Snort mailing list archives
Re: Config parsing issue with a poor config section
From: "Rahul Burman (rahburma)" <rahburma () cisco com>
Date: Mon, 25 May 2015 10:11:55 +0000
Hi Daniel,

As you have figured out, during the parsing of the configuration arguments of the reputation processor, the arguments of appID are getting parsed due to the line continuation character. Since the default value of the appId memcap is 268435456, you are seeing this error. Now, the config parsing code only cares about the input string (which consists of argument tokens), and if the string contains the config tokens of appID as well, it will attempt to parse it. This could be fixed in two places: 1) the code generating the config tokens in the first place, or 2) the code parsing the file and extracting the strings. The first option seems to be the better choice. Please submit a bug for it.

Regards,
Rahul

From: Cynthia Leonard (cyleonar)
Sent: Monday, May 25, 2015 11:38 AM
To: Rahul Burman (rahburma)
Subject: FW: [Snort-devel] Config parsing issue with a poor config section

From: Manish Dev (mandev)
Sent: Saturday, May 23, 2015 12:40 AM
To: Steve Sturges (ststurge); Charles Summers (chasumme)
Subject: RE: [Snort-devel] Config parsing issue with a poor config section
From India it is Cynthia. She will be responding to this.
From: Steve Sturges (ststurge)
Sent: Friday, May 22, 2015 10:12 AM
To: Charles Summers (chasumme); Manish Dev (mandev)
Subject: Fwd: [Snort-devel] Config parsing issue with a poor config section

Who has open source this week? I've seen a few emails that have gone by that probably warrant a response.

-------- Forwarded Message --------
Subject: [Snort-devel] Config parsing issue with a poor config section
Date: Thu, 21 May 2015 16:17:01 -0400
From: Daniel Einspanjer <deinspanjer () gmail com>
To: snort-devel () lists sourceforge net

I'm running Snort 2.9.7.2 installed on a pfSense 2.2.2 router by the pfSense package manager. I was having a problem where I was unable to start the Snort interface when I enabled the AppID preprocessor. I was getting the following error:

FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_51424_igb1/snort.conf(407) => Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

I kept looking at the memcap value for AppID but couldn't find anything wrong. While grepping the source, I eventually looked for the constant 4095 and discovered that it was only used in the reputation preprocessor. When I looked at the config for reputation, I found the problem. I had enabled the reputation preprocessor, but I had not specified any whitelist or blacklist files. Hence, the config that pfsense wrote out for me looked like this:

# IP Reputation preprocessor
#
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
white unblack, \
# Snort Output Logs
#
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

Note that the reputation section ends with a line continuation character.
When I tried to enable the AppID preprocessor, the config looked like this:

# IP Reputation preprocessor
#
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
white unblack, \
# AppID preprocessor
#
preprocessor appid: \
app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \
memcap 268435456, \
app_stats_filename app-stats.log, \
app_stats_period 300, \
app_stats_rollover_size 1024000, \
app_stats_rollover_time 86400
# Snort Output Logs
#
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

So, for some reason, this config caused the validation of the reputation preprocessor's memcap setting to fail. I am going to report the bug to pfSense as well since they need to avoid writing out the config file in this way, but I was hoping someone here might be able to take a look at the config parsing code and see if there is a fix to make it better able to handle or avoid the situation as well.

Thank you for your time.
-Daniel

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
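As an added illustration (not code from the thread or from Snort), the script below emulates a naive continuation-joining reader to show how the trailing backslash folds the AppID tokens into the reputation argument string, and lints a conf for the dangling-continuation shape so a generator such as the pfSense package can catch it before Snort does. The joining rule and the directive list are assumptions for the demonstration, and the config fragment is constructed to mirror the one Daniel posted.

```python
import re

# Constructed fragment mirroring the shape Daniel posted: trailing "\" after
# "white unblack," with the AppID block following it.
CONSTRUCTED_CONF = """\
# IP Reputation preprocessor
#
preprocessor reputation: \\
memcap 500, \\
priority whitelist, \\
nested_ip inner, \\
white unblack, \\
# AppID preprocessor
preprocessor appid: \\
app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \\
memcap 268435456
# Snort Output Logs
#
output alert_csv: alert timestamp,sig_generator,msg
"""
DIRECTIVE = re.compile(r"^\s*(preprocessor|output|config|include|var|ipvar|portvar)\b")

def join_continuations(text):
    """Emulate a naive reader (assumed behaviour, not Snort's actual code): drop
    comment lines and glue the next line onto any line ending in a backslash.
    Returns [(first_line_number, logical_line), ...]."""
    logical, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue                      # comments vanish, even mid-continuation
        start = start or lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        logical.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:
        logical.append((start, " ".join(buf)))
    return logical

def find_dangling_continuations(text):
    """1-based line numbers of a trailing backslash whose next physical line is
    blank, a comment or a new directive: it would swallow that section."""
    lines = text.splitlines() + [""]
    return [i + 1 for i, raw in enumerate(lines[:-1])
            if raw.rstrip().endswith("\\")
            and (not lines[i + 1].strip() or lines[i + 1].lstrip().startswith("#")
                 or DIRECTIVE.match(lines[i + 1]))]
```

Running the linter on the constructed fragment flags line 7 (`white unblack, \`), and the joined output shows `memcap 268435456` landing inside the reputation line, which is exactly the value the 1..4095 bounds check rejects.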