Snort mailing list archives
Re: Snort errors on startup -- rules related?
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 28 Jan 2004 17:00:46 -0600 (CST)
It is giving an error because someone had a typo in the rule; it should be to_server, not to_sever. The other just looks like a future rule option that does not work for Snort yet but somehow made it into a couple of the rules (or is this used with the pcre patch?).
Aloha, I upgraded my snort today after reading the very fine book Snort 2.0 Intrusion Detection. Currently, I am running:

-*> Snort! <*- Version 2.1.0 (Build 9) By Martin Roesch (roesch () sourcefire com, www.snort.org)

on a Red Hat 7.2 box. This install has the current rules from snortrules-current.tar.gz dated Jan 25 01:15:12 2004 GMT obtained from the downloads pages. Please note that I am not a rules expert, so much of this is a foreign language to me. However, I thought this might be a good learning opportunity for me, so I am looking for help. Anyway, after I got it all installed and tried to start it up, I get the following two errors that I'd like to see if I can fix. (Disabling the rules for rpc and web_misc allows snort to run, albeit without those capabilities enabled.)

Here is the first error message in /var/log/messages:

Jan 24 17:08:40 router snort: FATAL ERROR: /etc/snort/rules/rpc.rules:19: Unknown Flow Option: 'to_sever'

Now when I open up the rules for RPC.rules, the rule #19 looks just like the surrounding rules in that it has the same format as the others. So why does this error out with Unknown Flow Option: 'to_server' ? Should the 'flow:to_server, established ' part of that rule be removed?

Here is the second error message:

Jan 24 17:09:19 router snort: FATAL ERROR: /etc/snort/rules/web-misc.rules(10) => Sorry, regex isn't supported at this time. This isn't new.

Here is the rule number 10:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)

I also noted that rule number 58 uses 'regex'.

Thanks in advance for your help,
Ben

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration. See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
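The two startup failures above (a misspelled flow option and the unsupported `regex` keyword) can be caught before Snort aborts on them. The following is an added example, not code from the thread or from Snort itself: a small rule-file linter that splits each rule's option section and reports exactly those two classes of problem. The set of accepted flow values is taken from the Snort 2 manual (an assumption about the deployed version), and the sample rules are constructed for the example; the web-misc rule is the one quoted in the thread, the rpc rule is hypothetical.

```python
import re
# Values accepted by the Snort 2.x "flow" keyword (from the Snort 2 manual;
# an assumption about the deployed version, adjust if yours differs).
VALID_FLOW = {"to_client", "to_server", "from_client", "from_server",
              "established", "stateless", "no_stream", "only_stream"}
UNSUPPORTED = {"regex"}   # rejected by Snort 2.1.0 at parse time

# Constructed sample input: the web-misc rule quoted in the thread, a
# hypothetical rpc-style rule carrying the 'to_sever' typo, and a clean rule.
SAMPLE_RULES = '''# comment lines and blanks are skipped
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC sample rule"; flow:to_sever,established; content:"|00 01 86 A0|"; sid:9999999; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC clean rule"; flow:to_server,established; content:"|00 01 86 A0|"; sid:9999998; rev:1;)
'''

def split_options(body):
    """Split a rule option body on ';' outside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return parts + [tail] if tail else parts

def lint_rule(rule):
    """Return the problems that make Snort 2.1.0 abort with FATAL ERROR."""
    m = re.search(r"\((.*)\)\s*$", rule)
    if not m:
        return ["no option section"]
    problems = []
    for opt in split_options(m.group(1)):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "flow":
            problems += [f"Unknown Flow Option: '{v.strip()}'"
                         for v in val.split(",") if v.strip() not in VALID_FLOW]
        elif key in UNSUPPORTED:
            problems.append(f"'{key}' isn't supported at this time")
    return problems

def lint_rules(text):
    """Map 1-based line number -> problems, skipping blanks and comments."""
    lines = enumerate(text.splitlines(), 1)
    return {n: p for n, l in lines
            if l.strip() and not l.lstrip().startswith("#")
            and (p := lint_rule(l.strip()))}
```

Running `lint_rules` over a rules file before restarting Snort gives the same file:line pointers the FATAL ERROR messages do, so a bad rules update can be fixed or disabled without taking the sensor down.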
Current thread:
- Snort errors on startup -- rules related? Ben Beeson (Jan 27)
- Re: Snort errors on startup -- rules related? Josh Berry (Jan 28)