Bug #8206
closed
Hosted Openappid rules - syntax error
100%
Description
There is currently no community knowledge of who the "volunteer maintainer" is for the file hosted at http://files.pfsense.org/openappid/appid_rules.tar.gz, so I am hoping that someone can get this bug report information to the person responsible.
There are syntax errors in the rules (missing the closing ")" on several rules) which cause snort to fail to start until you manually chase down each one. I did the work to identify and disable the troublesome rules so I could use the rest, and so I will share the details below on what rules to disable and what categories they belong to, to save you guys some time until this is fixed.
The error produced is FATAL ERROR: /usr/local/etc/snort/snort_{0}_igb{0}/rules/snort.rules({0}) Rule options must be enclosed in '(' and ')'.
file_storage.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
ads.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;
network_protocol.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"cisco_sysmaint";flow:from_client;appid:cisco_sysmaint; sid:70052 ; classtype:misc-activity; rev:1;
social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"networker";flow:from_client;appid:networker; sid:71392 ; classtype:misc-activity; rev:1;
social_networking.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sway";flow:from_client;appid:sway; sid:72795 ; classtype:misc-activity; rev:1;
streaming_media.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"crackle";flow:from_client;appid:crackle; sid:70785 ; classtype:misc-activity; rev:1;
webbrowser.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"epiphany";flow:from_client;appid:epiphany; sid:71186 ; classtype:misc-activity; rev:1;
web_services.rules >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ensighten";flow:from_client;appid:ensighten; sid:71488 ; classtype:misc-activity; rev:1;
If someone knows where to file bug reports specifically for this hosted ruleset, please let me know so they can be made aware and fix the errors.
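
A pre-flight check for the failure described in this report, as an added example that is not part of the original report or of the ruleset's own tooling: it flags active rules whose option body is not closed by an unquoted ")" and can comment them out so the remaining rules still load. It assumes one rule per line, as in the listing above; the function names and the well-formed rule with sid 1000001 are constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def options_closed(rule):
    """True if the option body opens with '(' and its last unquoted character is ')'."""
    start = rule.find("(")
    if start == -1:
        return False
    in_quote = escaped = False
    last = ""  # last non-space character seen outside double quotes
    for ch in rule[start + 1:]:
        if escaped:
            escaped = False          # character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and not ch.isspace():
            last = ch
    return not in_quote and last == ")"

def audit(text):
    """Return (line_number, sid) for every active rule with unclosed options."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue                 # skip blanks and already-disabled rules
        if not options_closed(rule):
            m = SID_RE.search(rule)
            bad.append((n, int(m.group(1)) if m else None))
    return bad

def disable_broken(text):
    """Comment out the broken rules, leaving every other line untouched."""
    bad = {n for n, _ in audit(text)}
    return "\n".join("# " + l if n in bad else l
                     for n, l in enumerate(text.splitlines(), 1))

# Constructed sample: two rules quoted in the report plus one well-formed rule.
SAMPLE = """# constructed sample input
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"scribd_upload";flow:from_client;appid:scribd_upload; sid:71443 ; classtype:misc-activity; rev:1
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"example_app";flow:from_client;appid:example_app; sid:1000001 ; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inskin_media";flow:from_client;appid:inskin_media; sid:71780 ; classtype:misc-activity; rev:1;"""

if __name__ == "__main__":
    for lineno, sid in audit(SAMPLE):
        print(f"line {lineno}: sid {sid} has unclosed rule options")
```

Running `audit` over each extracted `.rules` file before the rules are merged into `snort.rules` gives the file and sid of each offender without restarting snort once per error.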