PacketFence - BTS - PacketFence
View Issue Details
ID:              0000849
Project:         PacketFence
View Status:     public
Date Submitted:  2009-11-12 13:52
Last Update:     2011-01-26 15:43
Reporter:        obilodeau
Assigned To:     obilodeau
Priority:        high
Severity:        minor
Reproducibility: sometimes
Status:          closed
Resolution:      fixed
0000849: snort default config syntax error
Our default snort config uses the flow preprocessor. According to snort's changelog it's not there since 2008-10-03, which would be something like 2.8.x.

stream5 would be a contender to replace the flow preprocessor.

We would need to fix our default template.
No tags attached.
Issue History
2009-11-12 13:52  obilodeau  New Issue
2009-11-12 13:52  obilodeau  Status: new => assigned
2009-11-12 13:52  obilodeau  Assigned To: => obilodeau
2009-11-13 10:16  obilodeau  Note Added: 0001397
2009-11-13 14:10  obilodeau  Summary: snort doesn't support flow preprocessor => snort default config syntax error
2009-11-17 16:47  obilodeau  Note Added: 0001404
2009-11-19 14:45  obilodeau  Note Added: 0001407
2009-11-19 14:45  obilodeau  Status: assigned => resolved
2009-11-19 14:45  obilodeau  Resolution: open => fixed
2011-01-26 15:43  obilodeau  Status: resolved => closed

Notes
(0001397) obilodeau  2009-11-13 10:16
It seems that although flow is not listed in snort's preprocessors, it is still accepted as a valid preprocessor.

The problem is not there. It's more about the parameters. Here's the fix, change:

  from: preprocessor flow: memcap 262144000, stats_interval 0, hash 2
  to:   preprocessor flow: memcap 262144000 stats_interval 0 hash 2

in conf/templates/snort.conf

I would need to test that in the lab.
(0001404) obilodeau  2009-11-17 16:47
Following the guideline in the comment above does get you further; however, as soon as pfdetect hooks on the var/alert file, snort issues a fatal error:
[root@pf-dev pf]# /usr/sbin/snort -u pf -c /usr/local/pf/conf/snort.conf -i eth1 -N -l /usr/local/pf/var

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/pf/conf/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'SHELLCODE_PORTS' defined :  [ any ]
Tagged Packet Limit: 256
Log directory = /usr/local/pf/var
PerfMonitor config:
    Time:           600 seconds
    Flow Stats:     ACTIVE
    Event Stats:    INACTIVE
    Max Perf Stats: ACTIVE
    Console Mode:   INACTIVE
    File Mode:      /usr/local/pf/logs/snortstat
    SnortFile Mode: INACTIVE
    Packet Count:   90000
    Dump Summary:   No
    Max file size:  2147483648
ERROR: /usr/local/pf/conf/snort.conf(25) Unknown preprocessor: "flow".
Fatal Error, Quitting..
(0001407) obilodeau  2009-11-19 14:45
Took the default preprocessors from /etc/snort/snort.conf.

Fixed in the 1.8 branch: http://mtn.inverse.ca/revision/info/4035cca68326bfae23143f7b9eb036233d3bf6fa
Will be ported to 1.9.

A test case has also been added to check for that behavior (pfdetect stops after tailing the snort pipe).
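The failure in this ticket is a template that names a preprocessor the installed Snort no longer knows, and Snort only reports it when it parses the config at startup (after pfdetect is already waiting on the alert pipe). A cheap way to catch that class of error before deploying a template is to lint the config for preprocessor directives. The following linter is an added example and is not PacketFence or Snort code: it joins backslash-continued lines the way Snort does, extracts every `preprocessor NAME: args` directive, and flags names in a removal table. Only `flow` is in that table because that is what the ticket documents; the stream5 replacement text is the one proposed in the description, and the sample config is constructed for illustration.

```python
"""Lint a Snort 2.8-era snort.conf for preprocessors Snort no longer accepts.

Added example (not PacketFence or Snort code). The removal table and the
sample config below are constructed for illustration.
"""
import re

# Preprocessors treated as removed, mapped to a suggested replacement.
# Assumption: only `flow` is listed, as in the ticket; extend for your version.
REMOVED_PREPROCESSORS = {
    "flow": "stream5 (preprocessor stream5_global / stream5_tcp)",
}

# Matches "preprocessor NAME" or "preprocessor NAME: arguments".
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$")

# Constructed snort.conf excerpt modelled on the ticket (not the real template).
SAMPLE_CONF = """\
# constructed snort.conf excerpt
var HOME_NET any
preprocessor perfmonitor: time 600 file /usr/local/pf/logs/snortstat pktcnt 90000
preprocessor flow: memcap 262144000, stats_interval 0, hash 2
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
    track_udp no
preprocessor stream5_tcp: policy first
"""


def join_continuations(text):
    """Yield (first_line_number, logical_line), joining lines that end in a
    backslash, which is how Snort treats multi-line directives."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def preprocessors(text):
    """Return [(line_number, name, args)] for every preprocessor directive,
    skipping blank lines and comments."""
    found = []
    for num, line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        m = PREPROC_RE.match(line)
        if m:
            found.append((num, m.group(1), m.group(2) or ""))
    return found


def lint_snort_conf(text):
    """Return [(line_number, name, message)] for directives Snort would reject
    with 'Unknown preprocessor', e.g. the `flow` line from the ticket."""
    findings = []
    for num, name, _args in preprocessors(text):
        if name in REMOVED_PREPROCESSORS:
            findings.append((num, name,
                f'Unknown preprocessor "{name}"; replace with '
                f"{REMOVED_PREPROCESSORS[name]}"))
    return findings


if __name__ == "__main__":
    for num, name, msg in lint_snort_conf(SAMPLE_CONF):
        print(f"snort.conf({num}): {msg}")
```

Run against a real template (`lint_snort_conf(open(path).read())`) before shipping it; a non-empty result is exactly the condition that would otherwise surface only as Snort's "Fatal Error, Quitting.." after pfdetect has attached to the alert file.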