
Resolved
0 votes
I am experiencing a Snort failure after the rules update of 16 May.

Disabling these 9 rules gets it running again:

include $RULE_PATH/clearcenter/dns.rules
include $RULE_PATH/clearcenter/exploit.rules
include $RULE_PATH/clearcenter/ftp.rules
include $RULE_PATH/clearcenter/netbios.rules
include $RULE_PATH/clearcenter/pop3.rules
include $RULE_PATH/clearcenter/scan.rules
include $RULE_PATH/clearcenter/shellcode.rules
include $RULE_PATH/clearcenter/smtp.rules
include $RULE_PATH/clearcenter/sql.rules
Thursday, June 06 2013, 05:55 PM
Responses (11)
  • Friday, June 07 2013, 05:17 PM (accepted answer)
    Okay, updated to 2.9.0.7-1.1.v6. The problem seems to be solved.

    I saw that I also received an update of snort-gpl-rules today, but that was after I installed 2.9.0.7-1.1.v6, so I'm not sure whether that update solved the problem.

  • Friday, June 07 2013, 03:36 PM
    Odd.
    # rpm -qa | grep snort
    snort-2.9.0.4-3.v6.x86_64
    snort-gpl-rules-2.9.0.5-1.1.v6.noarch

    ... or perhaps not so odd, as 2.9.0.6 has been withdrawn (do a "yum list snort-gpl-rules --enablerepo=*") and 2.9.0.7 is now available in clearos-test. Up to you if you go forward or back. I'd make sure you only selectively update from clearos-test. It is normally disabled by default.

  • Friday, June 07 2013, 02:46 PM
    Hi Tim.

    I have nothing installed from the clearos-test repo. This is a fresh install of ClearOS, two days old.

    Output of rpm -q snort-gpl-rules:

    snort-gpl-rules-2.9.0.6-1.1.v6.noarch

    Output of grep snort /var/log/yum.log:

    Jun 04 18:01:59 Installed: snort-2.9.0.4-3.v6.x86_64
    Jun 04 18:02:01 Installed: snort-gpl-rules-2.9.0.5-1.1.v6.noarch
    Jun 05 03:12:29 Updated: snort-gpl-rules-2.9.0.6-1.1.v6.noarch

  • Friday, June 07 2013, 01:18 PM
    What's the output of 'rpm -q snort-gpl-rules' and 'grep snort /var/log/yum.log'?

    The only new package I can see is in the clearos-test repo (which should be disabled unless you know what you're doing). These packages are built automatically from upstream and provided to the devs before consumption by users.

    Simply removing snort-gpl-rules, disabling the clearos-test repo and reinstalling would be the best way forward.

  • Friday, June 07 2013, 11:10 AM
    Someone who is paying for these updates needs to raise a support ticket with ClearCenter. You may just be able to stop using the DNS rules. Otherwise, from the error message it looks like a lot of rule numbers have been duplicated. All the duplicates need to be removed from /etc/snort.d/rules/gpl/dns.rules. I don't subscribe to the updates so I can't check.

    [edit]
    These aren't subscribed rules. They are the GPL ones. I'll have to check my system when I get home later.

    Can someone file an urgent bug? I won't be able to until tonight or tomorrow.
    [/edit]

  • Thursday, June 06 2013, 09:21 PM
    No Snort error in the messages log. After increasing the rate limiting in rsyslog I got some info.

    Jun  6 23:09:27 gateway snort[30702]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    Jun 6 23:09:27 gateway snort[30702]: Initializing rule chains...
    Jun 6 23:09:27 gateway snort[30702]: WARNING /etc/snort.d/rules/clearcenter/botcc.rules(2) threshold (in rule) is deprecated; use detection_filter instead.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(130) GID 1 SID 2100258 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(136) GID 1 SID 2100261 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(142) GID 1 SID 2101435 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(145) GID 1 SID 2100257 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(160) GID 1 SID 2100256 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(163) GID 1 SID 2100252 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(166) GID 1 SID 2101616 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(169) GID 1 SID 2101948 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(184) GID 1 SID 2011911 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(187) GID 1 SID 2012826 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(190) GID 1 SID 2012900 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(197) GID 1 SID 2012903 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(200) GID 1 SID 2012956 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(203) GID 1 SID 2013016 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(206) GID 1 SID 2013124 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(209) GID 1 SID 2013172 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(212) GID 1 SID 2013847 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(215) GID 1 SID 2013848 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(218) GID 1 SID 2013849 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(221) GID 1 SID 2013850 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(224) GID 1 SID 2013851 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(227) GID 1 SID 2013852 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(230) GID 1 SID 2013853 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(233) GID 1 SID 2013854 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(236) GID 1 SID 2013855 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(239) GID 1 SID 2013856 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(242) GID 1 SID 2013857 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(245) GID 1 SID 2013858 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(248) GID 1 SID 2013859 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(251) GID 1 SID 2013860 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(254) GID 1 SID 2013861 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(257) GID 1 SID 2013862 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(260) GID 1 SID 2013970 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(263) GID 1 SID 2014285 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(266) GID 1 SID 2014701 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(269) GID 1 SID 2014702 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(272) GID 1 SID 2014703 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(277) GID 1 SID 2016413 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(280) GID 1 SID 2016418 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(283) GID 1 SID 2016419 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(286) GID 1 SID 2016420 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(289) GID 1 SID 2016421 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(292) GID 1 SID 2016422 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(295) GID 1 SID 2016423 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: WARNING /etc/snort.d/rules/gpl/dns.rules(298) GID 1 SID 2016569 in rule duplicates previous rule. Ignoring old rule.#012
    Jun 6 23:09:29 gateway snort[30702]: FATAL ERROR: /etc/snort.d/rules/gpl/dns.rules(298) threshold (in rule): could not create threshold - only one per sig_id=2016569.

  • Thursday, June 06 2013, 08:47 PM
    Good idea, but it has to wait till tomorrow evening; off to bed. Thanks.

  • Thursday, June 06 2013, 08:37 PM
    It might be large but the failing rule will appear right at the end of the part where snort is loading. Just do a "service snort start" and look at the end of the file when it fails. Or just do a "grep snort /var/log/messages". When it finishes scrolling by you will have the failing rule or error message on the screen.

  • Thursday, June 06 2013, 08:19 PM
    Hi Nick,

    You're right, it's 9 sets of rules. Is there a faster way to find the failing rule than examining /var/log/messages? My /var/log/messages is large.

  • Thursday, June 06 2013, 08:01 PM
    That is not 9 rules, it is 9 sets of rules! I don't think you want to do that. Have a look in /var/log/messages and you should be able to find the failing rule. There will be a message. Note the rule number - possibly with sid in front of it. Then, if for example the failing rule is 2608, do something like:
    grep -r 'sid:2608;' /etc/snort.d/rules
    This will tell you which file the rule is in. Edit the file and disable the line by putting a # in front of it, then start Snort again.
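    The procedure in the post above (note the failing sid, grep for it under /etc/snort.d/rules, comment the line out) and the run of "duplicates previous rule" warnings ending in the "could not create threshold - only one per sig_id" FATAL ERROR in the log posted earlier in this thread come down to the same check, so here is an added example that is not from this thread, from ClearOS or from the Snort project: a Python script that parses Snort 2.x rule files, reports every (gid, sid) pair that appears more than once with file and line of each copy, flags the pairs where two copies both carry an in-rule threshold (that this combination is what turns a warning into the fatal error is inferred from the log above, not documented here), and can write back a copy of a rules file with all but the last duplicate commented out, which mirrors Snort's own "Ignoring old rule" behaviour. The sample rules are constructed for the example (only the sids are taken from the log above; the rule bodies are invented) and the comment-out policy in dedupe_text is the example's own choice, not ClearCenter's.

```python
"""Find duplicate GID/SID pairs in Snort 2.x rule files and flag the fatal ones.

Snort 2.9 logs "GID g SID n in rule duplicates previous rule. Ignoring old rule."
for every repeated signature; when both copies also carry an in-rule threshold
it aborts with "could not create threshold - only one per sig_id" (inferred
from the log in this thread). This scanner finds the duplicates before Snort does.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Rule lines start with an action keyword; comments, blanks, "include" and
# "var" lines are not signatures and are skipped.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
# Options are ';'-separated inside the parentheses; match the keyword as a whole token.
SID_RE = re.compile(r"(?:^|[\s;(])sid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"(?:^|[\s;(])gid\s*:\s*(\d+)\s*;")
THRESHOLD_RE = re.compile(r"(?:^|[\s;(])threshold\s*:")


def parse_rules(text, filename="<inline>"):
    """Return [(gid, sid, filename, lineno, has_threshold)] for each active rule line."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or not ACTION_RE.match(line):
            continue  # Snort never loads commented-out or non-rule lines
        sid = SID_RE.search(line)
        if not sid:
            continue  # rule without a sid; Snort rejects that separately
        gid = GID_RE.search(line)
        records.append((
            int(gid.group(1)) if gid else 1,  # Snort's default gid is 1
            int(sid.group(1)),
            filename,
            lineno,
            bool(THRESHOLD_RE.search(line)),
        ))
    return records


def find_duplicates(records):
    """Map each (gid, sid) seen more than once to its [(filename, lineno, has_threshold)]."""
    by_key = defaultdict(list)
    for gid, sid, filename, lineno, has_threshold in records:
        by_key[(gid, sid)].append((filename, lineno, has_threshold))
    return {key: occ for key, occ in by_key.items() if len(occ) > 1}


def fatal_duplicates(duplicates):
    """Keys where two or more copies carry a threshold: the case that stops Snort starting."""
    return {key for key, occ in duplicates.items()
            if sum(1 for _, _, has_threshold in occ if has_threshold) > 1}


def dedupe_text(text, filename="<inline>"):
    """Return a copy of one rules file with all but the last copy of each duplicated
    (gid, sid) commented out. Keeping the last copy mirrors Snort's "Ignoring old
    rule" behaviour, so the active rule set is unchanged (example policy, an assumption)."""
    duplicates = find_duplicates(parse_rules(text, filename))
    to_comment = {lineno for occ in duplicates.values() for _, lineno, _ in occ[:-1]}
    lines = text.splitlines()
    for lineno in to_comment:
        lines[lineno - 1] = "# duplicate sid, disabled: " + lines[lineno - 1]
    return "\n".join(lines) + "\n"


def scan_directory(root):
    """Collect duplicates across every *.rules file under root (e.g. /etc/snort.d/rules);
    a sid repeated between two files is just as much a duplicate as within one."""
    records = []
    for path in sorted(Path(root).rglob("*.rules")):
        records.extend(parse_rules(path.read_text(errors="replace"), str(path)))
    return find_duplicates(records)


# Constructed sample: the rule bodies are invented for this example and only the
# sids come from the log in this thread. This is not the real gpl/dns.rules.
SAMPLE_DNS_RULES = """\
# constructed sample, not the real /etc/snort.d/rules/gpl/dns.rules
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed rule A"; content:"|00 00 FC|"; sid:2100258; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed rule A"; content:"|00 00 FC|"; sid:2100258; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"constructed rule B"; threshold:type both, track by_src, count 100, seconds 60; sid:2016569; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"constructed rule B"; threshold:type both, track by_src, count 100, seconds 60; sid:2016569; rev:2;)
# alert udp any any -> any 53 (msg:"already disabled, must be ignored"; sid:2016569; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed rule C"; gid:1; sid:2013016; rev:1;)
"""


if __name__ == "__main__":
    # With a directory argument scan it; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        dups = scan_directory(sys.argv[1])
    else:
        dups = find_duplicates(parse_rules(SAMPLE_DNS_RULES, "dns.rules"))
    fatal = fatal_duplicates(dups)
    for (gid, sid), occ in sorted(dups.items()):
        where = ", ".join(f"{f}:{n}" for f, n, _ in occ)
        tag = "FATAL (two thresholds)" if (gid, sid) in fatal else "warning"
        print(f"GID {gid} SID {sid}: {tag}: {where}")
```

    Run it with no argument to see the sample report, or with /etc/snort.d/rules to check the live rule tree before restarting Snort after a snort-gpl-rules update. dedupe_text works on one file at a time; cross-file duplicates reported by scan_directory still have to be resolved by hand, and commenting rules out rather than deleting them keeps the package-managed file easy to diff when the next update arrives.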

  • Thursday, June 06 2013, 07:14 PM
    Hmm, just checked my system and I have the same issue. I have disabled the 9 rules. It's working again. I checked yesterday and IDS/IPS was working!