Snort mailing list archives
RE: Snort rules trouble.
From: Jason Gauthier <jgauthier () lastar com>
Date: Fri, 21 Jun 2002 14:41:51 -0400
I understand now. The rules supplied separately have variables supplied for the ports. The rules supplied with the distribution have them statically entered. Thanks a lot!

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Friday, June 21, 2002 2:36 PM
To: 'Jason Gauthier'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules trouble.

Just like Matt Kettler said, and pretty sure he is right. You need to stick with the rules that come with the 1.86 build and NOT use the snortrules.tar.gz

-----Original Message-----
From: Jason Gauthier [mailto:jgauthier () lastar com]
Sent: Friday, June 21, 2002 12:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules trouble.

Since my original mailing I received several other emails asking what I downloaded, what I was using, whether I'm mixing versions, etc. Let me clarify:

Originally I downloaded and installed snort-1.8.6, and its rules. Compiled, and installed. Snort didn't work with the following command:

/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

So, I deleted it, and tried current. This is where I ran into the problem I posted.

Taking your advice to heart, as I am relatively new to the product, I began again. The following is what I have just done with snort-1.8.6:

rm -r /opt/snort
configured, compiled, installed snort into /opt/snort.
made the following directories:
/opt/snort/etc
/opt/snort/logs
/opt/snort/rules
moved all rules from snortrules.tar.gz to /opt/gnome/rules.
copied snort.conf and classifications.conf to /opt/gnome/etc
Edited snort.conf: changed my HOME_NET and RULE_PATH, along with uncommenting the commented-out rules.
Ran the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf
Received the following error:
[!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number: "(msg:"WEB-CGI"

Which happens to be the same error I ran into the first time I ran snort. I commented out line #8, which is the first line of the rule. Then I get the same error with line #9 (as I was suspecting). So, I tried to remove web-cgi. The next rule in the list, web-coldfusion, spits out an error. I remove coldfusion... The next rule in the list, web-iis, spits out an error.

At this point, I'm back here. Any ideas?

Again: snort 1.8.6, with snortrules.tar.gz straight from the snort website. (The rules dated today)

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Friday, June 21, 2002 1:11 PM
To: Jason Gauthier; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules trouble.

It would sound like you are trying to use rules which are for snort-current (aka: development version) on a snort which is snort 1.8.6. Either that or you are using a "rule management" tool (I forget the name.. hogwash was it?) that has a default behavior of uncommenting all the rules before it runs. There's a command line switch to stop that.

Any rule with the word "flow" in it is not intended for snort 1.8.6 or earlier, but 1.8.6's ruleset has a few with that keyword in it, which are commented out in the files.

Try re-extracting your rules files from the snort 1.8.6 source tarball and not running them through any tools.

At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:

Greetings-
I just installed snort, so I'm a completely new user. I've been reading many documents about set up, configs, etc. I realize snort is a complicated piece of software.

Anyway, I compiled and installed snort without issue. I extracted the rules, read the documentation on how to start it. I edited a snort.conf, and was ready to go.

I executed:
/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf
Starts up and then errors out:
ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"

Eh, not too bad. So I read some more, and then edit the rule. I decide to comment it out, so I can fix it later; for now, I would like to get snort running.

Immediately follows:
ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!

So, I check out this rule file and notice they all have "flow" in them. I now decide something is completely wrong :)

This is "current", as I had the same problems with the rules with 1.8.6.

Appreciate any insight.

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
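The thread works out by hand that the separately downloaded rules fail on 1.8.6 for two reasons: their port fields use variables (such as $HTTP_PORTS) that the 1.8.6 snort.conf never defines, and their options use the flow keyword that 1.8.6 does not know. The following checker automates that triage; it is an added example, not code from the thread or from the Snort project, and the snort.conf fragment, the rules and their sids are constructed samples.

```python
import re

# Constructed sample snort.conf fragment in the 1.8.6 style: HTTP_PORTS is not defined.
SNORT_CONF = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var RULE_PATH /opt/snort/rules
"""
# Constructed sample rules: snort-current style (flow keyword, $HTTP_PORTS) beside a
# 1.8.6-style rule with a static port. The sids are made up.
RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI example"; flow:to_server,established; uricontent:"/cgi-bin/example"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI example static port"; uricontent:"/cgi-bin/example"; sid:1000002;)
# a comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; flow:to_server; content:"USER"; sid:1000003;)
"""
# rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def conf_vars(conf_text):
    """Names defined with 'var NAME value' in a snort.conf."""
    return {m.group(1) for m in re.finditer(r'^\s*var\s+(\w+)\s+', conf_text, re.M)}

def check_rules(rules_text, conf_text, unsupported_keywords=("flow",)):
    """Return (line number, reason) pairs for rules a 1.8.6 parser would reject."""
    defined = conf_vars(conf_text)
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable rule header"))
            continue
        for field in m.group(3, 4, 6, 7):          # the four address/port header fields
            for var in re.findall(r'\$(\w+)', field):
                if var not in defined:
                    problems.append((lineno, f"undefined variable ${var}"))
        for kw in unsupported_keywords:            # option keywords 1.8.6 lacks
            if re.search(r'(^|;)\s*' + kw + r'\s*:', m.group(8)):
                problems.append((lineno, f'unsupported keyword "{kw}"'))
    return problems

def comment_out(rules_text, problems):
    """Comment out every flagged rule, as the poster did by hand, and return the new text."""
    bad = {n for n, _ in problems}
    return "\n".join("# " + l if i in bad else l for i, l in enumerate(rules_text.splitlines(), 1))
```

Run check_rules against the real rule files and the snort.conf actually in use before starting Snort; an empty list means neither failure class is present.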
Current thread:
- Snort rules trouble. Jason Gauthier (Jun 21)
- Re: Snort rules trouble. Ryan Russell (Jun 21)
- Re: Snort rules trouble. Matt Kettler (Jun 21)
- <Possible follow-ups>
- RE: Snort rules trouble. Slighter, Tim (Jun 21)
- RE: Snort rules trouble. Jason Gauthier (Jun 21)
- RE: Snort rules trouble. Erek Adams (Jun 21)
- RE: Snort rules trouble. Jason Gauthier (Jun 21)
- RE: Snort rules trouble. Matt Kettler (Jun 21)
- RE: Snort rules trouble. Slighter, Tim (Jun 21)
- RE: Snort rules trouble. Slighter, Tim (Jun 21)
- RE: Snort rules trouble. Erek Adams (Jun 21)
- RE: Snort rules trouble. Andreas Östling (Jun 21)
- RE: Snort rules trouble. Erek Adams (Jun 21)
- RE: Snort rules trouble. Erek Adams (Jun 21)
- RE: Snort rules trouble. Slighter, Tim (Jun 21)
- RE: Snort rules trouble. Erek Adams (Jun 21)
- RE: Snort rules trouble. Jason Gauthier (Jun 21)