[Snort-devel] Four snort3 b250 issues

Noah Dietrich noah_dietrich at 86penny.org
Wed Dec 12 14:09:09 EST 2018


Running the latest snort3 build 250, I have encountered the following four
issues:
(Ubuntu 16 and 18, x64)

//----------------------------------------------------------------------------------------------------------------------
1.  Errors with odp_client_ZenVPN.lua and service_tftp.lua when
scanning PCAP files with OpenAppID enabled.

Command Run:
sudo snort -c /usr/local/etc/snort/snort.lua -r
~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -s 65535 -k none -q

Error Messages Seen at console (multiple errors of each type):
- lua detector odp_client_ZenVPN.lua: error validating
/usr/local/lib/odp/libs/DetectorCommon.lua:190: attempt to index global
'gDetector' (a nil value)
- lua detector odp_service_tftp.lua: error validating
/usr/local/lib/odp/lua/service_tftp.lua:151: attempt to call global
'checkPattern' (a nil value)

I have the following rules enabled: all rules from the snort3-community rules
(un-commented all rules), along with builtin rules.
snort.lua (relevant bits):
appid =
{
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. '/ips.include',
}

(note that ips.include contains references to the snort3-community.rules
with all rules enabled, as well as my local.rules file with 2 simple rules).

alert_json is enabled in snort.lua as well. Note that snort runs fine and
generates alerts to the correct alert_json.txt file; it just shows all
these errors as well.


//----------------------------------------------------------------------------------------------------------------------
2.  If no log directory is specified, but a file output plugin is enabled, no
logs are written.

This is a small bug: if you run snort with a file output enabled in your
snort.lua (csv or json, for example), but forget to add -l /var/log/snort to
the command line, then logs aren't written. Not a big error, but it would
probably be good for snort to detect and report this as an error, since
that's probably what people are trying to do.


//----------------------------------------------------------------------------------------------------------------------
3. File output naming process.

I reported this issue before, and I want to make sure it doesn't slip
through the cracks.  Snort currently writes alerts to a file, then renames
the file to include the unixtime when rolling over to a new file
(alert_json.txt becomes alert_json.txt.nnnnnnnnnn).

This causes problems with log-parsing tools (Splunk and ELK) because they
can not (should not) index the original filename (without the unixtime),
since they may only partially process it before snort renames it (leading
to missing events).  The solution is to tell these tools to watch for files
that have the unixtime portion of the filename (ignoring the original file
until it's renamed and static), but you have to wait for the file to
roll over and be renamed, which for a large file size could take some
time.  You can't tell these tools to watch for both the original file as
well as the renamed file, because you'll get duplicated events.

The solution is for snort to write all files with the unixtime component,
and not re-name the files. These tools can watch these files, and will
process new events without any issues.

I have written a Splunk plugin (TA) that ingests JSON data and makes it CIM
compliant, but I am waiting for the JSON filename issue to be resolved
before I release it, since that just complicates things.

//----------------------------------------------------------------------------------------------------------------------
4.  Warnings with OpenAppID

When enabling OpenAppID with --warn-all, there are a number of warnings
shown. For example:
sudo snort -c /usr/local/etc/snort/snort.lua --warn-all

A sample of the output (lots of 'appid: no entry' warnings):

WARNING: appid: no lua detectors found in directory
'/usr/local/lib/custom/lua/*'
WARNING: appid: no entry in appMapping.data for 4130
WARNING: appid: no entry in appMapping.data for 4115
WARNING: appid: no entry for 4543 in appMapping.data; no rule support for
this ID.
WARNING: appid: no entry in appMapping.data for 4543
WARNING: appid: no entry in appMapping.data for 434
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry for 4126 in appMapping.data; no rule support for
this ID.
WARNING: appid: no entry in appMapping.data for 4126
WARNING: appid: no entry for 2634 in appMapping.data; no rule support for
this ID.
WARNING: appid: no entry in appMapping.data for 2634
WARNING: appid: no entry for 4075 in appMapping.data; no rule support for
this ID.
WARNING: appid: no entry in appMapping.data for 4075
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 290 warnings).
o")~   Snort exiting


Except for the minor errors above, everything seems to be working really
well.

Thanks,
Noah
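The rollover behaviour described in issue 3 is a consumer-side problem as much as a snort one: a shipper that reopens alert_json.txt by name on every poll can miss the last events written before the rename, and one that globs alert_json.txt* re-reads the renamed file and duplicates them. The following is an added example, not code from this post, from Snort, or from the Splunk TA mentioned above. It follows the file by inode (holding the open descriptor across the rename and only switching when a new inode appears under the original name) and replays a constructed snort-style rollover in a temporary directory to show that every event is seen exactly once. The file names, the unixtime suffixes and the alert records are all constructed for the demonstration; the real alert_json output has more fields.

```python
import json
import os
import tempfile


class InodeTailer:
    """Follow a log file by inode rather than by name.

    Holding the descriptor open means the rename alert_json.txt ->
    alert_json.txt.<unixtime> does not cut us off from the tail of the old
    file, and never reopening the renamed file by name means it is not read
    twice.  Added example; not part of snort.
    """

    def __init__(self, path):
        self.path = path
        self.fh = None   # unbuffered handle on the inode currently being read
        self.ino = None  # inode number of that handle
        self.buf = b""   # trailing bytes not yet terminated by '\n'

    def _open_path(self):
        try:
            self.fh = open(self.path, "rb", buffering=0)
        except FileNotFoundError:
            return False
        self.ino = os.fstat(self.fh.fileno()).st_ino
        return True

    def _drain(self):
        """Return every complete JSON line currently readable on the handle."""
        while True:
            chunk = self.fh.read(65536)
            if not chunk:
                break
            self.buf += chunk
        lines = self.buf.split(b"\n")
        self.buf = lines.pop()  # keep a partially written record for next time
        return [json.loads(line) for line in lines if line.strip()]

    def poll(self):
        events = []
        if self.fh is None and not self._open_path():
            return events
        events.extend(self._drain())  # finish the inode we already hold
        try:
            cur_ino = os.stat(self.path).st_ino
        except FileNotFoundError:
            return events  # renamed, new file not created yet: keep old handle
        if cur_ino != self.ino:
            events.extend(self._drain())  # anything written just before the rename
            self.fh.close()
            self.buf = b""
            if self._open_path():
                events.extend(self._drain())
        return events


def simulate_rollover(logdir):
    """Constructed scenario: write, rename, recreate, as snort does on rollover."""
    path = os.path.join(logdir, "alert_json.txt")
    tailer = InodeTailer(path)
    seq = 0

    def emit(count):
        nonlocal seq
        with open(path, "ab") as f:
            for _ in range(count):
                rec = {"seconds": 1544641749 + seq, "seq": seq,
                       "msg": "constructed test alert"}
                f.write(json.dumps(rec).encode() + b"\n")
                seq += 1

    seen = []
    emit(3)
    seen += [e["seq"] for e in tailer.poll()]   # 0, 1, 2
    emit(2)                                      # written after the last poll
    os.rename(path, path + ".1544641749")        # rollover: old file renamed
    emit(3)                                      # fresh alert_json.txt
    seen += [e["seq"] for e in tailer.poll()]   # 3, 4 from old inode, then 5, 6, 7
    os.rename(path, path + ".1544641760")
    seen += [e["seq"] for e in tailer.poll()]   # nothing new, nothing repeated
    return seen


def run_demo():
    with tempfile.TemporaryDirectory() as logdir:
        return simulate_rollover(logdir)


if __name__ == "__main__":
    print(run_demo())
```

The same inode-tracking idea is what makes a shipper safe against the current naming scheme; if snort instead wrote each file with its unixtime suffix from the start, as the post proposes, the tool could simply watch the static names and none of this bookkeeping would be needed.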