[Snort-users] new ruleset gives a fatal error

Matt Kettler mkettler at ...4108...
Mon Aug 19 14:04:04 EDT 2002


Diff your snort.conf against the one that was included with the rules 
tarball you downloaded.

There's probably a new var SHELLCODE_PORTS or var HTTP_PORTS, etc., that you 
are missing that's used in exploit.rules line number 22.

You can't use an old snort.conf with new rule files without giving the new 
snort.conf that comes in the tarball a quick check-over. The two are 
inherently inter-related, which is why the rules tarball comes with a new 
.conf file.

At 01:30 PM 8/19/2002 -0700, twig les wrote:
>Hey all, I just dl'd the current ruleset today (Monday
>8/19/02) and now Snort won't start.  Running my config
>with -T gives me:
>
>[!] ERROR .//exploit.rules(22) => Bad port number:
>"(msg:"EXPLOIT"
>Fatal Error, Quitting..
>
>I will paste the entire output at the end, but that's
>the ticket right there.  I've been looking thru
>exploit.rules and tried commenting out a few rules
>that looked suspicious, but no luck.  Does anyone know
>which rule this is?  Note that I have Snort 1.8.6 and
>this config has been running fine for months with
>these exact startup options.  This includes weekly
>rules updates.
>
>===================================================
>snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
>Log directory = /var/log/snort
>
>Initializing Network Interface ti0
>
>         --== Initializing Snort ==--
>Decoding Ethernet on interface ti0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Initializating Output Plugins!
>Parsing Rules file /usr/local/snort/snort.conf
>
>+++++++++++++++++++++++++++++++++++++++++++++++++++
>Initializing rule chains...
>No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
>[!] ERROR .//exploit.rules(22) => Bad port number:
>"(msg:"EXPLOIT"
>Fatal Error, Quitting..
>================================================
>
>
>=====
>-----------------------------------------------------------
>All warfare is based on deception.
>-----------------------------------------------------------
>
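
An added example, not part of either post and not Snort project code: a pre-flight check for the mismatch described in the reply above, listing variables that rule headers reference but snort.conf never defines. The sample config, the sample rules and the function names are constructed for illustration; only the rule header is scanned, and `$(NAME:-default)` references are treated as satisfied.

```python
import re

# "var NAME value" lines in snort.conf (later Snort 2.x also uses ipvar/portvar)
VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+\S", re.M)
# $NAME, $(NAME) and $(NAME:-default) references
VAR_REF = re.compile(r"\$\(?(\w+)(:-)?")
# Start of the rule options: first "(" that is not part of "$("
OPTS_START = re.compile(r"(?<!\$)\(")

def defined_vars(conf_text):
    """Variable names defined in snort.conf text; commented-out lines are ignored."""
    return set(VAR_DEF.findall(conf_text))

def undefined_refs(rules_text, defined, filename):
    """Return [(filename, line_no, var)] for rule-header variables with no definition."""
    missing = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        # Only the header (action, protocol, addresses, ports) is checked, so a
        # literal "$" inside content/msg options is not mistaken for a variable.
        header = OPTS_START.split(rule, maxsplit=1)[0]
        for name, has_default in VAR_REF.findall(header):
            if name not in defined and not has_default:
                missing.append((filename, line_no, name))
    return missing

# Constructed sample input: an older snort.conf and a newer rules file.
OLD_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# var HTTP_PORTS 80
"""
NEW_RULES = """\
# constructed rules, not taken from the real exploit.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE one"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE $two"; sid:1000002;)
alert tcp $EXTERNAL_NET $(SHELLCODE_PORTS:-any) -> $HOME_NET any (msg:"EXAMPLE three"; sid:1000003;)
"""

if __name__ == "__main__":
    for fname, line_no, var in undefined_refs(NEW_RULES, defined_vars(OLD_CONF), "exploit.rules"):
        print(f"{fname}({line_no}): ${var} is not defined in snort.conf")
```

Running the same check over the real rule files before `snort -T` points at the missing `var` line by name instead of a parser error in the middle of a rule.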




