Snort mailing list archives

Re: Four snort3 b250 issues


From: "Masud Hasan (mashasan) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 14 Dec 2018 21:23:41 +0000

Hi Noah,

Thanks for reporting those issues. We have a fix for issue 1 and hopefully will release a new ODP in January. We also 
plan to look at the other issues you noted.

Thanks,
Masud

On Dec 12, 2018, at 2:09 PM, Noah Dietrich <noah_dietrich () 86penny org> wrote:


Running the latest snort3 build 250, I have encountered the following four issues:
(Ubuntu 16 and 18, x64)

//----------------------------------------------------------------------------------------------------------------------
1.  Errors with odp_client_ZenVPN.lua and service_tftp.lua when scanning PCAP files with OpenAppID enabled.

Command Run:
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -s 65535 -k none -q

Error Messages Seen at console (multiple errors of each type):
- lua detector odp_client_ZenVPN.lua: error validating /usr/local/lib/odp/libs/DetectorCommon.lua:190: attempt to index 
global 'gDetector' (a nil value)
- lua detector odp_service_tftp.lua: error validating /usr/local/lib/odp/lua/service_tftp.lua:151: attempt to call 
global 'checkPattern' (a nil value)

I have the following rules enabled: all rules from the snort3-community rules (un-commented all rules), along with the builtin 
rules.
snort.lua (relevant bits):
appid =
{
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. '/ips.include',
}

(note that ips.include contains references to the snort3-community.rules with all rules enabled, as well as my 
local.rules file with 2 simple rules).

alert_json is enabled in snort.lua as well. Note that snort runs fine and generates alerts to the correct 
alert_json.txt file; it just shows all these errors as well.


//----------------------------------------------------------------------------------------------------------------------
2.  If no log directory is specified, but a file output plugin is enabled, no logs are written.

This is a small bug: if you run snort with a file output enabled in your snort.lua (csv or json, for example), but 
forget to add -l /var/log/snort to the command line, then logs aren't written. Not a big error, but it would probably 
be good for snort to detect and report this as an error, since that's probably what people are trying to do.


//----------------------------------------------------------------------------------------------------------------------
3. File output naming process.

I reported this issue before, and I want to make sure it doesn't slip through the cracks.  Snort currently writes 
alerts to a file, then renames the file to include the unixtime when rolling over to a new file (alert_json.txt becomes 
alert_json.txt.nnnnnnnnnn).

This causes problems with log-parsing tools (Splunk and ELK) because they cannot (should not) index the original 
filename (without the unixtime), since they may only partially process it before snort renames it (leading to missing 
events).  The solution is to tell these tools to watch for files that have the unixtime portion of the filename 
(ignoring the original file until it's renamed and static), but you have to wait for the file to roll over and be 
renamed, which for a large file size could take some time.  You can't tell these tools to watch for both the original 
file as well as the renamed file, because you'll get duplicated events.

The solution is for snort to write all files with the unixtime component, and not re-name the files. These tools can 
watch these files, and will process new events without any issues.

I have written a Splunk plugin (TA) that ingests JSON data and makes it CIM compliant, but I am waiting for the JSON 
filename issue to be resolved before I release it, since that just complicates things.

//----------------------------------------------------------------------------------------------------------------------
4.  Warnings with OpenAppID

When enabling OpenAppID with --warn-all, there are a number of warnings shown. For example:
sudo snort -c /usr/local/etc/snort/snort.lua --warn-all

a sample of the output (lots of 'appid: no entry' errors):

WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
WARNING: appid: no entry in appMapping.data for 4130
WARNING: appid: no entry in appMapping.data for 4115
WARNING: appid: no entry for 4543 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4543
WARNING: appid: no entry in appMapping.data for 434
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 437
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 3396
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 513
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 2313
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry in appMapping.data for 90
WARNING: appid: no entry for 4126 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4126
WARNING: appid: no entry for 2634 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2634
WARNING: appid: no entry for 4075 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 4075
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 290 warnings).
o")~   Snort exiting


Except for the minor errors above, everything seems to be working really well.

Thanks,
Noah

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org<mailto:Snort-devel () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
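A defender-side illustration of the rollover race from issue 3, added here and not part of the thread or of Snort itself: a reader that follows alert_json.txt by inode drains the renamed file before switching to the fresh one, so an event appended just before the rename is not lost. The event lines, directory and unixtime suffix are constructed for the demonstration.

```python
import json
import os
import tempfile

def follow_by_inode(path, state):
    """Return lines appended since the last call, surviving a rename.

    `state` holds the open handle and the inode it belongs to. Snort renames
    the file it is writing (alert_json.txt -> alert_json.txt.<unixtime>) and
    starts a fresh alert_json.txt; a reader that re-opens by name at that
    moment skips whatever was appended to the old file after its last pass.
    Draining the old handle before switching closes that gap.
    """
    lines = []
    fh = state.get("fh")
    if fh is not None:
        lines += fh.read().decode().splitlines()     # drain the file already followed
    try:
        ino = os.stat(path).st_ino
    except FileNotFoundError:                        # nothing (yet) under that name
        return lines
    if fh is None or ino != state.get("ino"):        # different inode: Snort rolled over
        if fh is not None:
            fh.close()
        fh = open(path, "rb")
        state.update(fh=fh, ino=ino)
        lines += fh.read().decode().splitlines()
    return lines

def simulate_snort_rollover():
    """Constructed re-enactment of the rollover from the report; returns the
    event messages the inode-following reader delivered, in order."""
    with tempfile.TemporaryDirectory() as logdir:
        path = os.path.join(logdir, "alert_json.txt")
        state, got = {}, []
        with open(path, "ab") as w:                  # Snort writes the first events
            w.write(b'{"seconds": 1, "msg": "event 1"}\n{"seconds": 2, "msg": "event 2"}\n')
        got += follow_by_inode(path, state)
        with open(path, "ab") as w:                  # appended after the reader's last pass
            w.write(b'{"seconds": 3, "msg": "event 3"}\n')
        os.rename(path, path + ".1544638800")        # constructed unixtime suffix
        with open(path, "ab") as w:                  # fresh file under the original name
            w.write(b'{"seconds": 4, "msg": "event 4"}\n')
        got += follow_by_inode(path, state)
        state["fh"].close()
        return [json.loads(line)["msg"] for line in got]

if __name__ == "__main__":
    print(simulate_snort_rollover())
```

A name-based reader that resets its offset when the file under alert_json.txt suddenly shrinks would deliver events 1, 2 and 4 only; the inode-following reader returns all four.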
