Bug #8206

closed

Hosted Openappid rules - syntax error

Added by Lance Fogle over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Category: Unknown
Target version: -
Start date: 12/12/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2
Affected Architecture: All

Description

There is currently no community knowledge of who the "volunteer maintainer" is for the file hosted at http://files.pfsense.org/openappid/appid_rules.tar.gz, so I am hoping that someone can get this bug report information to the person responsible.

There are syntax errors in the rules (missing the closing ")" on several rules) which cause snort to fail to start until you manually chase down each one. I did the work to identify and disable the troublesome rules so I could use the rest, and so will share the details below on what rules to disable and what categories they belong to, to save you guys some time until this is fixed.

The error produced is FATAL ERROR: /usr/local/etc/snort/snort_{0}_igb{0}/rules/snort.rules({0}) Rule options must be enclosed in '(' and ')'.

file_storage.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
ads.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
network_protocol.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"cisco_sysmaint";flow:from_client;appid:cisco_sysmaint; sid:70052 ; classtype:misc-activity; rev:1;
social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"networker";flow:from_client;appid:networker; sid:71392 ; classtype:misc-activity; rev:1;
social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sway";flow:from_client;appid:sway; sid:72795 ; classtype:misc-activity; rev:1;
streaming_media.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"crackle";flow:from_client;appid:crackle; sid:70785 ; classtype:misc-activity; rev:1;
webbrowser.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"epiphany";flow:from_client;appid:epiphany; sid:71186 ; classtype:misc-activity; rev:1;
web_services.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ensighten";flow:from_client;appid:ensighten; sid:71488 ; classtype:misc-activity; rev:1;

If someone knows where to file bug reports specifically for this hosted ruleset please let me know so they can be made aware and fix the errors.
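
A pre-load check for this failure, added here as an example and not part of the original report or of the pfSense Snort package: it flags every active rule whose options are not enclosed in '(' and ')' and can comment those rules out so the remaining rules still load. It assumes one rule per line, as in the listings above; the function names, the sample text and sids 1000001 and 1000002 are constructed for illustration.

```python
import re

# Constructed sample: two broken rules quoted in the report, plus one
# well-formed rule and one already-disabled rule invented for this example.
SAMPLE = '''\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"example (ok)";flow:from_client;appid:example_ok; sid:1000001 ; classtype:misc-activity; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"already_disabled"; sid:1000002 ; rev:1;
'''

RULE_RE = re.compile(r"\s*(alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def options_enclosed(rule):
    """True if options open with '(' and the rule ends with an unquoted ')'."""
    rule = rule.strip()
    start = rule.find("(")
    if start == -1 or not rule.endswith(")"):
        return False
    in_quote, i = False, start
    while i < len(rule):
        if rule[i] == "\\":        # skip an escaped character such as \"
            i += 2
            continue
        if rule[i] == '"':
            in_quote = not in_quote
        i += 1
    return not in_quote            # closing ')' must be outside any string


def find_unclosed(text):
    """Return [(line_number, sid)] for active rules missing the closing ')'."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        if RULE_RE.match(line) and not options_enclosed(line):
            m = SID_RE.search(line)
            bad.append((n, int(m.group(1)) if m else None))
    return bad


def disable_unclosed(text):
    """Comment out the offending rules so the rest of the file still loads."""
    bad = {n for n, _ in find_unclosed(text)}
    return "\n".join("# " + l if n in bad else l
                     for n, l in enumerate(text.splitlines(), 1)) + "\n"
```

Running find_unclosed over each extracted .rules file before Snort is restarted gives the line numbers and sids to disable in one pass instead of one fatal error per restart.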

Actions #1

Updated by Lance Fogle over 6 years ago

This was originally posted in the forum at https://forum.pfsense.org/index.php?topic=141319.0

Actions #2

Updated by Jim Thompson over 6 years ago

  • Assignee set to Renato Botelho

Renato knows.

Actions #3

Updated by Renato Botelho over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Should be fixed now

Actions #4

Updated by Lance Fogle over 6 years ago

Renato Botelho wrote:

Should be fixed now

Sorry for the delayed confirmation but, as I'm sure you know by now, this is indeed resolved.

Actions #5

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved