Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 38 replies
  • Subscribers 0 subscribers
  • Views 11263 views
  • Users 0 members are here
Options
Suggested

[7.920][BUG][FIXED] IPS stuck in a loop and won't stop loading.

Billybob
Just adding some information on my condition. Its obvious that IPS is broken in this version. My IPS keeps on trying to reload although its turned off via webadmin. I did turn it on initially and had lost connectivity but now it just keeps on running. 

Tried /var/mdw/scripts/snort stop and get done but in IPS log I can see where it is constantly reloading
A few snippets
2010:06:02-15:34:54 gatekeeper snort[9055]: Enabling inline operation

2010:06:02-15:34:54 gatekeeper snort[9055]: NFQUEUE ID set to: 0

2010:06:02-15:34:54 gatekeeper snort[9055]: Running in IDS mode

2010:06:02-15:34:54 gatekeeper snort[9055]: 

2010:06:02-15:34:54 gatekeeper snort[9055]:         --== Initializing Snort ==--

2010:06:02-15:34:54 gatekeeper snort[9055]: Initializing Output Plugins!


and after a few more lines, I get 
2010:06:02-15:35:16 gatekeeper snort[9055]: WARNING: Invalid content option in shared object rule: gid:3, sid:13476 : Fast pattern offset and length cannot be greater than the length of the pattern.  Rule will not be registered.

2010:06:02-15:35:16 gatekeeper snort[9055]: WARNING: gid:3, sid:15470. Fast pattern "only" flag used in combination with a fast pattern offset,length - honoring "only" flag and ignoring fast pattern offset,length.

and it continues on. I however never loose connectivity luckily [;)] Will probably reboot.

Regards
Parents Reply Children
  • 0 in reply to kbr
    Didn't work for me.
    ( This is system After patch install downloaded 06/06/) 

    [7.920After Patch from 7.912 with IPS and FW non functional]
    loginuser@roxy73:/home/login > su
    Password: 
    roxy73:/home/login # patterndist ips
    cp: cannot stat `/var/up2date/ips/u2d-ips-*.tgz.gpg': No such file or directory
    ips_pattern_update returned 'u2d-ips-7-174:1275302692'
    roxy73:/home/login # 


    [After Fresh rebuild from ISO and logged in as root] 
    loginuser@roxy73:/home/login > patterndist ips
    cp: cannot create regular file `/var/pattern/tmp/snortgroups.ph': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/snortrules.ph': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/snortrules_reporting.ph': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/snortrules_reporting.pst': Permission denied
    mv: cannot stat `/var/pattern/tmp/*': No such file or directory
    cp: cannot create regular file `/var/pattern/tmp/decoder.rules': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/preprocessor.rules': Permission denied
    mv: cannot stat `/var/pattern/tmp/*': No such file or directory
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/bad-traffic.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/chat.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/dos.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/exploit.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/icmp.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/imap.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/misc.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/multimedia.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/netbios.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/nntp.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/pop3.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/smtp.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/sql.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/web-activex.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/web-client.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/web-iis.so': Permission denied
    rm: cannot remove `/var/sec/chroot-snort/usr/lib/snort/so_rules/web-misc.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/bad-traffic.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/chat.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/dos.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/exploit.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/icmp.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/imap.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/misc.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/multimedia.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/netbios.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/nntp.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/pop3.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/smtp.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/sql.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/web-activex.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/web-client.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/web-iis.so': Permission denied
    cp: cannot create regular file `/var/pattern/tmp/web-misc.so': Permission denied
    mv: cannot stat `/var/pattern/tmp/*': No such file or directory
    /usr/local/bin/patterndist: line 209: /usr/local/bin/confd-client.plx: Permission denied
    loginuser@roxy73:/home/login >
  • 0 in reply to Mark_D_01
    You don't have to patch if you rebuilt from ISO. It should work by itself.
  • 0 in reply to Billybob
    Perfect,


    Solution worked for me
    Regards
    Filip
  • 0 in reply to Mark_D_01
    Didn't work for me. ...

    After rebuild 
    loginuser@roxy73:/home/login > patterndist ips
    [ lots of error messages ]


    Seems like, after the rebuild, you forgot to get the necessary priviledges (you didn't enter the  '[FONT="Courier New"]su[/FONT]' command).

    btw: we fixed that update, so if you still have a 7.912 running, if you now run the up2date to lift your machine to 7.920, the [FONT="Courier New"]patterndist ips[/FONT] command will be run automatically and your machine will not fall into the ips pit.
  • 0 in reply to kbr
    FYI
    I received notification that the update had downloaded again (ie 2nd time), before I ran the Up2date process.
    Hoping that this update would fix this issue (as indicated in your post) as I have another box that I have is also testing V8.
    The capture in the previous post I left out the su from the capture only.
    Mark
  • 0 in reply to Mark_D_01
    The capture in the previous post I left out the su from the capture only.


    The line:
    [FONT="Courier New"]

    loginuser@roxy73:/home/login > patterndist ips

    [/FONT]
    indicates that you were still a 'loginuser' when running the command. The command will only work if you are root. That's why i mentioned it.
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?