Snort mailing list archives

RE: Snort rules trouble.


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 21 Jun 2002 12:35:44 -0600

Just like Matt Kettler said, and I'm pretty sure he is right. You need to
stick with the rules that come with the 1.8.6 build and NOT use the
snortrules.tar.gz

-----Original Message-----
From: Jason Gauthier [mailto:jgauthier () lastar com]
Sent: Friday, June 21, 2002 12:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules trouble.


Since my original mailing I received several other emails asking what I
downloaded, what I was using, whether I'm mixing versions, etc.

Let me clarify:
Originally I downloaded and installed snort-1.8.6, and its rules.
Compiled, and installed.

Snort didn't work with the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

So, I deleted it, and tried current.
This is where I ran into the problem I posted.

Taking your advice to heart, as I am relatively new to the product, I began
again.

The following is what I have just done with snort-1.8.6:
rm -r /opt/snort
configured, compiled, installed snort into /opt/snort.
made the following directories:
/opt/snort/etc
/opt/snort/logs
/opt/snort/rules

move all rules from snortrules.tar.gz to /opt/gnome/rules.
copied snort.conf and classifications.conf to /opt/gnome/etc
Edited snort.conf
Changed my HOME_NET and RULE_PATH, along with uncommenting the commented out
rules.

Ran the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

Received the following error:
[!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
"(msg:"WEB-CGI"

Which happens to be the same error I ran into the first time I ran snort.

I commented out line #8, which is the first line of the rule.
Then I get the same error with line #9. (As I was suspecting)

So, I tried to remove web-cgi.
The next rule in the list, web-coldfusion, spits out an error.
I remove coldfusion...
The next rule in the list, web-iis, spits out an error.

At this point, I'm back here.

Any ideas?
Again: snort 1.8.6, with snortrules.tar.gz
Straight from the snort website.

(The rules are dated today)




-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Friday, June 21, 2002 1:11 PM
To: Jason Gauthier; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules trouble.


It would sound like you are trying to use rules which are for snort-current
(aka: development version) on a snort which is snort 1.8.6.

Either that or you are using a "rule management" tool (I forget the name..
hogwash was it?) that has a default behavior of uncommenting all the rules
before it runs. There's a command line switch to stop that.

Any rule with the word "flow" in it is not intended for snort 1.8.6 or
earlier, but 1.8.6's ruleset has a few with that keyword in it, which are
commented out in the files. Try re-extracting your rules files from the
snort 1.8.6 source tarball and not running them through any tools.


At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
Greetings-

I just installed snort, so I'm a completely new user. I've been reading many
documents about set up, configs, etc. I realize snort is a complicated
piece of software.

Anyway, I compiled and installed snort without issue. I extracted the
rules, read the documentation on how to start it. I edited a snort.conf, and
was ready to go.

I executed:

/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf

Starts up and then errors out:
ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"

Eh, not too bad. So I read some more, and then edit the rule.
I decide to comment it out, so I can fix it later; for now, I would like to
get snort running.

Immediately follows:
ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!

So, I check out this rule file and notice they all have "flow" in them.
I now decide something is completely wrong :)

This is "current", as I had the same problems with the rules with 1.8.6.

Appreciate any insight.
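An added check, written for this archive page and not taken from the thread or from the Snort project, that scans a rules file before it is handed to a 1.8.6 Snort for the two things Matt's diagnosis points at: active rules carrying the "flow" option (the "Unknown keyword" error above), and rule headers that do not have the seven fields that 1.8.x reads positionally before the options, which is consistent with the "Bad port number" message in the thread, where the token reported as a port is the start of the option section. It assumes the seven-field header layout (action, protocol, source, port, direction, destination, port) and backslash line continuation; the sample rules are constructed.

```python
import re
# Constructed sample in the style of the web-cgi rules discussed in the
# thread; it is not the real contents of snortrules.tar.gz.
SAMPLE_RULES = """\
# a comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI a"; \\
    flow:to_server,established; content:"/cgi-bin/a"; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI b"; content:"/b.cgi"; sid:2; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI c"; flow:to_server; sid:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"WEB-CGI d"; content:"/d.cgi"; sid:4; rev:1;)
"""
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
HEADER_FIELDS = 7  # assumed 1.8.x layout: action proto src sport dir dst dport

def logical_rules(text):
    """Yield (first_line_number, rule_text), joining backslash continuations."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if start is None:
            start = lineno
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended with a dangling continuation
        yield start, " ".join(buf).strip()

def lint_rules(text):
    """Return [(line_number, problem)] for active rules a 1.8.6 Snort would
    reject: a 'flow' option, or a header whose field count is not 7."""
    problems = []
    for lineno, rule in logical_rules(text):
        if not rule or rule.startswith("#"):
            continue  # blank or commented-out rule
        header, sep, options = rule.partition("(")
        fields = header.split()
        if not fields or fields[0] not in RULE_ACTIONS:
            continue  # var, include, preprocessor lines are not rules
        if not sep:
            problems.append((lineno, "no option section"))
            continue
        if len(fields) != HEADER_FIELDS:
            problems.append((lineno, "header has %d fields, expected %d"
                             % (len(fields), HEADER_FIELDS)))
        if re.search(r"(^|[;\s])flow\s*:", options):
            problems.append((lineno, "uses 'flow' keyword (needs snort-current)"))
    return problems
```

Running lint_rules over a *.rules file that still contains the keyword or malformed headers lists the offending rule at the line Snort itself would report, so the file can be fixed or replaced with the 1.8.6 tarball's copy before starting the sensor.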



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



