
Author Topic: Host Attribute Table  (Read 277 times)


Offline Beerman

Host Attribute Table
« on: August 12, 2017, 05:21:54 pm »
Hi,

I cannot activate the "Host Attribute Table" in the "Preprocessors and Flow" menu.

I always get the same error:

Quote
php-fpm[8446]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 49222 -D -l /var/log/snort/snort_re0_vlan40049222 --pid-path /var/run --nolock-pidfile -G 49222 -c /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf -i re0_vlan400' returned exit code '1', the output was ''

snort[58728]: FATAL ERROR: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> failed to load attribute table from /usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes

snort[58728]: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> Invalid Attribute Table specification: '/usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes'. Please verify the grammar at or near line 0 (tag '<SNORT_ATTRIBUTES>').

But I also tried the "official" example from the Snort Documentation. (--> https://www.snort.org/documents/1 on Page 170)

Same Error...  :(

My mistake? Can someone help me?

Thx!

Offline bmeeks

Re: Host Attribute Table
« Reply #1 on: August 16, 2017, 09:19:22 am »
Did you by chance create or upload your Host Attribute table from a Windows machine?  Snort might be getting tripped up on the DOS line endings (CR/LF) versus the typical UNIX line endings (LF only).

It's been quite some time since I've looked at or tested that code in Snort, but that also means nothing really should have changed there either since it has not been touched.  I know it worked when the feature was first introduced.  I might still have the old Host Attribute table file I tested with.  If so I can test it again in a VM.

Bill

Offline Beerman

Re: Host Attribute Table
« Reply #2 on: August 16, 2017, 03:47:44 pm »
Thx, for reply!

I just tested again, with the example from the snort documentation.

Here the example, I tried:

Code:
<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP>
<ENTRY>
<ID>1</ID>
<VALUE>Linux</VALUE>
</ENTRY>
<ENTRY>
<ID>2</ID>
<VALUE>ssh</VALUE>
</ENTRY>
</ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE>
<HOST>
<IP>192.168.1.234</IP>
<OPERATING_SYSTEM>
<NAME>
<ATTRIBUTE_ID>1</ATTRIBUTE_ID>
<CONFIDENCE>100</CONFIDENCE>
</NAME>
<VENDOR>
<ATTRIBUTE_VALUE>Red Hat</ATTRIBUTE_VALUE>
<CONFIDENCE>99</CONFIDENCE>
</VENDOR>
<VERSION>
<ATTRIBUTE_VALUE>2.6</ATTRIBUTE_VALUE>
<CONFIDENCE>98</CONFIDENCE>
</VERSION>
<FRAG_POLICY>linux</FRAG_POLICY>
<STREAM_POLICY>linux</STREAM_POLICY>
</OPERATING_SYSTEM>
<SERVICES>
<SERVICE>
<PORT>
<ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</PORT>
<IPPROTO>
<ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</IPPROTO>
<PROTOCOL>
<ATTRIBUTE_ID>2</ATTRIBUTE_ID>
<CONFIDENCE>100</CONFIDENCE>
</PROTOCOL>
<APPLICATION>
<ATTRIBUTE_VALUE>OpenSSH</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
<VERSION>
<ATTRIBUTE_VALUE>3.9p1</ATTRIBUTE_VALUE>
<CONFIDENCE>93</CONFIDENCE>
</VERSION>
</APPLICATION>
</SERVICE>
<SERVICE>
<PORT>
<ATTRIBUTE_VALUE>2300</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</PORT>
<IPPROTO>
<ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</IPPROTO>
<PROTOCOL>
<ATTRIBUTE_VALUE>telnet</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</PROTOCOL>
<APPLICATION>
<ATTRIBUTE_VALUE>telnet</ATTRIBUTE_VALUE>
<CONFIDENCE>50</CONFIDENCE>
</APPLICATION>
</SERVICE>
</SERVICES>
<CLIENTS>
<CLIENT>
<IPPROTO>
<ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
<CONFIDENCE>100</CONFIDENCE>
</IPPROTO>
<PROTOCOL>
<ATTRIBUTE_VALUE>http</ATTRIBUTE_VALUE>
<CONFIDENCE>91</CONFIDENCE>
</PROTOCOL>
<APPLICATION>
<ATTRIBUTE_VALUE>IE Http Browser</ATTRIBUTE_VALUE>
<CONFIDENCE>90</CONFIDENCE>
<VERSION>
<ATTRIBUTE_VALUE>6.0</ATTRIBUTE_VALUE>
<CONFIDENCE>89</CONFIDENCE>
</VERSION>
</APPLICATION>
</CLIENT>
</CLIENTS>
</HOST>
</ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>

Yes, the upload was done with a Windows machine, but I used "Notepad++" and converted the file to Unix (LF) format before the upload to Snort.  --> Same Error.  :(

Code:
Aug 16 22:37:53 snort[83947]: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> Invalid Attribute Table specification: '/usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes'. Please verify the grammar at or near line 0 (tag '<SNORT_ATTRIBUTES>').

Offline bmeeks

Re: Host Attribute Table
« Reply #3 on: August 16, 2017, 05:34:48 pm »
It looks OK.  Give me a little time to test this in a virtual machine.  Might be something that got inadvertently messed up way back with the Bootstrap conversion of the GUI code.  That was a lot of work done in a hurry, and some insidious little bugs crept in.

Bill

Offline Beerman

Re: Host Attribute Table
« Reply #4 on: August 17, 2017, 03:54:39 am »
OK, Thx!  :)

Offline bmeeks

Re: Host Attribute Table
« Reply #5 on: August 17, 2017, 08:03:06 pm »
This problem is officially kicking my butt ...  :'(.

I can't seem to find why it rejects the Host Attribute Table file.  I even used the one verbatim from the Snort documentation web site, and it still fails to load it.  Still scratching my head trying to find this bug ...

Bill

Offline Beerman

Re: Host Attribute Table
« Reply #6 on: August 18, 2017, 12:14:24 am »
 :'(

Hmm... Compilation flag missing?

Quote
Note:   To use a host attribute table and service information, Snort must be configured with the -enable-targetbased flag.

Offline bmeeks

Re: Host Attribute Table
« Reply #7 on: August 18, 2017, 11:57:52 am »
:'(

Hmm... Compilation flag missing?

Quote
Note:   To use a host attribute table and service information, Snort must be configured with the -enable-targetbased flag.

No, checked that first.  If that is not turned on, you get a different error about the feature not being recognized.  I made sure the line endings were UNIX -- no difference.  Tried several slightly different forms of the XML -- no difference.  I'm wondering if it is an issue within Snort itself.  Wonder if this feature is heavily used?  I will try spinning up a plain vanilla Linux machine and running just the Snort binary to see if it also chokes on the Host Attribute Table file.

Bill
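
Added example (not part of any post in this thread, and not code from Snort or the pfSense package): a Python pre-flight check for the file-level causes the posts above rule out by hand, namely DOS line endings, a byte order mark, malformed XML and a wrong root tag. The `ATTRIBUTE_ID` lookup is an assumption drawn from how the posted sample pairs `ATTRIBUTE_ID` with `ATTRIBUTE_MAP` entries; `check_host_attributes` and `SAMPLE` are names made up for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the table posted in the thread.
SAMPLE = b"""<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP>
<ENTRY>
<ID>1</ID>
<VALUE>Linux</VALUE>
</ENTRY>
</ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE>
<HOST>
<IP>192.168.1.234</IP>
<OPERATING_SYSTEM>
<NAME>
<ATTRIBUTE_ID>1</ATTRIBUTE_ID>
<CONFIDENCE>100</CONFIDENCE>
</NAME>
</OPERATING_SYSTEM>
</HOST>
</ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
"""

def check_host_attributes(raw: bytes) -> list:
    """Return the file-level problems found in a host attribute table."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the first tag")
    if b"\r" in raw:
        problems.append("CR bytes present (DOS line endings)")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems
    if root.tag != "SNORT_ATTRIBUTES":
        problems.append(f"root element is <{root.tag}>, not <SNORT_ATTRIBUTES>")
    # Assumption: every ATTRIBUTE_ID should point at an <ID> in ATTRIBUTE_MAP.
    declared = {e.findtext("ID", "").strip() for e in root.iterfind("ATTRIBUTE_MAP/ENTRY")}
    for ref in root.iter("ATTRIBUTE_ID"):
        if (ref.text or "").strip() not in declared:
            problems.append(f"ATTRIBUTE_ID {ref.text!r} has no ATTRIBUTE_MAP entry")
    return problems

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in check_host_attributes(data) or ["no file-level problems found"]:
        print(line)
```

Run it with the path to the `host_attributes` file as the only argument; an empty result means the file itself is clean and the cause lies elsewhere.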

Offline bmeeks

Re: Host Attribute Table
« Reply #8 on: August 22, 2017, 04:03:14 pm »
Still have not found the source of this Host Attribute Table validation error.  I went ahead and posted an update with other bug fixes because those needed to get out to users.  I will keep looking for the Host Attribute Table problem.

Bill

Offline Beerman

Re: Host Attribute Table
« Reply #9 on: August 22, 2017, 05:43:09 pm »
Thank you, for your support!  :)