Bug 110103 - snort basic rules missing >=2.4.x
Bug#: 110103
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: netmon@gentoo.org
Reported By: mark.conway@themobiusproject.com
Component: Ebuilds
Summary: snort basic rules missing >=2.4.x
Opened: 2005-10-21 22:57 0000
In snort 2.4.1, the base rules disappear causing snort to not start.
In 2.3.3-r1, snort rules were moved from /etc/snort to /etc/snort/rules for
housekeeping's sake. Starting in 2.4.1, the base rules disappeared altogether.
I think this is because they were taken out of the main snort.tar.gz and put
into a separate archive. There are different versions of the snort rules:
subscription release, registered user release, and unregistered user release
(which I think most of the Gentoo userbase falls into). Because the base rules
were removed, snort refuses to start because the files that it is looking for in
/etc/snort/rules are missing. The easy fix for this is to add the archive for
the official snort ruleset (unregistered version of course) to the snort ebuild.
http://www.snort.org/pub-bin/downloads.cgi
Current Official Ruleset for Unregistered Users:
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
Reproducible: Always
Steps to Reproduce:
1. emerge -C snort
2. rm -r /etc/snort/ (to remove all rules for a clean install)
3. emerge >=net-analyzer/snort-2.4.1
Actually, looking at this a little bit further, I notice that I have just
duplicated a few files that should only exist in /etc/snort/ and not in
/etc/snort/rules/:
classification.config
gen-msg.map
reference.config
sid-msg.map
snort.conf
threshold.conf
unicode.map
These were in the snortrules-pr-2.4.tar.gz and thus moved to the rules folder
along with the base rules. The init script for snort uses /etc/snort/snort.conf
so removing the ./rules/snort.conf is safe.
Another quick thought is that /etc/snort/snort.conf should be chmod 640 because
there is a username/password to the database program.
I thought dragonheart / I fixed this in ~ a while back. Can you try snort 2.4.3
and let me know if it's still a problem.
$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1.tbz2 | grep rules
./etc/snort/rules/
$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1-r1.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules
$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.3.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules
The community rules have been installed, but the base rules are missing in all
of the 2.4.x builds.
There are no more base rules in snort AFAIK, since they are selling them, or am I
wrong?
I'm not following the problem. We include the community rules and that is all
you need to RUN snort. If you want more up-to-date rules then go and get them. Are
you saying that you need more than the community rules that are shipped with
snort to get snort to run?
My apologies for being vague. I started this bug at about 2 in the morning
after trying to figure out why snort wasn't working for me and I knew what I was
talking about, though that apparently didn't help me explain the problem any :)
I will try to start from the beginning this time so I don't miss anything.
On a Gentoo system w/o Snort installed...
1. emerge =net-analyzer/snort-2.4.3
2. follow postinst instructions to make the snort mysql database
3. edit /etc/snort/snort.conf to access the mysql db
output database: log, mysql, user=root password=test dbname=db host=localhost
4. /etc/init.d/snort start
* Starting snort ... [ ok ]
5. ps x | grep snort
6648 pts/0 S+ 0:00 grep snort
(Snort isn't actually running at this point)
6. /etc/init.d/snort stop
* Stopping snort ...
start-stop-daemon: warning: failed to kill 6587: No such process [ !! ]
7. /etc/init.d/snort zap
* Manually resetting snort to stopped state. [ ok ]
8. snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
(This is essentially the line that the init script uses to start snort except
I have replaced the -D [start daemon] with -T [test] to see what the problem is)
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode
...
ERROR: Unable to open rules file: /etc/snort/rules/local.rules or
/etc/snort//etc/snort/rules/local.rules
Fatal Error, Quitting..
9. Taking a look at the end of /etc/snort/snort.conf I see:
($RULE_PATH is defined as /etc/snort/rules earlier in the conf)
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
-- These are all of the basic rules that are missing that stop snort from
starting. The community rules are great, but they are supposed to be in addition
to the basic rule set. The community rules aren't even being used, though,
because none of the config files accesses them.
I think that the basic rule set should be included into the snort ebuild so the
most basic of users can just install the ebuild and start snort. The /most/
basic set is freely available from snort.org from the links that I provided
above. If the user is a registered user or a subscriber, then they should know
how to download the newer rule sets that they have access to. Because the basic
rule set for unregistered users only changes once every major release, this
shouldn't be any undue burden on the ebuild maintainers.
---
I think I have described the problem that I see in full now. But then again it
took me about 45 minutes to write this because my son keeps trying to get my
attention...
OK, snort 2.4.3 should work after the emerge. I THOUGHT that dragonheart had
committed a fix to touch /etc/snort/rules/local.rules which is all that needs to
happen for snort to load up and work. I disagree that the basic rules should be
included but I agree that I should add a warning to indicate that the user
should go and get the appropriate ruleset. I'm not able to check now but if that
fix for the local.rules is not in cvs then I will fix it myself in 12 hours or
so when I am near one of my dev machines.
I installed snort 2.4.3 on another test box today. This box has never had snort
on it. I tried your fix to:
$ touch /etc/snort/rules/local.rules
and then ran:
$ snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
as I did before to test the config. Like before, the result was:
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode
...
ERROR: Unable to open rules file: /etc/snort/rules/bad-traffic.rules or
/etc/snort//etc/snort/rules/bad-traffic.rules
Fatal Error, Quitting..
I then touched /etc/snort/rules/bad-traffic.rules and tried the test string
again, which resulted in the same error for exploit.rules. This leads me to
believe that every file.rules in snort.conf needs to be either touched or
commented out. This again doesn't fix the problem of the community rules not
being loaded due to these rules not existing in a config file anywhere.
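The two failure modes the reporter walks through above (snort aborts on the first uncommented `include $RULE_PATH/...` line whose file is unreadable, and community rule files that no include line loads are silently unused) can be checked before the daemon is started. This is an added example, not code from the bug thread or the Gentoo ebuild; it assumes the 2.4-era `var RULE_PATH <dir>` / `include $RULE_PATH/<file>` syntax shown in the pasted snort.conf and builds its own constructed demo layout under mktemp when run without an argument.

```shell
#!/bin/sh
# Added example (not from the bug thread or the ebuild): pre-flight check for a
# 2.4-era snort.conf. Reports included rule files that cannot be read (the
# "Unable to open rules file" fatal error) and rule files present on disk that
# nothing includes (the unused community-*.rules case).

# rule_path CONF: value of the last "var RULE_PATH ..." definition in CONF.
rule_path() {
    sed -n -E 's/^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+([^[:space:]]+).*/\1/p' "$1" | tail -n 1
}

# included_rules CONF: file names from uncommented "include $RULE_PATH/..." lines.
included_rules() {
    sed -n -E 's/^[[:space:]]*include[[:space:]]+\$RULE_PATH\/([^[:space:]]+).*/\1/p' "$1"
}

# missing_rule_files CONF: one line per included rule file that is unreadable,
# trying the path as written and then relative to the config directory (the
# second, doubled path snort prints in its error message).
missing_rule_files() {
    rp=$(rule_path "$1"); confdir=$(dirname "$1")
    included_rules "$1" | while read -r f; do
        [ -r "$rp/$f" ] || [ -r "$confdir/$rp/$f" ] || echo "$rp/$f"
    done
}

# unreferenced_rule_files CONF: *.rules in RULE_PATH that no include line loads.
unreferenced_rule_files() {
    rp=$(rule_path "$1"); inc=$(included_rules "$1")
    for p in "$rp"/*.rules; do
        [ -e "$p" ] || continue
        f=${p##*/}
        printf '%s\n' "$inc" | grep -qx "$f" || echo "$f"
    done
}

# make_demo_conf: constructed sample layout (not a real install); prints conf path.
make_demo_conf() {
    d=$(mktemp -d); mkdir "$d/rules"
    : > "$d/rules/local.rules"; : > "$d/rules/community-virus.rules"
    printf '%s\n' "var RULE_PATH $d/rules" 'include $RULE_PATH/local.rules' \
        'include $RULE_PATH/bad-traffic.rules' '# include $RULE_PATH/backdoor.rules' \
        > "$d/snort.conf"
    echo "$d/snort.conf"
}

# Usage: sh check_rules.sh [/etc/snort/snort.conf]; uses the demo layout if none given.
conf=${1:-$(make_demo_conf)}
missing_rule_files "$conf"
```

On the demo layout the script prints only the missing bad-traffic.rules path; the commented-out backdoor.rules include is ignored, as snort ignores it.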
Basic rules are back in snort-2.4.3-r1, so now it should work by default in new
installations.
Donald, thanks for your patch, but I don't think it will be necessary anymore
:-).
Thanks for reporting!