Snort local rules not updated


shreyak chakraborty

Apr 7, 2017, 8:20:47 AM
to security-onion
I wrote a snort rule and saved in the /etc/nsm/rules/local.rules file

But after I run the rule-update command, no alert is generated in Sguil based on that rule. It was working when I first installed Security Onion.

Here is my rule:
alert tcp any any -> any any (content:"facebook.com"; msg:"Facebook is being used!!";sid:100001;)

This is the output of the rule-update command:

Fri Apr 7 10:55:30 IST 2017
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 624.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 625.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 628.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 632.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 634.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 624.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 625.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 628.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 632.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 634.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 624.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 625.
Use of uninitialized value $rule in pattern match (m//) at /usr/bin/pulledpork.pl line 628.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 632.
Use of uninitialized value $sid in hash element at /usr/bin/pulledpork.pl line 634.
Use of uninitialized value in pattern match (m//) at /usr/bin/pulledpork.pl line 1316.
Use of uninitialized value in pattern match (m//) at /usr/bin/pulledpork.pl line 1316.
Use of uninitialized value $msg_holder in pattern match (m//) at /usr/bin/pulledpork.pl line 1370.
Use of uninitialized value $msg_holder in pattern match (m//) at /usr/bin/pulledpork.pl line 1399.

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Setting Flowbit State....
Enabled 89 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----21105
Dropped Rules:----0
Disabled Rules:---4300
Total Rules:------25405
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: vidyatech-eth1
* stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
* starting: barnyard2-1 (spooler, unified2 format) [ OK ]
Restarting IDS Engine.
Restarting: vidyatech-eth1
* stopping: snort-1 (alert data) [ OK ]
* starting: snort-1 (alert data) [ OK ]
[2]+ Done

What am I doing wrong?

Doug Burks

Apr 7, 2017, 8:43:23 AM
to securit...@googlegroups.com
Hi shreyak,

I copied your rule into a test VM and was able to duplicate your
PulledPork errors. I then added a space before sid:100001, re-ran
rule-update, and it worked properly.

So please try changing your rule from this:

alert tcp any any -> any any (content:"facebook.com"; msg:"Facebook is being used!!";sid:100001;)

to this:

alert tcp any any -> any any (content:"facebook.com"; msg:"Facebook is being used!!"; sid:100001;)

--
Doug Burks
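The failure in this thread is a rule-syntax problem rather than a Snort engine problem: PulledPork's rule parsing did not recognise the sid when `;sid:` followed the msg string with no whitespace, so the rule never made it into the sid-msg.map and no alert was ever generated. The following Python linter is an added example, not part of this thread, of Security Onion or of PulledPork; it tokenises a rule's option body with a quote-aware splitter and reports options that are not preceded by whitespace, a missing msg or sid, and an unterminated option list. It also emits a note when the sid is below 1,000,000, which is the Snort convention for the start of the local SID range and is not something the thread discusses. The sample rules, the names `SAMPLE_RULES`, `LOCAL_SID_MIN`, `split_options`, `lint_rule` and `lint_rules` are all constructed for this example.

```python
import re

# Constructed sample rules for this example (not a real local.rules file).
# Line 1 is the rule as posted in the thread (no space before sid:),
# line 2 is the corrected form from the reply, line 3 is a well-formed
# local rule that also uses a SID in the conventional local range.
SAMPLE_RULES = """\
alert tcp any any -> any any (content:"facebook.com"; msg:"Facebook is being used!!";sid:100001;)
alert tcp any any -> any any (content:"facebook.com"; msg:"Facebook is being used!!"; sid:100001;)
alert tcp any any -> any any (msg:"Example local rule"; content:"example"; sid:1000001; rev:1;)
"""

# Snort convention (not stated in the thread): SIDs below 1,000,000 are
# reserved for vendor rulesets; locally written rules start at 1,000,000.
LOCAL_SID_MIN = 1000000

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(body):
    """Split a rule option body on ';' characters outside double quotes.

    Returns (name, value, leading_space) tuples; leading_space records
    whether whitespace separated the option from the preceding ';', which
    is exactly what the thread's broken rule lacks before 'sid:'.
    Backslash escapes inside quoted strings are honoured.
    """
    options, current = [], []
    in_quote = escaped = False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ';' and not in_quote:
            raw = ''.join(current)
            name, _, value = raw.strip().partition(':')
            # The first option follows '(' directly, so no space is expected.
            leading_space = not options or raw[:1].isspace()
            options.append((name.strip(), value.strip(), leading_space))
            current = []
        else:
            current.append(ch)
    raw = ''.join(current)
    if raw.strip():
        # Trailing option with no terminating ';' (reported separately).
        name, _, value = raw.strip().partition(':')
        options.append((name.strip(), value.strip(), not options or raw[:1].isspace()))
    return options


def lint_rule(rule):
    """Return a list of findings ('error: ...' or 'note: ...') for one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['error: rule header could not be parsed']
    body = m.group('opts')
    findings = []
    if not body.rstrip().endswith(';'):
        findings.append('error: last option is not terminated by ";"')
    options = split_options(body)
    for name, _, leading_space in options:
        if not leading_space:
            findings.append(f"error: no whitespace before option '{name}' (write '; {name}:')")
    names = [name for name, _, _ in options]
    if 'msg' not in names:
        findings.append('error: missing msg option')
    sids = [value for name, value, _ in options if name == 'sid']
    if not sids:
        findings.append('error: missing sid option')
    elif not sids[0].isdigit():
        findings.append(f'error: sid is not numeric: {sids[0]!r}')
    elif int(sids[0]) < LOCAL_SID_MIN:
        findings.append(f'note: sid {sids[0]} is below {LOCAL_SID_MIN}, the conventional start of the local SID range')
    return findings


def lint_rules(text):
    """Lint every non-blank, non-comment line; returns {line_number: findings}."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        findings = lint_rule(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == '__main__':
    # Run against the constructed samples; point lint_rules at the contents
    # of /etc/nsm/rules/local.rules to check a real file before rule-update.
    for lineno, findings in lint_rules(SAMPLE_RULES).items():
        for finding in findings:
            print(f'line {lineno}: {finding}')
```

Running the linter over local.rules before invoking rule-update turns a silent failure (a rule that loads nowhere and a wall of "uninitialized value" warnings from pulledpork.pl) into an explicit finding on the offending line; the quote-aware split matters because a `;` inside a content or msg string must not be treated as an option separator.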