[Snort-users] Progress..New Ruleset not working with Snort 1.7

Joe Magee lists at ...297...
Thu Apr 12 15:35:13 EDT 2001


OK, here is what I did: I copied all of the rules into the same directory as snort.conf, and in snort.conf I defined:

include backdoor.rules
include finger.rules
include netbios.rules
include smtp.rules
include web-coldfusion.rules
include ddos.rules
include ftp.rules
include policy.rules
include sql.rules
include web-frontpage.rules
include dns.rules
include icmp.rules
include rpc.rules
include telnet.rules
include web-iis.rules
include dos.rules
include info.rules
include rservices.rules
include virus.rules
include web-misc.rules
include exploit.rules
include misc.rules
include scan.rules
include web-cgi.rules
include x11.rules

It seems as though my first problem is solved; however, now I'm getting:

intruder# snort -d -e -l /usr/snortlogs -v -c /usr/jmagee/snort*7/snort.conf -D -i xl0
Initializing daemon mode
intruder# Apr 12 02:31:42 intruder snort: [!] ERROR smtp.rules(7) => Bad port number: "(msg:"SMTP" 
Apr 12 02:31:42 intruder snort: [!] ERROR smtp.rules(7) => Bad port number: "(msg:"SMTP" 

Do I have to define SMTP somewhere?

---------- Original Message ----------------------------------
From: Joe McAlerney <joey at ...47...>
Date: Thu, 12 Apr 2001 12:09:58 -0700

>Hi Joe,
>
>By popular demand, the path where included files are searched for was
>changed from absolute to relative to the directory that your
>configuration file is in (specified with -c).  This was done to avoid
>having to add absolute paths to each include, and is a feature in the
>CVS version of Snort - At least that's how I understand the history of
>it.
>
>So, remove those absolute paths and you should be good to go.
>
>-Joe M.
>
>-- 
>|   Joe McAlerney     joey at ...155...   |
>| Silicon Defense - Technical Support for Snort |
>|       http://www.silicondefense.com/          |
>+--                                           --+
>
>Joe Magee wrote:
>
>> Snort works fine... However, I downloaded the newest rules, put them in /usr/jmagee/snort*7/rules/, and then added the appropriate lines in snort.conf to reflect the new rules. I get the following error:
>> 
>> intruder# snort -d -e -l /usr/snortlogs -v -c /usr/jmagee/snort*7/snort.conf -D -i xl0
>> Initializing daemon mode
>> intruder# Apr 12 01:27:48 intruder snort: ERROR: Unable to open rules file: /usr/jmagee/snort*7/rules/webcgi.rules
>> Apr 12 01:27:48 intruder snort: ERROR: Unable to open rules file: /usr/jmagee/snort*7/rules/webcgi.rules
>
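
An added example, not part of either message and not Snort's own code: a small Python check that resolves each `include` in snort.conf relative to the directory of the config file, as the quoted reply describes, and reports entries that cannot be read before the daemon is started. The function names, the sample config and the file names in it are constructed for illustration; flagging absolute paths as their own case is an assumption based on the reply's advice to remove them.

```python
import os
import re
import tempfile

# Matches a Snort "include <file>" directive; commented-out lines do not match.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

def check_includes(conf_path):
    """Resolve each include relative to the directory holding the config
    file (the behaviour described in the reply) and report its status.
    Returns a list of (line_number, include_argument, status)."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    results = []
    with open(conf_path) as conf:
        for lineno, line in enumerate(conf, 1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            arg = m.group(1)
            target = os.path.join(conf_dir, arg)
            if os.path.isabs(arg):
                status = "absolute"   # assumption: flag for removal, per the reply
            elif os.path.isfile(target) and os.access(target, os.R_OK):
                status = "ok"
            else:
                status = "missing"    # e.g. a misspelled or uncopied rules file
            results.append((lineno, arg, status))
    return results

def build_sample(directory):
    """Write a constructed snort.conf plus two empty rules files."""
    conf_path = os.path.join(directory, "snort.conf")
    with open(conf_path, "w") as f:
        f.write("# constructed sample config\n"
                "include smtp.rules\n"
                "include web-cgi.rules\n"
                "include webcgi.rules\n"
                "include /usr/local/rules/dns.rules\n"
                "# include x11.rules\n")
    for name in ("smtp.rules", "web-cgi.rules"):
        open(os.path.join(directory, name), "w").close()
    return conf_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for lineno, arg, status in check_includes(build_sample(d)):
            print(f"snort.conf({lineno}): {arg}: {status}")
```
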