Bug 11169

Summary: Snort not loading preproc_rules
Product: IPFire Reporter: Jarred Casselton <help>
Component: ---Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED CANTFIX QA Contact:
Severity: Minor Usability    
Priority: Will affect an average number of users CC: itsuperhack, peter.mueller, stefan.schantl
Version: 2Keywords: Security
Hardware: all   
OS: All   
Bug Depends on:    
Bug Blocks: 11542    

Description Jarred Casselton 2016-08-25 19:50:12 UTC 
IPFire 2.19 (i586) - Core Update 104 (pre-release)
Registered Snort VRT Rules only.

snort config: /etc/snort/snort.conf
contains the directory for PREPROC (var PREPROC_RULE_PATH /etc/snort/preproc_rules)
but the include lines are not being generated.
running: snort -T -c /etc/snort/snort.conf
shows not loading anything, but rules:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
28195 Snort rules read
    28195 detection rules
    0 decoder rules
    0 preprocessor rules
28195 Option Chains linked into 1240 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

adding the following lines to /etc/snort/snort.conf
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
allows the rules to load:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
28617 Snort rules read
    28199 detection rules
    150 decoder rules
    268 preprocessor rules
28617 Option Chains linked into 1242 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


I believe these include line should be generated?

Also if there is a snort conf error, the WebUI shows no error (no indication of Snort start / reload failure.

Jarred
Comment 1 Jarred Casselton 2016-08-25 19:52:28 UTC 
Adding the lines manually, saving:
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

Then going to the IDS WebUI causes the changes to be reset.
Comment 2 Jarred Casselton 2016-08-25 20:16:25 UTC 
The reason I found this issue was that Snort was not detecting port scans.
Tried increasing tweaking WebUI settings: Priority Level and rules enabled and adjusting (and adding): "preprocessor sfportscan: proto { all } memcap { 10000000 }  sense_level { hign } scan_type { all }"
- but no change.
Reverted changes made and checked the test readout 
found Preproc rules not loading - suspect this was the reason
Tested: even with PREPROC rules, snort is not detecting port scans (GRC Sheilds Up!) - unknown if this is a bug or a config issue.
Jarred
Comment 3 Jarred Casselton 2016-09-10 12:26:45 UTC 
Re-Tested: = with PREPROC rules, snort IS detecting port scans (GRC Sheilds Up!) 
found that in the IDS.cgi - its looks for any line with .rules in it.
so
I renamed the preproc rules files from .rules to .rule5
and inserted the following lines into snort.conf
include $PREPROC_RULE_PATH/sensitive-data.rule5
include $PREPROC_RULE_PATH/preprocessor.rule5
include $PREPROC_RULE_PATH/decoder.rule5

and all is well - looks like IDS.cgi needs to generate these lines
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

I sidestep-ed the issue

Jarred
Comment 4 Jarred Casselton 2016-09-21 22:22:09 UTC 
IPFire version:	IPFire 2.19 (i586) - core104
Pakfire version:	2.19.1
Kernel version:	Linux cache 3.14.79-ipfire-pae #1 SMP Tue Sep 13 23:26:41 GMT 2016 i686 GNU/Linux

updated core104 to new version (had old pre version before)
- problem still exists
- my workaround still works.

http://fireinfo.ipfire.org/profile/9f4ede783cec8fc79de312d67a34508ca0c29472
Comment 5 Peter Müller 2017-11-08 16:20:29 UTC 
Since I do not use VRT rules here, this never occured to me.

Can you confirm this is still up to date?

(Currently working on snort issues, see: https://wiki.ipfire.org/devel/telco/2017-11-06)
Comment 6 Jarred Casselton 2017-11-09 00:00:33 UTC 
I need to update our ipfire on Friday (tomorrow) and check / let you know at the same time.
The problem still existed when I setup our new x64 ipfire - I think it was core 103
Comment 7 Jarred Casselton 2017-11-13 04:47:03 UTC 
testing now, sorry about delay
Comment 8 Jarred Casselton 2017-11-13 06:38:44 UTC 
I have confirmed that the include lines are still absent 
and the VRT rules don't extract the rule files into /etc/snort/so_rules/ and /etc/snort/preproc_rules/
its worth noting however, the Preproc and SO rules paths are defined as vars, ready for use

on x86_64 core 116

Missing from snort.conf : 
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
Comment 9 Peter Müller 2017-11-30 21:42:09 UTC 
Okay, thanks. I will have a look at it soon, sounds easy to fix (but we'll never know... :-) ).
Comment 10 Peter Müller 2018-07-11 18:19:20 UTC 
The preproc files are not present when using the ET ruleset.
Comment 11 Stefan Schantl 2018-08-30 10:55:38 UTC 
IPFire is going to drop snort as IDS and replace it by suricata.

There are no preproc rules at all, so this bug can be closed.