Snort mailing list archives

Config parsing issue with a poor config section


From: Daniel Einspanjer <deinspanjer () gmail com>
Date: Thu, 21 May 2015 16:17:01 -0400

I'm running Snort 2.9.7.2 installed on a pfSense 2.2.2 router by the
pfSense package manager.

I was having a problem where I was unable to start the Snort interface
when I enabled the AppID preprocessor.  I was getting the following error:

FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_51424_igb1/snort.conf(407) => Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

I kept looking at the memcap value for AppID but couldn't find anything
wrong.  While grepping the source, I eventually looked for the constant
4095 and discovered that it was only used in the reputation preprocessor.


When I looked at the config for reputation, I found the problem.  I had
enabled the reputation preprocessor, but I had not specified any whitelist
or blacklist files.  Hence, the config that pfsense wrote out for me
looked like this:

# IP Reputation preprocessor #
preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        white unblack, \


# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

Note that the reputation section ends with a line continuation character.

When I tried to enable the AppID preprocessor, the config looked like this:

# IP Reputation preprocessor #
preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        white unblack, \


# AppID preprocessor #
preprocessor appid: \
        app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \
        memcap 268435456, \
        app_stats_filename app-stats.log, \
        app_stats_period 300, \
        app_stats_rollover_size 1024000, \
        app_stats_rollover_time 86400


# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

So, for some reason, this config caused the validation of the reputation
preprocessor's memcap setting to fail.

I am going to report the bug to pfSense as well since they need to avoid
writing out the config file in this way, but I was hoping someone here
might be able to take a look at the config parsing code and see if there
is a fix to make it better able to handle or avoid the situation as well.

Thank you for your time.

-Daniel
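The following is an added example, not part of Daniel's post and not code from Snort or pfSense. It simulates backslash line continuation over a config shaped like the one above and shows why a trailing `\` on the last option of the reputation stanza can cause a memcap error that mentions the reputation preprocessor's 1..4095 bounds: if blank and comment lines are skipped while a continuation is open (an assumption consistent with the symptom, not verified against Snort's parser.c), the AppID stanza is absorbed into the reputation logical line and its `memcap 268435456` is seen by the reputation option parser. The `dangling_continuations` function is the kind of check a config generator such as the pfSense package could run before writing the file. The sample config, the directive keyword list and the function names are all constructed for this example.

```python
"""Simulate Snort-style backslash line continuation over a config shaped
like the one in the post, and lint a generated snort.conf for a trailing
backslash that runs one stanza into the next."""
import re

# Constructed sample reproducing the shape of the config in the post.
CONF = """\
# IP Reputation preprocessor #
preprocessor reputation: \\
        memcap 500, \\
        priority whitelist, \\
        nested_ip inner, \\
        white unblack, \\


# AppID preprocessor #
preprocessor appid: \\
        app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \\
        memcap 268435456, \\
        app_stats_period 300

# Snort Output Logs #
output alert_csv: alert timestamp,msg,src,dst 500K
"""

# Bounds taken from the error message quoted in the post.
REPUTATION_MEMCAP_MIN, REPUTATION_MEMCAP_MAX = 1, 4095


def logical_lines(text):
    """Join backslash-continued physical lines into logical lines.

    Assumption (consistent with the symptom in the post, not verified
    against Snort's parser.c): blank lines and '#' comment lines are
    skipped even while a continuation is open, so a trailing backslash on
    the last option of a stanza runs straight into the next stanza.
    """
    out, buf = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1].rstrip() + " "
            continue
        out.append(((buf or "") + line).strip())
        buf = None
    if buf is not None:          # continuation dangling at end of file
        out.append(buf.strip())
    return out


def memcaps_for(logical, name):
    """All memcap values that end up on the 'preprocessor <name>:' logical
    line, in the order an option tokenizer would encounter them."""
    for line in logical:
        if line.startswith(f"preprocessor {name}:"):
            return [int(v) for v in re.findall(r"\bmemcap\s+(\d+)", line)]
    return []


def reputation_memcap_errors(logical):
    """Values a 1..4095 bounds check on the reputation stanza would reject."""
    return [v for v in memcaps_for(logical, "reputation")
            if not REPUTATION_MEMCAP_MIN <= v <= REPUTATION_MEMCAP_MAX]


# Top-level directives that must never be swallowed by a continuation.
DIRECTIVE = re.compile(r"(preprocessor|output|config|include|var|ipvar|portvar)\b")


def dangling_continuations(text):
    """1-based physical line numbers whose trailing backslash is followed
    only by blank or comment lines before a new top-level directive (or end
    of file). A config generator should run this before writing the file."""
    lines = text.splitlines()
    found = []
    for i, raw in enumerate(lines):
        if not raw.rstrip().endswith("\\"):
            continue
        j = i + 1
        while j < len(lines) and (not lines[j].strip()
                                  or lines[j].lstrip().startswith("#")):
            j += 1
        if j == len(lines) or DIRECTIVE.match(lines[j].lstrip()):
            found.append(i + 1)
    return found


if __name__ == "__main__":
    ll = logical_lines(CONF)
    print(len(ll), "logical lines; reputation memcaps:",
          memcaps_for(ll, "reputation"))
    print("out-of-bounds for reputation:", reputation_memcap_errors(ll))
    print("dangling continuation at physical line(s):",
          dangling_continuations(CONF))
```

With the sample as written, the reputation logical line carries both `memcap 500` and `memcap 268435456`, the second is outside 1..4095, and the linter points at the `white unblack, \` line; removing that trailing backslash yields three separate logical lines and no findings.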



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
