[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Steven Rudolph srudolph at ...1213...
Thu Jan 2 07:55:26 EST 2003


This did not work :(
Here is the error:

Jan  2 10:28:30 hubble2 snort[3846]: [ID 379120 daemon.error] FATAL
ERROR: ERROR /usr/local/snort/dos.rules (25) => Rule IP addr
(aaa.bbb.132.93,aaa.bbb.132.179,aaa.bbb.132.96,aaa.bbb.132.190,aaa.bbb.1
32.192,aaa.bbb.132.194,aaa.bbb.132.199,aaa.bbb.132.202,aaa.bbb.132.205,a
aa.bbb.132.206,aaa.bbb.132.143,aaa.bbb.132.210,aaa.bbb.132.212,aaa.bbb.1
32.214,aaa.bbb.132.223,aaa.bbb.132.236,aaa.bbb.132.237,aaa.bbb.132.243,a
aa.bbb.132.244,aaa.bbb.132.245,aaa.bbb.132.248,aaa.bbb.133.40,aaa.bbb.13
3.41,aaa.bbb.133.42,aaa.bbb.132.61,aaa.bbb.159.242) didn't x-late, WTF?

It only will take a certain length line, otherwise it reports the above
error for the IPs past the maximum.

Steve
I did get it working with a slightly shorter list.
Maybe if I divided the list between M$ servers and others?

Any suggestions?

-----Original Message-----
From: Pascal Bouchareine [mailto:pb at ...858...]
Sent: Thursday, January 02, 2003 5:26 AM
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] RE: [Snort-users] HTTP_SERVERS variable
length


Try breaking lines with \

I used to patch my snorts (read_conf), but \ does the trick IIRC.

Watch mSplit calls in rules.c if you need more than (256 ?) hosts.

On Mon, Dec 30, 2002 at 10:51:58AM -0500, Steven Rudolph wrote:
> Obfuscated for obvious reasons:
> This is line 68 which gets divided into 2 lines:
> I will send privately if needed.
> 
> var HTTP_SERVERS
> 
> -----Original Message-----
> From: Andrew R. Baker [mailto:andrewb at ...835...]
> Sent: Monday, December 30, 2002 10:11 AM
> To: Steven Rudolph
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] RE: [Snort-users] HTTP_SERVERS variable
> length
> 
> 
> Steven Rudolph wrote:
> > This message was originally posted on the snort-users list.
> > 
> > How long can the var for HTTP_SERVERS be?
> > Where would I find this in the code?
> > I need a length of about 2200 characters as I have about 150 HTTP 
> > servers that are in my network.
> > 
> > I am running Solaris 8.
> > -*> Snort! <*-
> > Version 1.9.0 (Build 209)
> > 
> > When I use all approximately 150 addresses I get this error in
> > /var/adm/messages:
> > Dec 26 11:23:47 hubble2 snort[25661]: [ID 702911 daemon.notice] Writing
> > PID "25661" to file "/var/run//snort_qfe0.pid"
> > Dec 26 11:23:47 hubble2 snort[25661]: [ID 379120 daemon.error] FATAL
> > ERROR: ERROR line /usr/local/snort/snort.conf (69) => Unknown rule type:
> > 4.146.19,aaa.bbb.146.20,aaa.bbb.146.25,aaa.bbb.135.111,aaa.bbb.135.112,a
> 
> [snip]
> 
> Can you please paste what you have on line 69 of your snort.conf file?
> It would make it much easier to track down where Snort is failing.
> 
> -A
> 



-- 
Kalou
It was on display in the bottom of a locked filing cabinet stuck in a 
disused lavatory with a sign on the door saying 'Beware of the Leopard.'
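
An added example, not part of the thread and not code from the Snort project: one way to shorten a long HTTP_SERVERS list is to drop duplicate entries and merge adjacent hosts into CIDR blocks that cover exactly the same addresses, then check the result against a length budget. The sample addresses are constructed from documentation ranges, and the `budget` value is a caller-chosen assumption because the thread does not establish the actual limit.

```python
import ipaddress

# Constructed sample list (documentation ranges), with duplicates like the posted one.
SAMPLE = ("192.0.2.16,192.0.2.17,192.0.2.18,192.0.2.19,192.0.2.20,192.0.2.21,"
          "192.0.2.22,192.0.2.23,192.0.2.93,192.0.2.93,198.51.100.40,"
          "198.51.100.41,198.51.100.42,192.0.2.120,192.0.2.120")


def parse_hosts(text):
    """Parse a comma-separated list into a set of networks (duplicates dropped)."""
    return {ipaddress.ip_network(tok.strip())
            for tok in text.split(",") if tok.strip()}


def compact_items(text):
    """Merge adjacent entries into CIDR blocks covering exactly those hosts."""
    items = []
    for net in ipaddress.collapse_addresses(parse_hosts(text)):
        # Single hosts stay bare addresses, as in the original list.
        items.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return items


def covered(text):
    """Expand a list to the set of individual addresses it matches."""
    return {addr for net in parse_hosts(text) for addr in net}


def build_var(name, text, budget):
    """Return (var_line, fits). 'budget' is an assumed maximum line length."""
    items = compact_items(text)
    # The compact list must match the same addresses: nothing added, nothing lost.
    if covered(",".join(items)) != covered(text):
        raise ValueError("compacted list changed the covered address set")
    line = "var %s [%s]" % (name, ",".join(items))
    return line, len(line) <= budget


if __name__ == "__main__":
    line, fits = build_var("HTTP_SERVERS", SAMPLE, budget=100)
    print(line)
    print("length %d: %s" % (len(line), "fits" if fits else "too long"))
```

Merging only happens where the listed hosts fill a block completely, so the set of addresses the rules apply to stays the same; scattered hosts remain individual entries and the saving depends on how contiguous the servers are.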