Snort mailing list archives
Config parsing issue with a poor config section
From: Daniel Einspanjer <deinspanjer () gmail com>
Date: Thu, 21 May 2015 16:17:01 -0400
I'm running Snort 2.9.7.2 installed on a pfSense 2.2.2 router by the pfSense package manager. I was having a problem where I was unable to start the Snort interface when I enabled the AppID preprocessor. I was getting the following error:

    FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_51424_igb1/snort.conf(407) => Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

I kept looking at the memcap value for AppID but couldn't find anything wrong. While grepping the source, I eventually looked for the constant 4095 and discovered that it was only used in the reputation preprocessor.

When I looked at the config for reputation, I found the problem. I had enabled the reputation preprocessor, but I had not specified any whitelist or blacklist files. Hence, the config that pfSense wrote out for me looked like this:

    # IP Reputation preprocessor #
    preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        white unblack, \
    # Snort Output Logs #
    output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

Note that the reputation section ends with a line continuation character.

When I tried to enable the AppID preprocessor, the config looked like this:

    # IP Reputation preprocessor #
    preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        white unblack, \
    # AppID preprocessor #
    preprocessor appid: \
        app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \
        memcap 268435456, \
        app_stats_filename app-stats.log, \
        app_stats_period 300, \
        app_stats_rollover_size 1024000, \
        app_stats_rollover_time 86400
    # Snort Output Logs #
    output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K

So, for some reason, this config caused the validation of the reputation preprocessor's memcap setting to fail.
I am going to report the bug to pfSense as well since they need to avoid writing out the config file in this way, but I was hoping someone here might be able to take a look at the config parsing code and see if there is a fix to make it better able to handle or avoid the situation as well.

Thank you for your time.

-Daniel

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
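A pre-start check for the pattern described in the message above, as an added example that is not part of the original post and is not Snort or pfSense code: it flags any continued line that is followed by a blank line, a comment, or a new statement instead of another option line. The function name, the keyword set and the line layout of the sample config are assumptions made for this example.

```python
# Keywords that start a new top-level statement in a Snort 2.x config
# (assumed subset, enough for this check).
STATEMENTS = {"preprocessor", "output", "config", "var", "ipvar", "portvar",
              "include", "dynamicpreprocessor", "dynamicengine", "dynamicdetection"}

# Constructed sample: the second config quoted in the post, one option per line.
SAMPLE = """\
# IP Reputation preprocessor #
preprocessor reputation: \\
    memcap 500, \\
    priority whitelist, \\
    nested_ip inner, \\
    white unblack, \\
# AppID preprocessor #
preprocessor appid: \\
    app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \\
    memcap 268435456, \\
    app_stats_filename app-stats.log, \\
    app_stats_period 300, \\
    app_stats_rollover_size 1024000, \\
    app_stats_rollover_time 86400
# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K
"""

def find_dangling_continuations(text):
    """Return (line_no, line, reason) for every continued line that is not
    followed by another option line of the same statement."""
    lines = text.splitlines()
    findings = []
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("#") or not line.endswith("\\"):
            continue  # comments and complete lines cannot dangle
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not nxt:
            reason = "blank line or end of file"
        elif nxt.startswith("#"):
            reason = "comment"
        elif nxt.split()[0] in STATEMENTS:
            reason = "new statement"
        else:
            continue  # ordinary continuation into the next option line
        findings.append((i + 1, line, reason))
    return findings

if __name__ == "__main__":
    for line_no, line, reason in find_dangling_continuations(SAMPLE):
        print(f"line {line_no}: continuation runs into {reason}: {line}")
```

Running a check like this against a generated snort.conf before starting the interface points at the reputation section directly, rather than at the later line where the out-of-bounds memcap is reported.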
Current thread:
- Config parsing issue with a poor config section Daniel Einspanjer (May 21)
- Re: Config parsing issue with a poor config section Rahul Burman (rahburma) (May 25)