Endian 2.3 and Intrusion Detection/Prevention

[Guest]

[danodemano]

I have been having this problem and can't seem to figure out what's going on.  I cannot get the Intrusion prevention to start, it just wont.  I keep messing with it and as soon as I fetch the rules, it dies.  A look in the "messages" log usually shows something like this:

Code:

Oct  4 14:57:40 gateway snort[28084]: FATAL ERROR: Warning: /etc/snort/processed.rules(7064) => Unknown keyword ' http_h*ader' in rule!

But if I go in to the rule and try to fix that line, as soon as I restart the Intrusion prevention is just overwrites my file regardless if I have auto update turned on or not.  I presume this is the reason I cannot start the Intrusion Prevention but I cannot figure out how to fix it.  If I disable the "fetch update rules automatically" it will start up however the processed.rules file is empty save a header that says

Code:

# created by restartsnort -> process_rules

so I suspect that it doesn't have any rules?  Anyone have any thoughts on this?
Thanks,
Dan

[StephanSch]

On a short watch at the 2.3 some days ago I think I have seen that you can enable/disable rules on the webinterface now.

[danodemano]

Wow....I feel stupid now.  I remember reading that myself now that you mention it.  As it turns out, the offending rule was:

Code:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC WordPress plug-in ial path disclosure"; flow:established,to_server; uricontent:"/wp-content/plugins/"; nocase; content:!"|0d 0a|Referer|3a 20|"; nocase; http_er; cltype:attempted-recon; reference:url,seclists.org/fulldisclosure/2009/Sep/0387.html; reference:url,doc.emergingthreats.net/2009996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2009996; rev:3;)

In the emerging-web_specific_apps.rules file.
Thanks!!

[Halfwalker]

Hrm - my 2.3rc1 is a little different.  Intrusion Detection appears to start OK, and updates the rules OK.  At least, it says it did.  The Dashboard however, that shows that Intrusion Detection is OFF.  I disabled the rule mentioned above, but no go.

So, which is it ?  On or off ?  There don't appear to be any logs for it.

D.

<Edit>  I take it back.  Now the Dashboard is showing it as on, so it appears to be working fine.  I guess there a small delay before status was updated.

danodemano - how did you work out the offending rule that was causing the trouble ?

[danodemano]

LOL, it was not easy at all.  I looked in the messages log and found what was causing the problem in the processed.rules file but since this is generated off the rules in another folder, I still didn't know where it was.  What I ended up doing was SCPing ALL the rules files down, opening them all in notepad++, and searching for the http_header mentioned in the error.  It turned up in only one file.  Once I found which file it was in, I got the SID and went into the Endian admin and searched for it in the rules file that I had found it in.  It too turned up only a single hit so I disabled it and all was well!

[mrkroket]

Related to this:
http://bugs.endian.it/view.php?id=2227

It seems that if we update Snort it will renew the offending rule.

[danodemano]

Yes, it appears to be a bad rule coming down the pipe.  This is why I have not updated my rules.