Snort mailing list archives
Four snort3 b250 issues
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Wed, 12 Dec 2018 14:09:09 -0500
Running the latest snort3 build 250, I have encountered the following four issues (Ubuntu 16 and 18, x64):

//----------------------------------------------------------------------------------------------------------------------

1. Errors with odp_client_ZenVPN.lua and service_tftp.lua when scanning PCAP files with OpenAppID enabled.

Command run:

    sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -s 65535 -k none -q

Error messages seen at console (multiple errors of each type):

- lua detector odp_client_ZenVPN.lua: error validating /usr/local/lib/odp/libs/DetectorCommon.lua:190: attempt to index global 'gDetector' (a nil value)
- lua detector odp_service_tftp.lua: error validating /usr/local/lib/odp/lua/service_tftp.lua:151: attempt to call global 'checkPattern' (a nil value)

I have the following rules enabled: all rules from snort3-community rules (un-commented all rules), along with builtin rules.

snort.lua (relevant bits):

    appid =
    {
        app_detector_dir = '/usr/local/lib',
        log_stats = true,
    }

    ips =
    {
        enable_builtin_rules = true,
        include = RULE_PATH .. '/ips.include',
    }

(Note that ips.include contains references to the snort3-community.rules with all rules enabled, as well as my local.rules file with 2 simple rules.) alert_json is enabled in snort.lua as well.

Note that snort runs fine and generates alerts to the correct alert_json.txt file; it just shows all these errors as well.

//----------------------------------------------------------------------------------------------------------------------

2. If no log directory is specified, but a file output plugin is enabled, no logs are written.

This is a small bug: if you run snort with a file output enabled in your snort.lua (csv or json for example), but forget to add -l /var/log/snort to the command line, then logs aren't written.
Not a big error, but it would probably be good for snort to detect and report this as an error, since that's probably what people are trying to do.

//----------------------------------------------------------------------------------------------------------------------

3. File output naming process.

I reported this issue before, and I want to make sure it doesn't slip through the cracks. Snort currently writes alerts to a file, then renames the file to include the unixtime when rolling over to a new file (alert_json.txt becomes alert_json.txt.nnnnnnnnnn). This causes problems with log-parsing tools (Splunk and ELK) because they cannot (should not) index the original filename (without the unixtime), since they may only partially process it before snort renames it (leading to missing events). The solution is to tell these tools to watch for files that have the unixtime portion of the filename (ignoring the original file until it's renamed and static), but you have to wait for the file to roll over and be renamed, which for a large file size could take some time. You can't tell these tools to watch for both the original file as well as the renamed file, because you'll get duplicated events. The solution is for snort to write all files with the unixtime component, and not rename the files. These tools can watch these files, and will process new events without any issues.

I have written a Splunk plugin (TA) that ingests json data and makes it CIM compliant, but I am waiting for the JSON filename issue to be resolved before I release it, since that just complicates things.

//----------------------------------------------------------------------------------------------------------------------

4. Warnings with OpenAppID.

When enabling OpenAppID with --warn-all, there are a number of warnings shown. For example:

    sudo snort -c /usr/local/etc/snort/snort.lua --warn-all

A sample of the output (lots of 'appid: no entry' errors):

    WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
    WARNING: appid: no entry in appMapping.data for 4130
    WARNING: appid: no entry in appMapping.data for 4115
    WARNING: appid: no entry for 4543 in appMapping.data; no rule support for this ID.
    WARNING: appid: no entry in appMapping.data for 4543
    WARNING: appid: no entry in appMapping.data for 434
    WARNING: appid: no entry in appMapping.data for 437
    WARNING: appid: no entry in appMapping.data for 437
    WARNING: appid: no entry in appMapping.data for 3396
    WARNING: appid: no entry in appMapping.data for 3396
    WARNING: appid: no entry in appMapping.data for 513
    WARNING: appid: no entry in appMapping.data for 513
    WARNING: appid: no entry in appMapping.data for 2313
    WARNING: appid: no entry in appMapping.data for 2313
    WARNING: appid: no entry in appMapping.data for 90
    WARNING: appid: no entry in appMapping.data for 90
    WARNING: appid: no entry for 4126 in appMapping.data; no rule support for this ID.
    WARNING: appid: no entry in appMapping.data for 4126
    WARNING: appid: no entry for 2634 in appMapping.data; no rule support for this ID.
    WARNING: appid: no entry in appMapping.data for 2634
    WARNING: appid: no entry for 4075 in appMapping.data; no rule support for this ID.
    WARNING: appid: no entry in appMapping.data for 4075
    --------------------------------------------------
    pcap DAQ configured to passive.

    Snort successfully validated the configuration (with 290 warnings).
    o")~   Snort exiting

Except for the minor errors above, everything seems to be working really well.

Thanks,
Noah
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
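The rollover problem described in item 3 of the message above, as an added example that is not part of Noah's post or of Snort's own code: a small Python simulation of a deliberately simplified log shipper (one byte offset per watched path, restart at offset 0 when a watched file gets shorter) following alert_json output through the rename-based rollover the report describes, versus output written directly under its final timestamped name. The temporary directory, the "seq" event contents and the 1544640000 / 1544643600 unixtime suffixes are constructed for the demonstration; real shippers such as the Splunk forwarder or Filebeat track files more cleverly than this model, but the three outcomes it produces (lost events when watching the fixed name, duplicated events when watching both names, exact delivery when files are never renamed) are the ones the report argues from.

```python
"""Simulated alert_json rollover against a simplified log shipper (added example)."""
import glob
import json
import os
import tempfile


def append_events(path, events):
    """Append one JSON object per line, the way alert_json writes alerts."""
    with open(path, "a", encoding="utf-8") as fh:
        for event in events:
            fh.write(json.dumps(event) + "\n")


class Tailer:
    """Simplified shipper model (an assumption of this example, not a real
    product): watch the paths matching a glob, keep a byte offset per path, and
    treat a file that is now shorter than the stored offset as a brand-new file.
    Writers here always finish a line before poll() runs, so no partial-line
    handling is needed."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.offsets = {}   # path -> bytes already shipped from that path
        self.seen = []      # "seq" of every alert shipped, in order, duplicates included

    def poll(self):
        for path in sorted(glob.glob(self.pattern)):
            offset = self.offsets.get(path, 0)
            if os.path.getsize(path) < offset:
                offset = 0  # file replaced under the same name: start over
            with open(path, "rb") as fh:
                fh.seek(offset)
                data = fh.read()
            self.offsets[path] = offset + len(data)
            for line in data.decode("utf-8").splitlines():
                self.seen.append(json.loads(line)["seq"])
        return list(self.seen)


def run_rename_rotation(pattern):
    """Rollover as reported for b250: alerts go to alert_json.txt, which is
    renamed to alert_json.txt.<unixtime> at rollover, and a fresh alert_json.txt
    then receives new alerts. `pattern` is what the shipper is told to watch."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "alert_json.txt")
        shipper = Tailer(os.path.join(workdir, pattern))
        append_events(live, [{"seq": n} for n in (1, 2, 3)])
        shipper.poll()                                      # 1-3 shipped
        append_events(live, [{"seq": n} for n in (4, 5)])   # written, not yet shipped
        os.rename(live, live + ".1544640000")               # rollover renames the file (constructed suffix)
        append_events(live, [{"seq": 6}])                   # new live file starts
        return shipper.poll()


def run_timestamped_rotation():
    """Behaviour the report asks for: every file is created under its final
    alert_json.txt.<unixtime> name and never renamed; rollover just opens the
    next timestamped file (constructed suffixes)."""
    with tempfile.TemporaryDirectory() as workdir:
        first = os.path.join(workdir, "alert_json.txt.1544640000")
        second = os.path.join(workdir, "alert_json.txt.1544643600")
        shipper = Tailer(os.path.join(workdir, "alert_json.txt.*"))
        append_events(first, [{"seq": n} for n in (1, 2, 3)])
        shipper.poll()                                      # 1-3 shipped
        append_events(first, [{"seq": n} for n in (4, 5)])  # still appended to the same path
        append_events(second, [{"seq": 6}])                 # rollover: old file untouched
        return shipper.poll()


if __name__ == "__main__":
    print("watch alert_json.txt,   rename rollover: ", run_rename_rotation("alert_json.txt"))
    print("watch alert_json.txt*,  rename rollover: ", run_rename_rotation("alert_json.txt*"))
    print("watch alert_json.txt.*, timestamped:     ", run_timestamped_rotation())
```

Watching only the fixed name loses alerts 4 and 5, which were appended after the last poll and renamed away before the next one; widening the watch to alert_json.txt* recovers them but re-ships 1 to 3 from the renamed file; with files that are only ever appended to under one stable name, per-path offsets give every alert exactly once.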
Current thread:
- Four snort3 b250 issues Noah Dietrich (Dec 12)
- Re: Four snort3 b250 issues Masud Hasan (mashasan) via Snort-devel (Dec 14)