Re: Modifying Rules Works One Direction, but Not T'Other

[Doug Burks <doug.burks () gmail com>]

What specific anomalies are you referring to?  I see some
classification.config warnings and a Barnyard error (which is normal
since Barnyard is only updating a database table and not processing
any actual unified2 data).  I'm not seeing any critical problems
there.

I'm pretty sure we've gone beyond the scope of this Snort mailing list
and should move this conversation to the Security Onion mailing list.
As I mentioned previously, you don't have to have a Google account:

You should also be able to use our Google Group as a standard mailing
list just like this Snort mailing list.  Send email to
security-onion () googlegroups com from your existing non-Google email
account you're using here.  You'll receive replies at the same
non-Google email account.  At that point, it's really no different
than using this Snort mailing list.

On Sat, Nov 29, 2014 at 3:04 PM, colony.three
<colony.three () protonmail ch> wrote:
> As well, I'm seeing some anomolies when running rule-update.  I just took it
> as growing-pains, but maybe this is not normal.  I've had to reinstall
> SecurityOnion at least 7 times for various reasons, and it's always behaved
> in the ways I've described in this thread.
>
> # rule-update
> Backing up current local_rules.xml file.
> Cleaning up local_rules.xml backup files older than 30 days.
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Backing up current local.rules file before it gets overwritten.
> Cleaning up local.rules backup files older than 30 days.
> Running PulledPork.
>     http://code.google.com/p/pulledpork/
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
>   @_/        /  66\_  cummingsj () gmail com
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Checking latest MD5 for emerging.rules.tar.gz....
>     They Match
>     Done!
> Prepping rules from emerging.rules.tar.gz for work....
>     Done!
> Reading rules...
> Generating Stub Rules....
>     An error occurred: WARNING: classification.config(9) Duplicate
> classification "default-login-attempt"found, ignoring this line
>     An error occurred: WARNING: classification.config(20) Duplicate
> classification "non-standard-protocol"found, ignoring this line
>     An error occurred: WARNING: classification.config(27) Duplicate
> classification "shellcode-detect"found, ignoring this line
>     An error occurred: WARNING: classification.config(29) Duplicate
> classification "string-detect"found, ignoring this line
>     An error occurred: WARNING: classification.config(36) Duplicate
> classification "suspicious-filename-detect"found, ignoring this line
>     An error occurred: WARNING: classification.config(38) Duplicate
> classification "suspicious-login"found, ignoring this line
>     An error occurred: WARNING: classification.config(40) Duplicate
> classification "system-call-detect"found, ignoring this line
>     An error occurred: WARNING: classification.config(42) Duplicate
> classification "tcp-connection"found, ignoring this line
>     An error occurred: WARNING: classification.config(44) Duplicate
> classification "trojan-activity"found, ignoring this line
>     An error occurred: WARNING: classification.config(48) Duplicate
> classification "unusual-client-port-connection"found, ignoring this line
>     An error occurred: WARNING: classification.config(50) Duplicate
> classification "web-application-activity"found, ignoring this line
>     An error occurred: WARNING: No dynamic libraries found in directory
> /usr/local/lib/snort_dynamicrules.
>     Done
> Reading rules...
> Reading rules...
> Modifying Sids....
>     Done!
> Processing /etc/nsm/pulledpork/enablesid.conf....
>     Modified 0 rules
>     Done
> Processing /etc/nsm/pulledpork/dropsid.conf....
>     Modified 0 rules
>     Done
> Processing /etc/nsm/pulledpork/disablesid.conf....
>     Modified 17 rules
>     Done
> Setting Flowbit State....
>     Enabled 37 flowbits
>     Done
> Writing /etc/nsm/rules/downloaded.rules....
>     Done
> Generating sid-msg.map....
>     Done
> Writing v1 /etc/nsm/rules/sid-msg.map....
>     Done
> Writing /var/log/nsm/sid_changes.log....
>     Done
> Rule Stats...
>     New:-------0
>     Deleted:---0
>     Enabled Rules:----16740
>     Dropped Rules:----0
>     Disabled Rules:---3867
>     Total Rules:------20607
> No IP Blacklist Changes
> Done
> Please review /var/log/nsm/sid_changes.log for additional details
> Fly Piggy Fly!
>
> Updating Snorby's sig_reference table
>
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/nsm/barnyard2-snorby/barnyard2.conf"
> : Duplicate classification "default-login-attempt"found, ignoring this line
> : Duplicate classification "non-standard-protocol"found, ignoring this line
> : Duplicate classification "shellcode-detect"found, ignoring this line
> : Duplicate classification "string-detect"found, ignoring this line
> : Duplicate classification "suspicious-filename-detect"found, ignoring this
> line
> : Duplicate classification "suspicious-login"found, ignoring this line
> : Duplicate classification "system-call-detect"found, ignoring this line
> : Duplicate classification "tcp-connection"found, ignoring this line
> : Duplicate classification "trojan-activity"found, ignoring this line
> : Duplicate classification "unusual-client-port-connection"found, ignoring
> this line
> : Duplicate classification "web-application-activity"found, ignoring this
> line
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
> WARNING: Ignoring bad line in SID file: 'v1'
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /etc/nsm/barnyard2-snorby
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = 127.0.0.1
> database:           user = root
> database:  database name = snorby
> database:    sensor name = hydra:NULL
> database:      sensor id = 1
> database:     sensor cid = 9
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "alert" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 333) TCL
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
>
> ERROR: Unable to open directory '' (No such file or directory)
> ERROR: Unable to find the next spool file!
> ===============================================================================
> Record Totals:
>    Records:           0
>    Events:           0 (0.000%)
>    Packets:           0 (0.000%)
>    Unknown:           0 (0.000%)
>    Suppressed:           0 (0.000%)
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
>       ETH: 0          (0.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 0          (0.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 0          (0.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 0
> ===============================================================================
> Restarting Barnyard2.
> Restarting: hydra-eth0
>   * stopping: barnyard2-1 (spooler, unified2 format)
> [  OK  ]
>   * starting: barnyard2-1 (spooler, unified2 format)
> [  OK  ]
> Restarting IDS Engine.
> Restarting: hydra-eth0
>   * stopping: snort-1 (alert data)
> [  OK  ]
>   * starting: snort-1 (alert data)



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!