PacketFence - BTS - PacketFence
View Issue Details
ID: 0001600
Project: PacketFence
Category: scanning
View Status: public
Date Submitted: 2012-11-10 21:21
Last Update: 2013-10-09 09:49
Reporter: _KaszpiR_
Assigned To: francis
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 3.6.0
 
0001600: Debain snort missing emerging-attack_response.rules
By default packetfence does not come up with any rules.
This means the snort will always fail to start.
Output of the packetfence command without -D (daemonize)

root@packetfence:~# /usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -l /usr/local/pf/var --pid-path /usr/local/pf/var/run
Found pid path directive (/usr/local/pf/var/run)
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/pf/var/conf/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'SHELLCODE_PORTS' defined : [ any ]
ERROR: Unable to open rules file "/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-attack_response.rules": No such file or directory.
Fatal Error, Quitting..
No tags attached.
Issue History
2012-11-10 21:21  _KaszpiR_  New Issue
2012-11-10 21:49  _KaszpiR_  Note Added: 0003273
2012-11-10 22:33  _KaszpiR_  Note Added: 0003274
2012-11-11 06:45  fdurand    Note Added: 0003275
2013-10-09 09:49  francis    Status: new => closed
2013-10-09 09:49  francis    Assigned To: => francis
2013-10-09 09:49  francis    Resolution: open => fixed

Notes
(0003273)
_KaszpiR_   
2012-11-10 21:49   
Looks like update_rules.pl was not run in the installation process (weird?)
Would be nice if the snort service ran that command on start.

Additionally, looks like the generated path for the rules is bad, merged with other variable, or /var/run is prepended.
Dirty fix:
ln -s /usr/local/pf/conf/snort /usr/local/pf/var/conf/snort


After running update_rules.pl another issue - missing emerging-virus.rules

root@packetfence:/usr/local/pf/addons/snort# /usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -l /usr/local/pf/var --pid-path /usr/local/pf/var/run
Found pid path directive (/usr/local/pf/var/run)
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/pf/var/conf/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'SHELLCODE_PORTS' defined : [ any ]
ERROR: Unable to open rules file "/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules": No such file or directory.
Fatal Error, Quitting..


So maybe violations.conf should be automatically updated with the list of available rules?
(0003274)
_KaszpiR_   
2012-11-10 22:33   
Hm, still the snort as service dies without giving any useful error message, while a short run from console does not want to go to background.

Switched to suricata, no issues so far.
(0003275)
fdurand   
2012-11-11 06:45   
Since we use the new configurator, use /usr/local/pf/addons/snort/update_rules.pl to get the snort rules.
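A pre-flight check for the two failure modes discussed in the notes above (rules files never downloaded, and the service dying without a useful message), added here as example code and not anything from PacketFence or the reporters: it parses the generated snort.conf, expands $VAR references defined by earlier var lines, resolves relative includes against the conf file's directory (an assumed rule for this example) and lists every rules file that does not exist, so the gap is visible before snort is started. The directory layout in build_sample is a constructed miniature of the one in the report.

```python
import os
import re
import tempfile
VAR_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
REF_RE = re.compile(r'\$(\w+)')


def expand(value, variables):
    """Substitute $NAME references from earlier var lines; unknown names stay literal."""
    return REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve_include(arg, conf_dir):
    """Assumed rule: a relative include is looked up in the conf file's own directory."""
    return arg if arg.startswith('/') else os.path.join(conf_dir, arg)


def check_snort_conf(conf_path):
    """Return [(include line, resolved path)] for every include whose file is missing."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, missing = {}, []
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.split('#', 1)[0].strip()  # drop trailing comments
            if m := VAR_RE.match(line):
                variables[m.group(1)] = expand(m.group(2), variables)
            elif m := INCLUDE_RE.match(line):
                target = resolve_include(expand(m.group(1), variables), conf_dir)
                if not os.path.isfile(target):
                    missing.append((line, target))
    return missing


def build_sample(tmp_dir):
    """Constructed layout like the report: rules in conf/snort, generated conf in var/conf."""
    rules_dir, conf_dir = (os.path.join(tmp_dir, p) for p in ('conf/snort', 'var/conf'))
    for d in (rules_dir, conf_dir):
        os.makedirs(d)
    open(os.path.join(rules_dir, 'emerging-attack_response.rules'), 'w').close()
    conf_path = os.path.join(conf_dir, 'snort.conf')
    with open(conf_path, 'w') as fh:
        fh.write('var RULE_PATH %s\n'
                 'include $RULE_PATH/emerging-attack_response.rules\n'
                 'include $RULE_PATH/emerging-virus.rules  # never downloaded\n'
                 'include classification.config\n' % rules_dir)
    return conf_path


def demo():
    """Run the check on the sample; returns the resolved paths of the missing includes."""
    with tempfile.TemporaryDirectory() as tmp:
        return [target for _, target in check_snort_conf(build_sample(tmp))]
```

Run check_snort_conf against the real /usr/local/pf/var/conf/snort.conf after update_rules.pl to confirm every referenced rules file is present; an include that still fails inside snort with a doubled path like the one in the report points at the generated path itself rather than at a missing download.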