Snort mailing list archives

Re: Snort Failing While Reading Rules File


From: "Patrick Mullen (pamullen) via Snort-users" <snort-users () lists snort org>
Date: Thu, 3 Oct 2019 16:18:25 +0000

Rules with "ET" in the name are from emerging threats, not us. They continue to use threshold instead of 
detection_filter despite it being deprecated for years. But that doesn't explain the weird condition you're 
experiencing.

Can you paste the contents of sid 2018361 in an email and send it to me, please?


Thanks,

Patrick
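Patrick's point about threshold versus detection_filter, and the "Flowbits: Invalid token" error quoted further down, can both be checked mechanically before restarting Snort. The script below is an added example, not code from the thread or from the Snort or PulledPork projects; it assumes Snort 2.9 rule syntax and the flowbits operation names in the constant, and its sample input is constructed from the ET rule Jim quoted plus one made-up rule carrying the "noreject" token from the reported error.

```python
import re

# Flowbits operations the Snort 2.9 rule parser accepts; anything else is an "Invalid token".
VALID_FLOWBITS_OPS = {"set", "setx", "unset", "toggle", "isset", "isnotset", "noalert", "reset"}

def split_options(body):
    """Split a rule's option body on ';' while ignoring ';' inside double-quoted content."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def check_rule(rule):
    """Return findings for one rule line; an empty list means the rule passes these checks."""
    m = re.search(r"\((.*)\)\s*$", rule.strip())
    if rule.lstrip().startswith("#") or not m:
        return []
    pairs = [[p.strip() for p in o.split(":", 1)] for o in split_options(m.group(1)) if ":" in o]
    sid = next((v for k, v in pairs if k == "sid"), "?")
    findings = []
    for k, v in pairs:
        if k == "threshold":  # deprecated in-rule threshold (the WARNING on line 756 in the thread)
            kv = dict(w for w in (part.strip().split(None, 1) for part in v.split(",")) if len(w) == 2)
            t, args = kv.get("type"), f"track {kv.get('track')}, count {kv.get('count')}, seconds {kv.get('seconds')}"
            if t == "threshold":  # only this type maps 1:1 onto the rule option detection_filter
                findings.append(f"sid {sid}: replace threshold with detection_filter:{args};")
            else:  # limit/both have no rule-level replacement and belong in threshold.conf as an event_filter
                findings.append(f"sid {sid}: threshold type {t} has no detection_filter equivalent; use event_filter gen_id 1, sig_id {sid}, type {t}, {args} in threshold.conf")
        elif k == "flowbits":  # the ERROR on line 2478 in the thread: an unknown flowbits operation
            op = v.split(",")[0].strip()
            if op not in VALID_FLOWBITS_OPS:
                findings.append(f"sid {sid}: flowbits: invalid token {op}")
    return findings

def check_file(lines):
    """Map 1-based line numbers to findings, the way Snort reports 'snort.rules(2478)'."""
    return {n: f for n, line in enumerate(lines, 1) if (f := check_rule(line))}

# Constructed sample input: the ET rule from the thread joined onto one line, plus a made-up rule.
SAMPLE_RULES = [
    'reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; '
    'flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; '
    'threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; sid:2011668; rev:6;)',
    'reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED flowbits example"; flowbits:noreject; sid:9000001; rev:1;)',
]
```

Run it over a saved snort.rules with `check_file(open(path).read().splitlines())` to get the same line numbers Snort prints, without waiting for a restart to fail.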


________________________________
From: Jim Campbell <jim () w4bqp net>
Sent: Thursday, October 3, 2019 12:02:47 PM
To: Patrick Mullen (pamullen) <pamullen () cisco com>
Cc: Snort-users <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort Failing While Reading Rules File

Patrick,

I'll attempt to answer your questions as best I can. First the ruleset I'm using:
===================
Checking latest MD5 for snortrules-snapshot-29141.tar.gz....
    They Match
    Done!
Checking latest MD5 for community-rules.tar.gz....
    They Match
    Done!
IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
Reading IP List...
Checking latest MD5 for opensource.gz....
    They Match
    Done!
Checking latest MD5 for emerging.rules.tar.gz....
    No Match
    Done
Rules tarball download of emerging.rules.tar.gz....
    They Match
    Done!
Prepping rules from opensource.gz for work....
    Done!
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Prepping rules from snortrules-snapshot-29141.tar.gz for work....
    Done!
Prepping rules from community-rules.tar.gz for work....
    Done!
Reading rules...
======================
Since the locations in the rules file move around, I'll tell you which sid was at line 2478 in my rules file from 
yesterday.
sid:2018361

Next, from a saved copy of snort.rules from yesterday when this was occurring, looking for "threshold"

reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Rather than giving you the entire rule, I'll give you the sids for the remaining.
2015993
2404000
...
Gave up looking at 240419. It seemed that every rule in that range used "threshold".

===============

Fast forward to today. I enabled sids 120:7 and 129:5 in my disablesid file. I re-ran pulledpork to make use of those 
sids. I restarted snort and it ran with no errors. The snort.conf file still has numerous occurrences of the token 
"threshold".

Something changed for good. Thanks for your attention.

Jim



On 10/2/2019 11:54 PM, Patrick Mullen (pamullen) wrote:
Jim,

What external ruleset(s) are you running? We shouldn't be publishing any rules using threshold for a very long time.

What is the content of the rule on line 2478, the one throwing the error "/etc/snort/rules/snort.rules(2478) Flowbits: 
Invalid token noreject"?

Unfortunately, I'm going on vacation until Monday, but what I can tell you is that recently we enabled a bunch of 
preprocessor alerts in the max detect policy, which is probably why you are seeing new alerts there. I don't know what 
the two alerts you apparently narrowed your problems down to (120:7 and 129:5) but I suspect it's a bit of a red 
herring given those other errors and warnings you mentioned, which is why I'm trying to get a better idea of your 
environment.


Thanks,

Patrick


From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: October 2, 2019 at 20:41:10 EDT
To: Snort-users <snort-users () lists snort org>
Subject: [Snort-users] Snort Failing While Reading Rules File
Reply-To: Jim Campbell <jim () w4bqp net>

I'm running Snort inline as an IPS system.

I upgraded Snort to 2.9.14.1 just over a week ago. Once it was running, with the same disablesid.conf I was using 
before the update I began receiving a lot of alerts that I hadn't been receiving before. The sids were 120:5, 120:7, 
120:8, 129:5, 129:18, 129:20 and 142:2.

I gradually began adding the sids giving the most alerts to the disablesid.conf file. Each time I update the 
disablesid.conf file I run pulledpork and restart snort.

This morning I added 120:7 and 129:5 to the disablesid.conf file.

Snort was running just fine until I updated my rules file. After the update I restarted Snort as I usually do. While 
reading the rules file snort failed. Here are the messages I received:

WARNING: /etc/snort/rules/snort.rules(756) threshold (in rule) is depreciated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject.

I realize the first message isn't an error, I just included it for context.

I commented out this rule and restarted Snort. I received an error on a different pair of rules. Commented out that 
pair of rules, same results.

I downloaded the rules again, same results.

After some experimenting I learned that if I remove sids 120:7 and 129:5 from the disablesid.conf file, re-run 
pulledpork and restart snort it no longer fails.

Jim Campbell

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

   To unsubscribe, send an email to:
   snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


