Bug 10759 - ids.cgi breaks line in SNORT rules files
Summary: ids.cgi breaks line in SNORT rules files
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: Unspecified
Assignee: Stefan Schantl
Blocks: SURICATA
Reported: 2015-03-01 12:36 UTC by Horace Michael (aka H&M)
Modified: 2019-05-20 18:44 UTC (History)

Description Horace Michael (aka H&M) 2015-03-01 12:36:56 UTC
Hi,

Using ids.cgi (Services -> Intrusion Detection) breaks the rule file by splitting some lines into two lines, and therefore snort fails to start.

Actions to recreate the error: expand one rule group (emerging-current_events for example), uncheck the rules containing POODLE, save.

In /var/log/messages I saw snort generating a FATAL ERROR

FATAL ERROR: /etc/snort/rules/emerging-current_events.rules(1943) Bad pattern length!

At line 1943 in /etc/snort/rules/emerging-current_events.rules is this:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634";flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:""; distance:0;pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R";reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3;)

Clearly, line 1943 is not the one I unchecked in the web interface; the ones I unchecked contain POODLE!
The above line 1943 is actually part of a rule, the last part of it. The rule was split into two lines after using ids.cgi.

Also, other rules were split in two, not only the one I gave as an example.

More details in the forum: http://forum.ipfire.org/viewtopic.php?f=52&t=12475

Best regards,
H&M
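The report above shows that a damaged rules file is only noticed when Snort refuses to start. A pre-flight check run over the file before the IDS is restarted catches both symptoms described here: a rule split across two lines and a `content` option left empty (Snort's "Bad pattern length"). The linter below is an added example, not code from the IPFire project or from the reporter; its rule-header grammar and action list are simplified assumptions, and the sample rules are constructed, not real Emerging Threats rules.

```python
import re

# Rule actions that may begin a rule line (assumption: the common Snort 2 built-ins).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
# action proto src sport direction dst dport ( options )  -- simplified header grammar
HEADER_RE = re.compile(
    r'^(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' outside double quotes; also report an unterminated quote."""
    opts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:                        # character escaped by a backslash inside quotes
            cur.append(ch)
            esc = False
        elif ch == '\\' and in_q:
            cur.append(ch)
            esc = True
        elif ch == ';' and not in_q:   # end of one option
            opts.append(''.join(cur).strip())
            cur = []
        else:
            if ch == '"':
                in_q = not in_q
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts, in_q                  # in_q still True means the quote never closed

def lint_rules(text):
    """Return (line_no, message) for each line Snort would refuse to load."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        m = HEADER_RE.match(s)
        if not m or m.group(1) not in ACTIONS:
            problems.append((no, "incomplete rule: no header or no closing ')' (split line?)"))
            continue
        opts, unterminated = split_options(m.group(2))
        if unterminated:
            problems.append((no, "unterminated quoted string"))
        for opt in opts:
            if re.fullmatch(r'content:\s*!?\s*""', opt):
                problems.append((no, "empty content pattern (Bad pattern length)"))
    return problems

# Constructed sample: a good rule, a rule split across two lines, and a rule with an emptied content.
SAMPLE_RULES = """\
# CONSTRUCTED test data, not real Emerging Threats rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"OK rule"; content:"GET"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"split rule"; flow:established;
content:"second half"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"emptied"; content:"RegExp"; content:""; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {msg}")
```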
Comment 1 Michael Tremer 2015-03-03 18:02:44 UTC
Stefan, could you please confirm if this is a bug?
Comment 2 Charles 2015-04-21 05:54:36 UTC
Could be related to: https://bugzilla.ipfire.org/show_bug.cgi?id=10770
Comment 3 Charles 2015-04-21 05:55:55 UTC
Could be related to: https://bugzilla.ipfire.org/show_bug.cgi?id=10791
Comment 4 Charles 2015-04-26 14:07:56 UTC
Has this been confirmed as a bug?
Comment 5 Charles 2015-04-26 14:28:08 UTC
Several bugs were reported with snort / ids before update 89. Feedback has been provided and feedback needs to be received back if needed.

Any plans to move away from snort to something like suricata?

http://suricata-ids.org/features/all-features/
Comment 6 Charles 2015-05-28 22:35:48 UTC
Any update to this and the other snort/ids bugs? Was hoping it would be fixed in Core Update 90.
Comment 7 Peter Müller 2017-10-23 22:57:46 UTC
Is this still up to date? Experiencing some issues with Snort here, but I am not sure if this might be related.
Comment 8 Stefan Schantl 2018-08-30 10:52:06 UTC
Fixed during the movement from snort to suricata.