enable_builtin_rules = true,
>>         include = RULE_PATH .. '/ips.include',
>>     }
>>
>>     /etc/snort/rules/ips.include
>>     include rules/snort3-community.rules
>>     include rules/local.rules
>>
>>     ls -l /etc/snort/rules
>>     -rw-r--r-- 1 root root      64 Nov 19 09:33              ips.include
>>     -rw-r--r-- 1 root root    1389 Nov 19 09:36            local.rules
>>     -rw-r--r-- 1 root root  376241 Nov 18 13:42          sid-msg.map
>>     -rw-r--r-- 1 root root 1504089 Nov 18 13:36 snort3-community.rules
>>
>>     noah at snort3:/etc/snort$ /bin/snort -V
>>
>>        ,,_     -*> Snort++ <*-
>>       o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
>>        ''''    By Martin Roesch & The Snort Team
>>     http://snort.org/contact#team
>>                Copyright (C) 2014-2017 Cisco and/or its affiliates.
>>     All rights reserved.
>>                Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>                Using DAQ version 2.2.2
>>                Using LuaJIT version 2.0.4
>>                Using OpenSSL 1.0.2g  1 Mar 2016
>>                Using libpcap version 1.7.4
>>                Using PCRE version 8.38 2015-11-23
>>                Using ZLIB version 1.2.8
>>                Using FlatBuffers 1.7.0
>>                Using Hyperscan version 4.6.0 2017-11-18
>>                Using LZMA version 5.1.0alpha
>>
>>
>>
>>
>>     _______________________________________________
>>     Snort-devel mailing list
>>     Snort-devel at lists.snort.org
>>     https://lists.snort.org/mailman/listinfo/snort-devel
>>
>>     Please visit http://blog.snort.org for the latest news about Snort!
>
>
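The crash above was triggered by mixed-case option keywords (GID:, Sid:, Msg:) in a rule file; the following is an added example, not Snort's own code or anything posted in the thread, that lints a rules file for that condition before it is handed to `snort -c`. The sample rules are constructed from the ones quoted above, plus a made-up tcp rule whose quoted value contains a semicolon to exercise the quote handling.

```python
"""Lint Snort 3 rule option keywords: option names (msg, sid, gid, rev, ...)
must be lower case; a mixed-case keyword such as GID: crashed build 240."""
import re

# Header: action proto src sport -> dst dport (options)
_HEADER_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s+(.+?)\s*\((.*)\)\s*$', re.S)

# Constructed sample rules file, based on the rules quoted in the thread.
SAMPLE_RULES = '''\
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001; rev:001; gid:1; classtype:icmp-event;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001; rev:001; GID:1; classtype:icmp-event;)
alert tcp any any -> $HOME_NET 80 (Msg:"semicolon in value"; content:"a;b"; Sid:10000002; rev:1;)
'''

def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes (\\" does not close one)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or (ch == '\\' and in_quote):
            escaped = not escaped          # enter or leave the backslash-escape state
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:   # option terminator
            if ''.join(cur).strip():
                opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts

def option_keywords(rule):
    """Return the option keywords of one rule, in the order written."""
    m = _HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a rule: %r' % rule)
    return [opt.split(':', 1)[0].strip() for opt in split_options(m.group(4))]

def lint_rules(text):
    """Return (line_no, keyword) for each option keyword that is not lower case."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith('#'):             # skip blanks and comments
            findings.extend((n, k) for k in option_keywords(s) if k != k.lower())
    return findings
```

Running `lint_rules` over a rules file before starting Snort reports each offending keyword with its line number; rules that continue across lines with a trailing backslash are not joined here.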
