[Snort-users] new ruleset gives a fatal error

twig les twigles at ...131...
Mon Aug 19 14:01:04 EDT 2002


I'm replying to myself to add info :).  I have been
commenting out entire rules files to try to get snort
working at all and every time I comment out one file,
a different one nails me.  It's always a bad port or a
missing port.  Since I haven't changed snort.conf
(except now to comment out rules files) it looks like
someone changed the rules syntax?  Please let me know
if I'm wrong (I want to be).


--- twig les <twigles at ...131...> wrote:
> Hey all, I just dl'd the current ruleset today (Monday
> 8/19/02) and now Snort won't start.  Running my config
> with -T gives me:
> 
> [!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
> Fatal Error, Quitting..
> 
> I will paste the entire output at the end, but that's
> the ticket right there.  I've been looking thru
> exploit.rules and tried commenting out a few rules
> that looked suspicious, but no luck.  Does anyone know
> which rule this is?  Note that I have Snort 1.8.6 and
> this config has been running fine for months with
> these exact startup options.  This includes weekly
> rules updates.
> 
> ===================================================
> snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
> Log directory = /var/log/snort
> 
> Initializing Network Interface ti0
> 
>         --== Initializing Snort ==--
> Decoding Ethernet on interface ti0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /usr/local/snort/snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
> [!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
> Fatal Error, Quitting..
> ================================================


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
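
Added example, not part of the original post and not Snort's own code: a small rules-file checker that reports, for every rule in a file at once, the kind of header problem that "snort -T" stops on one at a time. It assumes the classic one-line header layout (action, protocol, source address, source port, direction, destination address, destination port, then the options) and the port forms listed in the comments; the sample rules and their sids are constructed.

```python
import re

# Assumed header layout: action proto src_ip src_port direction dst_ip dst_port (options)
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
# Assumed port forms: any, N, N:M, N:, :M, $VAR, each optionally negated with "!"
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}(:\d{0,5})?|:\d{1,5})$")

def lint_rules(text, filename="rules"):
    """Return (filename, line_no, message) for each rule with a malformed header."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        toks = raw.split()
        if not toks or toks[0] not in ACTIONS:
            continue  # blank line, comment, or non-rule directive (var, include, ...)
        if len(toks) < 7:
            msg = "truncated rule header"
        elif not PORT_RE.match(toks[3]):
            msg = 'Bad port number: "%s"' % toks[3]
        elif toks[4] not in ("->", "<>"):
            msg = 'Bad direction: "%s"' % toks[4]
        elif not PORT_RE.match(toks[6]):
            # A missing header field shifts the start of the options into the port slot.
            msg = 'Bad port number: "%s"' % toks[6]
        else:
            continue
        findings.append((filename, line_no, msg))
    return findings

# Constructed sample, not taken from the real exploit.rules.
SAMPLE = '''\
# constructed rules for illustration
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT sample one"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"EXPLOIT sample two"; sid:1000002;)
alert udp $EXTERNAL_NET any -> $HOME_NET 6000:6010 (msg:"EXPLOIT sample three"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (msg:"EXPLOIT sample four"; sid:1000004;)
'''

if __name__ == "__main__":
    for fname, line_no, msg in lint_rules(SAMPLE, "sample.rules"):
        print("%s(%d) => %s" % (fname, line_no, msg))
```

Running it over each downloaded .rules file before restarting the sensor lists every flagged line in one pass instead of one fatal error per start.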
