[Snort-devel] Snort3 IPS questions, issues, and requests

Russ rucombs at cisco.com
Tue Nov 28 08:06:57 EST 2017


The fix is up on github.

Thanks
Russ

On 11/24/17 6:17 AM, Russ via Snort-devel wrote:
> Got it.  A fix will be out Tuesday.  As you discovered, rule options 
> must be lower case.  Same with Lua config by the way.
>
> Thanks
> Russ
>
> On 11/23/17 12:12 AM, Noah Dietrich wrote:
>> Hi Russ,
>>
>> Regarding the segfault, after a little further testing the issue 
>> appears to occur whenever you don't use all lowercase for your rule 
>> options (msg, gid, sid, et cetera).
>>
>> For example, this rule works:
>>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
>> sid:10000001; rev:001; gid:1; classtype:icmp-event;)
>> but any of the following throw a segfault:
>>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
>> sid:10000001; rev:001; GID:1; classtype:icmp-event;)
>>      alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
>> Sid:10000001; rev:001; gid:1; classtype:icmp-event;)
>>      alert icmp any any -> $HOME_NET any (Msg:"ICMP test detected"; 
>> sid:10000001; rev:001; gid:1; classtype:icmp-event;)
>>
>> Let me know if you need more information.  My configuration and 
>> output are below.
>> Thanks,
>> noah
>>
>> Details of my configuration:
>>
>> snort3 build 240 on Ubuntu 16 x64 with all the additional software 
>> installed (let me know if I've missed any optional software packages):
>> noah at snort3:/etc/snort$ /bin/snort -V
>>
>>    ,,_     -*> Snort++ <*-
>>   o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
>>    ''''    By Martin Roesch & The Snort Team
>> http://snort.org/contact#team
>>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All 
>> rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using DAQ version 2.2.2
>>            Using LuaJIT version 2.0.4
>>            Using OpenSSL 1.0.2g  1 Mar 2016
>>            Using libpcap version 1.7.4
>>            Using PCRE version 8.38 2015-11-23
>>            Using ZLIB version 1.2.8
>>            Using FlatBuffers 1.7.0
>>            Using Hyperscan version 4.6.0 2017-11-18
>>            Using LZMA version 5.1.0alpha
>>
>> Files used:
>> noah at snort3:/etc/snort$ tree
>> .
>> ├── builtin_rules
>> ├── file_magic.lua
>> ├── lists
>> ├── rules
>> │   ├── ips.include
>> │   ├── local.rules
>> │   ├── sid-msg.map
>> │   └── snort3-community.rules
>> ├── snort_defaults.lua
>> ├── snort.lua
>> └── so_rules
>>
>> # snort_defaults.lua (relevant sections):
>>
>> ---------------------------------------------------------------------------
>> -- default paths
>> ---------------------------------------------------------------------------
>> -- Path to your rules files (this can be a relative path)
>>
>> RULE_PATH = '/etc/snort/rules'
>> BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
>> PLUGIN_RULE_PATH = '/etc/snort/so_rules'
>>
>> -- If you are using reputation preprocessor set these
>> WHITE_LIST_PATH = '/etc/snort/lists'
>> BLACK_LIST_PATH = '/etc/snort/lists'
>>
>> # snort.lua (relevant sections):
>> ---------------------------------------------------------------------------
>> -- 2. configure defaults
>> ---------------------------------------------------------------------------
>>
>> -- HOME_NET and EXTERNAL_NET must be set now
>> -- setup the network addresses you are protecting
>> HOME_NET = '10.0.0.0/24'
>>
>> -- set up the external network addresses.
>> -- (leave as "any" in most situations)
>> EXTERNAL_NET = 'any'
>>
>> dofile(conf_dir .. '/snort_defaults.lua')
>> dofile(conf_dir .. '/file_magic.lua')
>>
>> appid =
>> {
>>     -- appid requires this to use appids in rules
>>     app_detector_dir = '/lib',
>>     log_stats = true,
>> }
>>
>> ips =
>> {
>>     -- use this to enable decoder and inspector alerts
>>     -- enable_builtin_rules = true,
>>
>>     -- use include for rules files; be sure to set your path
>>     -- note that rules files can include other rules files
>>     --include = 'snort3_community.rules'
>>     include = RULE_PATH .. '/ips.include',
>> }
>>
>>
>> # ips.include
>> #include rules/snort3-community.rules
>> include rules/local.rules
>>
>> # local.rules
>> alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; 
>> sid:10000001; rev:001; GID:1; classtype:icmp-event;)
>>
>> # Running Snort (and getting segfault):
>> noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua 
>> --warn-all
>> --------------------------------------------------
>> o")~   Snort++ 3.0.0-240
>> --------------------------------------------------
>> Loading /etc/snort/snort.lua:
>> ssh
>> pop
>> binder
>> stream_tcp
>> gtp_inspect
>> dce_http_proxy
>> stream_icmp
>> normalizer
>> ftp_server
>> stream_udp
>> modbus
>> ips
>> ssl
>> latency
>> wizard
>> appid
>> file_id
>> ftp_data
>> back_orifice
>> smtp
>> port_scan
>> dce_http_server
>> dce_tcp
>> dce_smb
>> telnet
>> classifications
>> sip
>> rpc_decode
>> http_inspect
>> stream_ip
>> stream_user
>> dnp3
>> ftp_client
>> stream
>> references
>> arp_spoof
>> dns
>> dce_udp
>> imap
>> stream_file
>> Finished /etc/snort/snort.lua.
>> Loading /etc/snort/rules/ips.include:
>> Loading rules/local.rules:
>> Segmentation fault (core dumped)
>> noah at snort3:/etc/snort$
>>
>>
>>
>> When I fix the rules to have all lowercase option names, I don't get 
>> a segfault:
>>
>> noah at snort3:/etc/snort$ sudo /bin/snort -c /etc/snort/snort.lua 
>> --warn-all
>> --------------------------------------------------
>> o")~   Snort++ 3.0.0-240
>> --------------------------------------------------
>> Loading /etc/snort/snort.lua:
>> ssh
>> pop
>> binder
>> stream_tcp
>> gtp_inspect
>> dce_http_proxy
>> stream_icmp
>> normalizer
>> ftp_server
>> stream_udp
>> modbus
>> ips
>> ssl
>> latency
>> wizard
>> appid
>> file_id
>> ftp_data
>> back_orifice
>> smtp
>> port_scan
>> dce_http_server
>> dce_tcp
>> dce_smb
>> telnet
>> classifications
>> sip
>> rpc_decode
>> http_inspect
>> stream_ip
>> stream_user
>> dnp3
>> ftp_client
>> stream
>> references
>> arp_spoof
>> dns
>> dce_udp
>> imap
>> stream_file
>> Finished /etc/snort/snort.lua.
>> Loading /etc/snort/rules/ips.include:
>> Loading rules/local.rules:
>> Finished rules/local.rules.
>> Finished /etc/snort/rules/ips.include.
>> --------------------------------------------------
>> rule counts
>>        total rules loaded: 1
>>                text rules: 1
>>             option chains: 1
>>             chain headers: 1
>> --------------------------------------------------
>> port rule counts
>>              tcp     udp    icmp      ip
>>      any       0       0       1       0
>>    total       0       0       1       0
>> WARNING: port rule 1:10000001:1 has no fast pattern
>> WARNING: legacy mode fast pattern searching enabled
>> --------------------------------------------------
>> pcap DAQ configured to passive.
>> --------------------------------------------------
>> memory (heap)
>>     main thread usage: 26400128
>>     allocations: 138043
>>     deallocations: 77420
>>     thread cap: 0
>>     preemptive threshold: 0
>>
>> Snort successfully validated the configuration (with 2 warnings).
>> o")~   Snort exiting
>>
>>
>>
>>
>>
>> On Mon, Nov 20, 2017 at 5:24 PM, Russ <rucombs at cisco.com> wrote:
>>
>>     Hey Noah, responses inline.
>>
>>     Thanks
>>     Russ
>>
>>     On 11/19/17 3:36 AM, Noah Dietrich wrote:
>>>     Hello,
>>>
>>>     While working with Snort3 (build 240), I have found some issues,
>>>     and have a few questions and requests. I am happy to submit
>>>     these through Github if you'd like.
>>     This is fine.  Whatever works for you.
>>>
>>>     1.  What is the difference between *ips.include* and
>>>     *ips.rules*?  From the manual and examples, it looks like
>>>     ips.include is for legacy rules (although snort3 community rules
>>>     load fine), while ips.rules is for local rules in the same
>>>     file.  Can you clarify?
>>     ips.include = filename of Snort 3.0 rules you want to load.  Like
>>     Snort 2.X, you can put include statements in that file to include
>>     other files.  Snort 3.0 will not load Snort 2.X rules (but you
>>     can use snort2lua to convert them).
>>
>>     ips.rules = string variable containing rules directly in the Lua
>>     file.  This is good for simple rules or test configurations or
>>     enabling specific builtins like this:
>>
>>     local_rules =
>>     [[
>>     block ( gid:119; sid:16; )
>>     block ( gid:119; sid:32; )
>>     ]]
>>
>>     ips = { rules = local_rules }
>>
>>>     2.  For best practices, are you expecting people to set
>>>     *$RULE_HOME* in *snort_defaults.lua*, or should this be
>>>     overwritten in *snort.lua*? Should this be moved to snort.lua,
>>>     since the word 'defaults' seems to indicate something the user
>>>     shouldn't change.
>>     I am not familiar with RULE_HOME, but obviously those files are
>>     just starting points and should be modified to meet your needs. 
>>     That said, my suggestion would be to just edit snort.lua and
>>     copy/paste/tweak stuff from snort_defaults.lua into snort.lua or
>>     elsewhere.  That way you can more easily absorb any changes to
>>     snort_defaults.lua.
>>>     3.  If $RULE_HOME is set, when referencing rule files, you are
>>>     now required to have all rules under that folder (with no
>>>     explicit paths to other locations). This seems like a bug.  It
>>>     would be nice if relative files would use the $RULES_HOME
>>>     directory, while full paths to rule files would not use $RULE_HOME.
>>     Are you referring to RULE_PATH?  Regardless, there is no
>>     restriction on where your rules are located or on including one
>>     file from another.  Snort++ intentionally doesn't start guessing
>>     about the location of stuff so I wouldn't call that a bug. 
>>     Sounds like adding a command line option that says look for all
>>     rules files starting with a given path will do what you want.
>>>     4.  When using *ips.include* with a file that lists all rule
>>>     files (example below), the file paths don't seem to be relative
>>>     to $RULE_HOME, but are relative to the snort.lua file, which
>>>     seems odd.
>>     By default, everything should be relative to your current working
>>     directory, which seems normal.  :) How is this different from #3?
>>>     5.  It would be nice to be able to specify multiple rule files
>>>     in your snort.lua, rather than listing them all in ips.include
>>>     (or whatever). The current method of including a list of rule
>>>     files in a text file referenced from *ips.include* seems like a
>>>     kludge and adds an extra layer of work and increases the chance
>>>     of an issue when configuring your rules.  A comma-separated list
>>>     of files (relative to $RULE_HOME or full paths) would be helpful.
>>     Would this work for you (assuming the new command line option
>>     mentioned in #3)?
>>
>>     local_rules =
>>     [[
>>     include one.rules
>>     include two.rules
>>     # ...
>>     ]]
>>
>>     ips = { rules = local_rules }
>>>     6.  Not sure if this is an issue or not, but if you specify the
>>>     GID keyword in a rule loaded with *ips.include*, snort3 will
>>>     segfault.
>>     Oops.  Any segfault is an issue but I'm unable to reproduce
>>     that.  Can you isolate it and send the rule?
>>>
>>>     Thank you,
>>>     Noah
>>>
>>>
>>>     Here is how my system is configured for the above questions
>>>     (relevant sections only):
>>>
>>>     /etc/snort/snort_defaults.lua:
>>>     RULE_PATH = '/etc/snort/rules'
>>>
>>>     /etc/snort/snort.lua:
>>>     ips =
>>>     {
>>>         enable_builtin_rules = true,
>>>         include = RULE_PATH .. '/ips.include',
>>>     }
>>>
>>>     /etc/snort/rules/ips.include:
>>>     include rules/snort3-community.rules
>>>     include rules/local.rules
>>>
>>>     ls -l /etc/snort/rules
>>>     -rw-r--r-- 1 root root      64 Nov 19 09:33 ips.include
>>>     -rw-r--r-- 1 root root    1389 Nov 19 09:36 local.rules
>>>     -rw-r--r-- 1 root root  376241 Nov 18 13:42 sid-msg.map
>>>     -rw-r--r-- 1 root root 1504089 Nov 18 13:36 snort3-community.rules
>>>
>>>     noah at snort3:/etc/snort$ /bin/snort -V
>>>
>>>        ,,_     -*> Snort++ <*-
>>>       o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
>>>        ''''    By Martin Roesch & The Snort Team
>>>     http://snort.org/contact#team
>>>                Copyright (C) 2014-2017 Cisco and/or its affiliates.
>>>     All rights reserved.
>>>                Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>                Using DAQ version 2.2.2
>>>                Using LuaJIT version 2.0.4
>>>                Using OpenSSL 1.0.2g  1 Mar 2016
>>>                Using libpcap version 1.7.4
>>>                Using PCRE version 8.38 2015-11-23
>>>                Using ZLIB version 1.2.8
>>>                Using FlatBuffers 1.7.0
>>>                Using Hyperscan version 4.6.0 2017-11-18
>>>                Using LZMA version 5.1.0alpha
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>     Snort-devel mailing list
>>>     Snort-devel at lists.snort.org
>>>     https://lists.snort.org/mailman/listinfo/snort-devel
>>>
>>>     Please visit http://blog.snort.org for the latest news about Snort!
>>
>>

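The thread above establishes that Snort 3 (build 240) requires rule option keywords to be all lowercase and crashes otherwise. The following added Python linter is not part of the thread or of Snort; it is a pre-flight check that scans a rules file and reports any option keyword that is not lowercase, so a bad rule is caught before the sensor is restarted. The sample rules are constructed from the ones Noah posted.

```python
"""Pre-flight linter for Snort 3 rule files: flag option keywords that are
not all lowercase (e.g. GID:, Sid:, Msg:), which Snort 3 build 240 rejects
with a segfault instead of an error message."""


def split_options(body):
    """Split a rule option body on ';' while honouring double-quoted strings
    and backslash escapes, so a ';' inside msg:"..." is not a separator."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == '\\':
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def option_keyword(opt):
    """Return the keyword of one option: "msg" for msg:"...", "nocase" for nocase."""
    return opt.split(':', 1)[0].strip()


def lint_rules(text):
    """Return [(line_no, keyword)] for every option keyword that is not lowercase.
    Blank lines, '#' comments and include directives are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#') or s.startswith('include'):
            continue
        start, end = s.find('('), s.rfind(')')
        if start == -1 or end < start:
            continue  # header-only rule, no option body to check
        for opt in split_options(s[start + 1:end]):
            kw = option_keyword(opt)
            if kw != kw.lower():
                findings.append((no, kw))
    return findings


# Constructed sample mirroring the thread: rule on line 2 is fine, lines 3-5 are not.
SAMPLE_RULES = '''# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001; rev:001; gid:1; classtype:icmp-event;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001; rev:001; GID:1; classtype:icmp-event;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; Sid:10000001; rev:001; gid:1; classtype:icmp-event;)
alert icmp any any -> $HOME_NET any (Msg:"ICMP; test detected"; sid:10000001; rev:001; gid:1; classtype:icmp-event;)
'''

if __name__ == '__main__':
    for line_no, kw in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: option keyword '{kw}' is not lowercase")
```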