Snort mailing list archives
Re: Snort Failing While Reading Rules File
From: "Patrick Mullen (pamullen) via Snort-users" <snort-users () lists snort org>
Date: Thu, 3 Oct 2019 16:18:25 +0000
Rules with "ET" in the name are from Emerging Threats, not us. They continue to use threshold instead of detection_filter despite it being deprecated for years. But that doesn't explain the weird condition you're experiencing. Can you paste the contents of sid 2018361 in an email and send it to me, please?

Thanks,

Patrick

________________________________
From: Jim Campbell <jim () w4bqp net>
Sent: Thursday, October 3, 2019 12:02:47 PM
To: Patrick Mullen (pamullen) <pamullen () cisco com>
Cc: Snort-users <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort Failing While Reading Rules File

Patrick,

I'll attempt to answer your questions as best I can. First, the ruleset I'm using:

===================
Checking latest MD5 for snortrules-snapshot-29141.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
They Match
Done!
IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
Reading IP List...
Checking latest MD5 for opensource.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from opensource.gz for work....
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-29141.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Reading rules...
======================

Since the locations in the rules file move around, I'll tell you which sid was at line 2478 in my rules file from yesterday.

sid:2018361

Next, from a saved copy of snort.rules from yesterday when this was occurring, looking for "threshold":

reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Rather than giving you the entire rule, I'll give you the sids for the remaining.

2015993
2404000
...

Gave up looking at 240419. It seemed that every rule in that range used "threshold".

===============

Fast forward to today. I enabled sids 120:7 and 129:5 in my disablesid file. I re-ran pulledpork to make use of those sids. I restarted snort and it ran with no errors. The snort.conf file still has numerous occurrences of the token "threshold". Something changed for good.

Thanks for your attention.

Jim

On 10/2/2019 11:54 PM, Patrick Mullen (pamullen) wrote:

Jim,

What external ruleset(s) are you running? We shouldn't be publishing any rules using threshold for a very long time.

What is the content of the rule on line 2478, the one throwing the error "/etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject"?

Unfortunately, I'm going on vacation until Monday, but what I can tell you is that recently we enabled a bunch of preprocessor alerts in the max detect policy, which is probably why you are seeing new alerts there. I don't know what the two alerts you apparently narrowed your problems down to (120:7 and 129:5) are, but I suspect it's a bit of a red herring given those other errors and warnings you mentioned, which is why I'm trying to get a better idea of your environment.

Thanks,

Patrick

From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: October 2, 2019 at 20:41:10 EDT
To: Snort-users <snort-users () lists snort org>
Subject: [Snort-users] Snort Failing While Reading Rules File
Reply-To: Jim Campbell <jim () w4bqp net>

I'm running Snort inline as an IPS system. I upgraded Snort to 2.9.14.1 just over a week ago. Once it was running, with the same disablesid.conf I was using before the update, I began receiving a lot of alerts that I hadn't been receiving before. The sids were 120:5, 120:7, 120:8, 129:5, 129:18, 129:20 and 142:2. I gradually began adding the sids giving the most alerts to the disablesid.conf file. Each time I update the disablesid.conf file I run pulledpork and restart snort.

This morning I added 120:7 and 129:5 to the disablesid.conf file. Snort was running just fine until I updated my rules file. After the update I restarted Snort as I usually do. While reading the rules file snort failed. Here are the messages I received:

WARNING: /etc/snort/rules/snort.rules(756) threshold (in rule) is depreciated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject.

I realize the first message isn't an error, I just included it for context.

I commented out this rule and restarted Snort. I received an error on a different pair of rules. Commented out that pair of rules, same results. I downloaded the rules again, same results.

After some experimenting I learned that if I remove sids 120:7 and 129:5 from the disablesid.conf file, re-run pulledpork and restart snort it no longer fails.

Jim Campbell

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
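The deprecation Patrick mentions is the one thing in this thread a rule maintainer can act on directly, so here is an added example of migrating it. This is not code from the thread, from Snort, or from Emerging Threats. It uses the ET rule quoted above (sid 2011668) as its first sample line and a second, constructed rule whose msg string happens to contain the word "threshold", to show that a quote-aware option splitter is needed (a plain grep for the keyword, as Jim did, also hits strings). The caveat a practitioner wants: the warning text says "use detection_filter instead", but detection_filter is not a drop-in replacement for threshold:type limit. A detection_filter makes the rule fire only once a source or destination exceeds a rate, whereas the old in-rule threshold of type limit let the first event through and then suppressed repeats for the interval. The same limit/threshold/both semantics, with the same track/count/seconds parameters, live on in event_filter (threshold.conf or snort.conf), so the script strips the option from the rule and emits the equivalent event_filter line keyed by gid:sid. Two assumptions are made explicit in the code: gid defaults to 1 when the rule carries no gid option, and the output is meant to be appended to threshold.conf only after checking that no event_filter already exists for that gen_id/sig_id, since Snort refuses to start when a pair has more than one.

```python
"""Rewrite deprecated in-rule 'threshold:' options as Snort 2.9 event_filter
lines. Added example for the thread above; not Snort's or ET's own tooling."""

# Constructed sample input. Line 1 is the ET rule quoted in the thread
# (sid 2011668); line 2 is made up and only exists to exercise the
# quote-aware splitter ("threshold:" appears inside strings, not as a key).
SAMPLE_RULES = """\
reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE threshold: keyword inside a string"; content:"threshold:"; sid:1000001; rev:1;)
"""

VALID_TYPES = {"limit", "threshold", "both"}
VALID_TRACK = {"by_src", "by_dst"}


def split_options(body):
    """Split a rule body on ';' that sit outside double quotes, honouring
    backslash escapes inside quotes (\\" and \\; are legal in content)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule body")
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_threshold(value):
    """Parse 'type limit, track by_src, count 1, seconds 300' into a dict,
    checking the same fields Snort's own rule parser requires."""
    fields = {}
    for item in value.split(","):
        key, _, val = item.strip().partition(" ")
        fields[key.strip()] = val.strip()
    missing = {"type", "track", "count", "seconds"} - fields.keys()
    if missing:
        raise ValueError(f"threshold missing {sorted(missing)}: {value!r}")
    if fields["type"] not in VALID_TYPES or fields["track"] not in VALID_TRACK:
        raise ValueError(f"bad threshold type/track: {value!r}")
    if int(fields["count"]) < 1 or int(fields["seconds"]) < 1:
        raise ValueError(f"count and seconds must be positive: {value!r}")
    return fields


def migrate_rule(line):
    """Return (rule, event_filter). Rules without a threshold option come
    back unchanged with event_filter None; comments and blanks likewise."""
    rule = line.strip()
    if not rule or rule.startswith("#"):
        return rule, None
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError(f"not a rule: {rule[:60]!r}")
    header, body = rule[:start], rule[start + 1:end]
    kept, thresh, sid, gid = [], None, None, "1"  # assumption: gid 1 if absent
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "threshold":
            if thresh is not None:
                raise ValueError(f"more than one threshold in: {rule[:60]!r}")
            thresh = parse_threshold(value)
            continue  # dropped from the rewritten rule
        kept.append(opt)
        if key == "sid":
            sid = value.strip()
        elif key == "gid":
            gid = value.strip()
    if thresh is None:
        return rule, None
    if sid is None:
        raise ValueError(f"threshold rule without sid: {rule[:60]!r}")
    new_rule = header + "(" + " ".join(o + ";" for o in kept) + ")"
    event_filter = ("event_filter gen_id {gid}, sig_id {sid}, type {type}, "
                    "track {track}, count {count}, seconds {seconds}"
                    .format(gid=gid, sid=sid, **thresh))
    return new_rule, event_filter


def migrate_rules(text):
    """Apply migrate_rule to every line of a rules file; returns
    (rewritten rules, event_filter lines to add to threshold.conf)."""
    rules, filters = [], []
    for line in text.splitlines():
        rule, ef = migrate_rule(line)
        rules.append(rule)
        if ef:
            filters.append(ef)
    return rules, filters


if __name__ == "__main__":
    rules, filters = migrate_rules(SAMPLE_RULES)
    print("\n".join(rules))
    print("# append to threshold.conf after checking for existing entries:")
    print("\n".join(filters))
```

Run it against a saved snort.rules and diff the output before swapping files; if pulledpork regenerates snort.rules, the rewrite has to be repeated (or applied via its modifysid mechanism) on every update, which is a reason to keep the event_filter lines in threshold.conf rather than editing rules in place.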
Current thread:
- Snort Failing While Reading Rules File Jim Campbell via Snort-users (Oct 02)
- Re: Snort Failing While Reading Rules File Patrick Mullen (pamullen) via Snort-users (Oct 02)
- Re: Snort Failing While Reading Rules File Jim Campbell via Snort-users (Oct 03)
- Re: Snort Failing While Reading Rules File Patrick Mullen (pamullen) via Snort-users (Oct 03)
- Re: Snort Failing While Reading Rules File Patrick Mullen (pamullen) via Snort-users (Oct 02)