[Snort-users] new ruleset gives a fatal error

twig les twigles at ...131...
Mon Aug 19 15:01:02 EDT 2002


Ack!  I'm a buffoon.  Of course it was an old
snort.conf that was missing a couple new variables
like aim_servers and stuff.

Sorry all, first day back from vacation.


--- Matt Kettler <mkettler at ...4108...> wrote:
> Diff your snort.conf against the one that was included with the rules
> tarball you downloaded.
>
> There's probably a new var SHELLCODE_PORTS or var HTTP_PORTS, etc that you
> are missing that's used in exploit.rules line number 22.
>
> You can't use an old snort.conf with new rule files without giving the new
> snort.conf that comes in the tarball a quick check-over. The two are
> inherently inter-related, which is why the rules tarball comes with a new
> .conf file.
> 
> At 01:30 PM 8/19/2002 -0700, twig les wrote:
> >Hey all, I just dl'd the current ruleset today (Monday
> >8/19/02) and now Snort won't start.  Running my config
> >with -T gives me:
> >
> >[!] ERROR .//exploit.rules(22) => Bad port number:
> >"(msg:"EXPLOIT"
> >Fatal Error, Quitting..
> >
> >I will paste the entire output at the end, but that's
> >the ticket right there.  I've been looking thru
> >exploit.rules and tried commenting out a few rules
> >that looked suspicious, but no luck.  Does anyone know
> >which rule this is?  Note that I have Snort 1.8.6 and
> >this config has been running fine for months with
> >these exact startup options.  This includes weekly
> >rules updates.
> >
> >===================================================
> >snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
> >Log directory = /var/log/snort
> >
> >Initializing Network Interface ti0
> >
> >         --== Initializing Snort ==--
> >Decoding Ethernet on interface ti0
> >Initializing Preprocessors!
> >Initializing Plug-ins!
> >Initializating Output Plugins!
> >Parsing Rules file /usr/local/snort/snort.conf
> >
> >+++++++++++++++++++++++++++++++++++++++++++++++++++
> >Initializing rule chains...
> >No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> >Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Scan alerts: ACTIVE
> >     Log Flushed Streams: INACTIVE
> >No arguments to stream4_reassemble, setting defaults:
> >      Reassemble client: ACTIVE
> >      Reassemble server: INACTIVE
> >      Reassemble ports: 21 23 25 53 80 143 110 111 513
> >      Reassembly alerts: ACTIVE
> >      Reassembly method: FAVOR_OLD
> >[!] ERROR .//exploit.rules(22) => Bad port number:
> >"(msg:"EXPLOIT"
> >Fatal Error, Quitting..
> >================================================
> 


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
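
The check suggested in the quoted reply, as an added example that is not part of the original thread: list every variable that the rule headers reference but the snort.conf never defines before including them. The function name, the sample config and the sample rules are constructed for illustration; only rule headers (the text before the first parenthesis) are checked.

```python
import re

# $NAME or $(NAME); the $(NAME:-default) form carries its own fallback value.
VAR_REF = re.compile(r"\$\(?([A-Za-z_]\w*)(:-)?")
VAR_DEF = re.compile(r"^\s*var\s+(\S+)\s+(.+)$")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")
RULE = re.compile(r"^\s*(alert|log|pass|activate|dynamic)\s")


def undefined_vars(conf_text, files, conf_name="snort.conf"):
    """Return [(file, line_no, var)] for variables used before any `var` line.

    `files` maps an included file's base name to its text.
    """
    defined, missing = set(), []

    def check_refs(text, name, no):
        for m in VAR_REF.finditer(text):
            if not m.group(2) and m.group(1) not in defined:
                missing.append((name, no, m.group(1)))

    def walk(text, name):
        for no, line in enumerate(text.splitlines(), 1):
            line = line.split("#", 1)[0]          # drop comments
            if (m := VAR_DEF.match(line)):
                check_refs(m.group(2), name, no)  # vars may reference vars
                defined.add(m.group(1))
            elif (m := INCLUDE.match(line)):
                inc = m.group(1).rsplit("/", 1)[-1]
                if inc in files:
                    walk(files[inc], inc)
            elif RULE.match(line):
                check_refs(line.split("(", 1)[0], name, no)

    walk(conf_text, conf_name)
    return missing


# Constructed sample: an old config used with a newer rules file.
OLD_CONF = "var HOME_NET 10.0.0.0/8\nvar EXTERNAL_NET any\ninclude exploit.rules\n"
NEW_CONF = "var SHELLCODE_PORTS !80\n" + OLD_CONF
RULES = {"exploit.rules": (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed A";)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed B";)\n'
)}

if __name__ == "__main__":
    for fname, no, var in undefined_vars(OLD_CONF, RULES):
        print(f"{fname}({no}): ${var} is not defined in snort.conf")
```
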