[Snort-devel] Four snort3 b250 issues

Masud Hasan (mashasan) mashasan at cisco.com
Fri Dec 14 16:23:41 EST 2018


Hi Noah,

Thanks for reporting those issues. We have a fix for issue 1 and hopefully will release a new ODP in January. We also plan to look at the other issues you noted.

Thanks,
Masud

On Dec 12, 2018, at 2:09 PM, Noah Dietrich <noah_dietrich at 86penny.org> wrote:


Running the latest snort3 build 250, I have encountered the following four issues:
(Ubuntu 16 and 18, x64)

//----------------------------------------------------------------------------------------------------------------------
1.  Errors with odp_client_ZenVPN.lua and service_tftp.lua when scanning PCAP files with OpenAppID enabled.

Command Run:
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -s 65535 -k none -q

Error Messages Seen at console (multiple errors of each type):
- lua detector odp_client_ZenVPN.lua: error validating /usr/local/lib/odp/libs/DetectorCommon.lua:190: attempt to index global 'gDetector' (a nil value)
- lua detector odp_service_tftp.lua: error validating /usr/local/lib/odp/lua/service_tftp.lua:151: attempt to call global 'checkPattern' (a nil value)

I have the following rules enabled: all rules from the snort3-community rules (uncommented all rules), along with builtin rules.
snort.lua (relevant bits):
appid =
{
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. '/ips.include',
}

(note that ips.include contains references to the snort3-community.rules with all rules enabled, as well as my local.rules file with 2 simple rules).

alert_json is enabled in snort.lua as well. Note that snort runs fine and generates alerts to the correct alert_json.txt file; it just shows all these errors as well.


//----------------------------------------------------------------------------------------------------------------------
2.  If no log directory is specified, but a file output plugin is enabled, no logs are written.

This is a small bug: if you run snort with a file output enabled in your snort.lua (csv or json, for example), but forget to add -l /var/log/snort to the command line, then logs aren't written. Not a big error, but it would probably be good for snort to detect and report this as an error, since that's probably what people are trying to do.


//----------------------------------------------------------------------------------------------------------------------
3. File output naming process.

I reported this issue before, and I want to make sure it doesn't slip through the cracks. Snort currently writes alerts to a file, then renames the file to include the unixtime when rolling over to a new file (alert_json.txt becomes alert_json.txt.nnnnnnnnnn).

This causes problems with log-parsing tools (Splunk and ELK) because they cannot (should not) index the original filename (without the unixtime), since they may only partially process it before snort renames it (leading to missing events). The solution is to tell these tools to watch for files that have the unixtime portion of the filename (ignoring the original file until it's renamed and static), but you have to wait for the file to roll over and be renamed, which for a large file size could take some time. You can't tell these tools to watch for both the original file as well as the renamed file, because you'll get duplicated events.

The solution is for snort to write all files with the unixtime component, and not rename the files. These tools can watch these files, and will process new events without any issues.

I have written a Splunk plugin (TA) that ingests json data and makes it CIM compliant, but I am waiting for the JSON filename issue to be resolved before I release it, since that just complicates things.

//----------------------------------------------------------------------------------------------------------------------
4.  Warnings with OpenAppID

When enabling OpenAppID with --warn-all, there are a number of warnings shown. For example:
sudo snort -c /usr/local/etc/snort/snort.lua --warn-all

a sample of the output (lots of 'appid: no entry' errors):

WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
WARNING: appid: no entry in appMapping.data for 4130
WARNING: appid: no entry in appMapping.data for 4115
WARNING: appid: no entry for 4543 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4543
WARNING: appid: no entry in appMapping.data for 434
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry for 4126 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4126
WARNING: appid: no entry for 2634 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2634
WARNING: appid: no entry for 4075 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4075
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 290 warnings).
o")~   Snort exiting


Except for the minor errors above, everything seems to be working really well.

Thanks,
Noah
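One way a log collector can cope with the rename-on-rollover behaviour described in issue 3 while it remains unresolved, as an added example that is not part of this thread or of snort's code: key read offsets on the file's inode rather than its name, so the rename from alert_json.txt to alert_json.txt.<unixtime> neither re-reads consumed events nor drops events appended just before the rename. InodeTailer, demo and emit are hypothetical names; the event fields and the unixtime suffix are constructed.

```python
import glob
import json
import os
import tempfile

# Hypothetical tailer keyed on (st_dev, st_ino) instead of file name, so a snort-style
# rename of alert_json.txt to alert_json.txt.<unixtime> neither re-reads nor drops events.
class InodeTailer:
    def __init__(self, pattern):
        self.pattern = pattern  # glob matching both live and rolled-over names
        self.offsets = {}       # (st_dev, st_ino) -> bytes already consumed
        self.events = []
    def poll(self):
        new = 0
        for path in sorted(glob.glob(self.pattern)):
            try:
                st = os.stat(path)
            except FileNotFoundError:  # renamed between glob and stat; retry next poll
                continue
            key = (st.st_dev, st.st_ino)  # caveat: inodes can be reused after unlink
            pos = self.offsets.get(key, 0)
            if st.st_size <= pos:
                continue
            with open(path, "rb") as fh:
                fh.seek(pos)
                data = fh.read()
            end = data.rfind(b"\n") + 1   # consume complete lines only
            for line in data[:end].splitlines():
                self.events.append(json.loads(line))
                new += 1
            self.offsets[key] = pos + end
        return new

# Constructed stand-in for snort's rollover: append to alert_json.txt, rename it with a
# unixtime suffix, then start a fresh alert_json.txt (which gets a new inode).
def demo():
    with tempfile.TemporaryDirectory() as d:
        active = os.path.join(d, "alert_json.txt")
        tailer = InodeTailer(os.path.join(d, "alert_json.txt*"))
        def emit(ids):
            with open(active, "a") as fh:
                for i in ids:
                    fh.write(json.dumps({"seconds": 1544640000 + i, "sid": i}) + "\n")
        emit(range(3))
        first = tailer.poll()                      # 3 events from the live file
        emit(range(3, 5))
        os.rename(active, active + ".1544640000")  # rollover rename keeps the inode
        second = tailer.poll()                     # 2 new events, none re-read
        emit(range(5, 6))                          # fresh live file, new inode
        third = tailer.poll()
        return first, second, third, [e["sid"] for e in tailer.events]
```

A collector that tracks offsets by name instead would either restart the renamed file from byte 0 (duplicates) or stop following the live name once it vanishes (gaps), which is exactly the trade-off the report describes.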
