[Snort-users] Snort complains about rules file

Tom Sevy tsevy at ...1701...
Fri Mar 30 08:05:41 EST 2001


Running Snort 1.7 (downloaded from freebsd.org, running on FreeBSD
4.2-RELEASE).  I am not yet very experienced with *nix, etc. or with Snort
rules.

Also, is there an all inclusive rules file?  Or can I just concatenate them
to create a very large rule file?

................................................................

Command line:       snort -i xl0 -v -c netbios.rules
This will be expanded once I get the rules working.

        --== Initializing Snort ==--

Initializing Network Interface xl0
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR netbios.rules:7 => Port value missing in rule!




Here is what is in netbios.rules, as downloaded from snort.org:

#--------------
# NETBIOS RULES
#--------------
# UPDATED 03/28/2001
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison";
flags: A+; content: "|5C 0
0 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00
00 01 00 00 00 01 00 00
 00 00 00 00 00 FF FF FF FF 00 00 00 00|";reference:arachnids,454;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze
Attempt"; flags: A+; content:"
BEAVIS"; content:"yep yep";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session";
flags: A+; content: "|0
0 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00
31 00 33 00 38 00 31|";
 reference:arachnids,204;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
IPC$access";flags: A+; content:"|5c00
|I|00|P|00|C|00|$|000000|IPC|00|"; reference:arachnids,334;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
IPC$access";flags: A+; content:"\\IPC
$|00 41 3a 00|"; reference:arachnids,335;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
D$access";flags: A+; content:"\\D$|00
 41 3a 00|"; reference:arachnids,336;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD...";flags:
A+; content:"\\...|00 0
0 00|"; reference:arachnids,337;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..";flags:
A+; content:"\\..|2f 00
00 00|"; reference:arachnids,338;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ access";
flags: A+; content: "|5c|
C$|00 41 3a 00|";reference:arachnids,339;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
ADMIN$access";flags: A+; content:"\\A
DMIN$|00 41 3a 00|"; reference:arachnids,340;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba
clientaccess";flags: A+; content:"|
00|Unix|00|Samba"; reference:arachnids,341;)
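An added check, written here as an illustration and not part of the post or of Snort itself: Snort 1.x reads each rule from a single line, so when a rules file arrives wrapped (by a mail client or a browser "save as"), the continuation line "flags: A+; ..." is handed to the parser as a rule of its own; in the posted file that continuation is line 7 (five comment lines, the rule header on line 6), and a complaint about a missing port on that line is consistent with it. The script flags such lines and re-joins them; its sample is constructed from the first two posted rules.

```python
import re

# Constructed sample modelled on the posted netbios.rules: the first rule is
# split across three lines the way the mail shows it, the second is intact.
SAMPLE = """#--------------
# NETBIOS RULES
#--------------
# UPDATED 03/28/2001
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison";
flags: A+; content: "|5C 00 5C 00 2A 00 53 00 4D 00 42 00|";
reference:arachnids,454;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flags: A+; content:"BEAVIS"; content:"yep yep";)
"""

ACTIONS = ("alert", "log", "pass")  # the rule actions used in these files
# action proto src_ip src_port direction dst_ip dst_port (
HEADER = re.compile(r"^(%s)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\(" % "|".join(ACTIONS))

def paren_depth(line):
    """Count '(' minus ')' outside double-quoted strings (hex content may contain parens)."""
    depth, in_str = 0, False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += (ch == "(") - (ch == ")")
    return depth

def check_rules(text):
    """Return (problems, fixed): problems lists (line_no, message) for lines Snort
    would reject; fixed is the file with every rule back on one line. Fragments are
    joined with one space, so a wrap that fell inside a token (the "5C 0"/"0 5C"
    split in the posted file) still needs a hand edit afterwards."""
    problems, fixed, pending, start = [], [], "", 0
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if pending:  # a rule opened earlier has not seen its closing ')' yet
            problems.append((no, "continuation of the rule opened on line %d" % start))
            pending = pending + " " + s
            if paren_depth(pending) == 0:
                fixed.append(pending)
                pending = ""
        elif not s or s.startswith("#"):
            fixed.append(line)
        elif not HEADER.match(s):
            problems.append((no, "line does not start with a rule header"))
            fixed.append(line)
        elif paren_depth(s) == 0:
            fixed.append(s)
        else:
            pending, start = s, no
    if pending:
        problems.append((start, "rule never closed with ')'"))
        fixed.append(pending)
    return problems, "\n".join(fixed) + "\n"

if __name__ == "__main__":
    for no, msg in check_rules(SAMPLE)[0]:
        print("netbios.rules:%d => %s" % (no, msg))
```

Run it over the real netbios.rules before passing the file to snort -c; a clean second pass over the rewritten text confirms every rule now sits on one line.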