Snort mailing list archives
RE: Snort rules trouble.
From: Jason Gauthier <jgauthier () lastar com>
Date: Fri, 21 Jun 2002 14:01:14 -0400
Since my original mailing I received several other emails asking what I downloaded, what I was using, whether I'm mixing versions, etc. Let me clarify:

Originally I downloaded and installed snort-1.8.6 and its rules. Compiled and installed. Snort didn't work with the following command:

    /opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

So I deleted it and tried current. This is where I ran into the problem I posted.

Taking your advice to heart, as I am relatively new to the product, I began again. The following is what I have just done with snort-1.8.6:

    rm -r /opt/snort

Configured, compiled, installed snort into /opt/snort.
Made the following directories:

    /opt/snort/etc
    /opt/snort/logs
    /opt/snort/rules

Moved all rules from snortrules.tar.gz to /opt/gnome/rules.
Copied snort.conf and classifications.conf to /opt/gnome/etc.
Edited snort.conf: changed my HOME_NET and RULE_PATH, along with uncommenting the commented-out rules.
Ran the following command:

    /opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

Received the following error:

    [!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number: "(msg:"WEB-CGI"

Which happens to be the same error I ran into the first time I ran snort. I commented out line #8, which is the first line of the rule. Then I get the same error with line #9 (as I was suspecting). So I tried to remove web-cgi. The next rule in the list, web-coldfusion, spits out an error. I remove coldfusion... The next rule in the list, web-iis, spits out an error. At this point, I'm back here. Any ideas?

Again: snort 1.8.6, with snortrules.tar.gz straight from the snort website (the rules dated today).
-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Friday, June 21, 2002 1:11 PM
To: Jason Gauthier; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules trouble.

It would sound like you are trying to use rules which are for snort-current (aka: development version) on a snort which is snort 1.8.6. Either that or you are using a "rule management" tool (I forget the name.. hogwash was it?) that has a default behavior of uncommenting all the rules before it runs. There's a command line switch to stop that.

Any rule with the word "flow" in it is not intended for snort 1.8.6 or earlier, but 1.8.6's ruleset has a few with that keyword in it, which are commented out in the files.

Try re-extracting your rules files from the snort 1.8.6 source tarball and not running them through any tools.

At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:

Greetings-

I just installed snort, so I'm a completely new user. I've been reading many documents about set up, configs, etc. I realize snort is a complicated piece of software.

Anyway, I compiled and installed snort without issue. I extracted the rules, read the documentation on how to start it. I edit a snort.conf, and was ready to go. I executed:

    /opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf

Starts up and then errors out:

    ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"

Eh, not too bad. So I read some more, and then edit the rule. I decide to comment it out, so I can fix it later; for now, I would like to get snort running. Immediately follows:

    ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!

So I check out this rule file and notice they all have "flow" in them. I now decide something is completely wrong :)

This is "current", as I had the same problems with the rules with 1.8.6.

Appreciate any insight.
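The two failures in this thread ("Bad port number" when a rule header is short a field, and "Unknown keyword "flow"" when a snort-current rule is fed to 1.8.6) can both be caught before the sensor is started. The checker below is an added example and is not code from this thread or from the Snort project. It parses the classic one-line rule layout (action, protocol, source address and port, direction, destination address and port, then options in parentheses), validates each port field, and reports any option keyword that is not on an allow-list for the installed version. The allow-list KNOWN_OPTIONS_186 is an assumption kept deliberately small for illustration, not the full option set of any Snort release; the one thing taken from the thread is that "flow" is not known to 1.8.6. The sample rules are constructed for the example.

```python
"""Pre-flight checker for Snort 1.x rule files (added example, not Snort code).

Parses lines of the form
    action proto src_ip src_port direction dst_ip dst_port (opt; opt; ...)
and reports header fields that would not parse and option keywords the
installed Snort does not understand, so version mismatches show up before
the daemon is started.
"""
import re

# Assumed, deliberately small allow-list for the installed version.
# 'flow' is intentionally absent: the thread reports it as unknown to 1.8.6.
KNOWN_OPTIONS_186 = {
    "msg", "content", "nocase", "offset", "depth", "flags", "reference",
    "classtype", "sid", "rev", "uricontent", "dsize", "itype", "icode",
    "ttl", "ipopts", "priority", "tag", "seq", "ack", "ip_proto", "sameip",
    "regex", "react", "resp", "session", "logto", "id", "fragbits", "rpc",
}

# A port field may be a number, a range (1024:, :1023, 80:90), 'any',
# or a $VARIABLE, optionally negated with '!'.
PORT_RE = re.compile(r"^!?(any|\$[A-Za-z_][A-Za-z0-9_]*|\d+|\d*:\d*)$")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
# Split options on ';' only when the ';' is outside double quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def check_rule(line, known_options=KNOWN_OPTIONS_186):
    """Return a list of problem strings for one rule line; [] if it is clean."""
    problems = []
    head, sep, tail = line.partition("(")
    fields = head.split()
    if not sep or len(fields) != 7:
        # With a field missing, Snort reads the start of the options as a port,
        # which is how an error like 'Bad port number: "(msg:...' arises.
        problems.append("header has %d fields, expected 7 before '('" % len(fields))
        return problems
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        problems.append("unknown action %r" % action)
    if proto not in PROTOS:
        problems.append("bad protocol name %r" % proto)
    if direction not in ("->", "<>"):
        problems.append("bad direction %r" % direction)
    for label, port in (("source", sport), ("destination", dport)):
        if not PORT_RE.match(port):
            problems.append("bad %s port %r" % (label, port))
    options = tail.rsplit(")", 1)[0]
    for opt in OPT_SPLIT_RE.split(options):
        opt = opt.strip()
        if not opt:
            continue
        keyword = opt.split(":", 1)[0].strip()
        if keyword not in known_options:
            problems.append("unknown keyword %r" % keyword)
    return problems


def check_rules(text, known_options=KNOWN_OPTIONS_186):
    """Check a whole rules file body; returns {line_number: [problems]}."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are skipped, as Snort does
        problems = check_rule(line, known_options)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample rules for the example; not the contents of any real rules file.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI constructed test"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"uses flow keyword"; flow:to_server,established; content:"/x.cgi"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"missing port field"; content:"/y.cgi"; sid:1000003; rev:1;)
alert >134 $EXTERNAL_NET any -> $HOME_NET any (msg:"bad protocol"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for lineno, problems in sorted(check_rules(SAMPLE_RULES).items()):
        for problem in problems:
            print("line %d: %s" % (lineno, problem))
```

Run against the sample it reports the flow keyword on line 3, the six-field header on line 4 and the protocol ">134" on line 5, while the plain 1.8.6-style rule on line 2 passes. To check a tree for a newer Snort, pass an allow-list that includes "flow" as known_options; the header checks stay the same.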
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users