snort-devel July 2008 archive

Re: [Snort-devel] Snort 2.8.2.1 Now Available

From: Todd Wease <twease_at_nospam>
Date: Mon Jul 28 2008 - 18:55:21 GMT
To: christian mock <cm@coretec.at>


Hi Christian,

The problem is that the pass rules don't have an sid associated with each. What is actually happening is that the first pass rule is being registered with Snort, but the rest are not (the count in the startup output doesn't account for this failure). This is because the hash table used to store the rules uses a gid/sid pair as the hash key. Rules without an sid are effectively given an sid of 0 for processing so when an attempt to insert another pass rule (without an sid) into the hash table is done, it returns that we already have an entry in the table and it doesn't get inserted. The bug here is that Snort is _not_ checking the return value and not warning the user about the failure. We are planning to fix this in the 2.8.3 release and will fatal error on this condition.

Just add unique sids to your pass rules and things should work as expected (let us know if they don't). Thanks again for posting the problem.

Todd

christian mock wrote:
> On Wed, Jul 23, 2008 at 01:13:31PM -0400, Steven Sturges wrote:
>
>> Can you send us relevant parts of your configuration?
>
> see below.
>
>> How are you prioritizing rules? Priority? Use of -o flag (or other command-line switches)?
>
> I have no special priority setting, and tried both "-o" (until I discovered
> it is disabled in the source) and "config order: pass alert log". syslog
> says the ordering settings are applied (e.g. "Rule application order:
> activation->dynamic->pass->drop->alert->log ").
>
>> When you say "pass rules in front", what do you mean?
>
> I'm using the following rules:
>
> pass udp $HOME_NET any -> $HOME_NET 161
> pass icmp 62.116.68.33/32 any -> $HOME_NET any
> pass icmp any any -> 62.116.68.35/32 any
> pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
> pass icmp 192.168.1.128 any -> any any
> pass udp any any -> 192.168.1.1 53
> alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
> alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
>
> I do a DNS lookup and a ping from 192.168.1.128 to 192.168.1.1, and I get:
>
> 07/24-12:04:39.037287 [**] [1:1234568:1] DNS [**] [Priority: 0] {UDP} 192.168.1.128:36850 -> 192.168.1.1:53
> 07/24-12:04:39.038440 [**] [1:1234567:1] ICMP [**] [Priority: 0] {ICMP} 192.168.1.128 -> 192.168.1.1
>
> Both should be passed by rules #5 and #6. When I delete rules #1-#4,
> it works as expected. When I reorder the rules, it also works:
>
> pass icmp 192.168.1.128 any -> any any
> pass udp any any -> 192.168.1.1 53
> pass udp $HOME_NET any -> $HOME_NET 161
> pass icmp 62.116.68.33/32 any -> $HOME_NET any
> pass icmp any any -> 62.116.68.35/32 any
> pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
> alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
> alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
>
> I attach the snort.conf I'm using which is derived from the distributed
> version with the necessary adaptations.
>
> Let me know if I can help with more info,
>
> cm.
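As an added illustration of the hash-key collision Todd describes (example code written for this archive page, not from the thread or from Snort's source): the rules from Christian's report are keyed by (gid, sid) with a missing sid treated as 0, so an unchecked insert keeps only the first pass rule, a checked insert surfaces the duplicate, and a small lint pass finds the rules that still need a sid. The sid values that add_sids appends are constructed placeholders.

```python
import re

# Constructed rule set, copied from the quoted report: six pass rules
# without a sid, then two alert rules that do carry one.
RULES = """
pass udp $HOME_NET any -> $HOME_NET 161
pass icmp 62.116.68.33/32 any -> $HOME_NET any
pass icmp any any -> 62.116.68.35/32 any
pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
pass icmp 192.168.1.128 any -> any any
pass udp any any -> 192.168.1.1 53
alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
""".strip().splitlines()

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_key(rule):
    """(gid, sid) hash key; gid defaults to 1 and a rule with no sid
    option is keyed as sid 0, which is what makes the pass rules collide."""
    m = SID_RE.search(rule)
    return (1, int(m.group(1)) if m else 0)

def register_rules(rules, strict=False):
    """Model the rule hash table. strict=False drops a duplicate-key
    insert without checking the result (the 2.8.2.1 behaviour the thread
    describes); strict=True reports it, as the reply says 2.8.3 will."""
    table = {}
    for rule in rules:
        key = rule_key(rule)
        if key in table:
            if strict:
                raise ValueError("duplicate gid:sid %d:%d in %r" % (key + (rule,)))
            continue  # silently lost; the startup count still includes it
        table[key] = rule
    return table

def rules_missing_sid(rules):
    """Lint check: every rule that would be keyed as sid 0."""
    return [r for r in rules if not SID_RE.search(r)]

def add_sids(rules, start=1000001):
    """Append a unique (constructed) sid to each sid-less rule so every key is distinct."""
    out, next_sid = [], start
    for r in rules:
        if not SID_RE.search(r):
            r, next_sid = "%s (sid:%d; rev:1;)" % (r, next_sid), next_sid + 1
        out.append(r)
    return out
```

Run against the report's eight rules, register_rules keeps three entries (one pass rule and the two alerts) while silently discarding five pass rules; after add_sids all eight register.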


Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel