IPFire 2.19 (i586) - Core Update 104 (pre-release) Registered Snort VRT Rules only. snort config: /etc/snort/snort.conf contains the directory for PREPROC (var PREPROC_RULE_PATH /etc/snort/preproc_rules) but the include lines are not being generated. running: snort -T -c /etc/snort/snort.conf shows not loading anything, but rules: +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 28195 Snort rules read 28195 detection rules 0 decoder rules 0 preprocessor rules 28195 Option Chains linked into 1240 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ adding the following lines to /etc/snort/snort.conf include $PREPROC_RULE_PATH/sensitive-data.rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules allows the rules to load: +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 28617 Snort rules read 28199 detection rules 150 decoder rules 268 preprocessor rules 28617 Option Chains linked into 1242 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ I believe these include line should be generated? Also if there is a snort conf error, the WebUI shows no error (no indication of Snort start / reload failure. Jarred
Adding the lines manually, saving: include $PREPROC_RULE_PATH/sensitive-data.rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules Then going to the IDS WebUI causes the changes to be reset.
The reason I found this issue was that Snort was not detecting port scans. Tried increasing tweaking WebUI settings: Priority Level and rules enabled and adjusting (and adding): "preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { hign } scan_type { all }" - but no change. Reverted changes made and checked the test readout found Preproc rules not loading - suspect this was the reason Tested: even with PREPROC rules, snort is not detecting port scans (GRC Sheilds Up!) - unknown if this is a bug or a config issue. Jarred
Re-Tested: = with PREPROC rules, snort IS detecting port scans (GRC Sheilds Up!) found that in the IDS.cgi - its looks for any line with .rules in it. so I renamed the preproc rules files from .rules to .rule5 and inserted the following lines into snort.conf include $PREPROC_RULE_PATH/sensitive-data.rule5 include $PREPROC_RULE_PATH/preprocessor.rule5 include $PREPROC_RULE_PATH/decoder.rule5 and all is well - looks like IDS.cgi needs to generate these lines include $PREPROC_RULE_PATH/sensitive-data.rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules I sidestep-ed the issue Jarred
IPFire version: IPFire 2.19 (i586) - core104 Pakfire version: 2.19.1 Kernel version: Linux cache 3.14.79-ipfire-pae #1 SMP Tue Sep 13 23:26:41 GMT 2016 i686 GNU/Linux updated core104 to new version (had old pre version before) - problem still exists - my workaround still works. http://fireinfo.ipfire.org/profile/9f4ede783cec8fc79de312d67a34508ca0c29472
Since I do not use VRT rules here, this never occured to me. Can you confirm this is still up to date? (Currently working on snort issues, see: https://wiki.ipfire.org/devel/telco/2017-11-06)
I need to update our ipfire on Friday (tomorrow) and check / let you know at the same time. The problem still existed when I setup our new x64 ipfire - I think it was core 103
testing now, sorry about delay
I have confirmed that the include lines are still absent and the VRT rules don't extract the rule files into /etc/snort/so_rules/ and /etc/snort/preproc_rules/ its worth noting however, the Preproc and SO rules paths are defined as vars, ready for use on x86_64 core 116 Missing from snort.conf : include $PREPROC_RULE_PATH/sensitive-data.rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules
Okay, thanks. I will have a look at it soon, sounds easy to fix (but we'll never know... :-) ).
The preproc files are not present when using the ET ruleset.
IPFire is going to drop snort as IDS and replace it by suricata. There are no preproc rules at all, so this bug can be closed.