[Snort-users] Snort rules touble.

Jason Gauthier jgauthier at ...6155...
Fri Jun 21 11:01:03 EDT 2002


Since my original mailing I recieved several other email asking what I
downloaded, what I was using, I'm mixing version, etc.

Let me clarify:
Orignally I downloaded and installed snort-1.8.6, and it's rules.
Compiled, and installed.

Snort didn't with with the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

So, i deleted it, and tried current.
This is where I ran into the problem I posted.

Taking your advices to heart, as I am relatively new to the product, I began
again.

The following is what I have just done with snort-1.8.6:
rm -r /opt/snort
configured, compiled, installed snort into /opt/snort.
made the following directories:
/opt/snort/etc
/opt/snort/logs
/opt/snort/rules

move all rules from snortrules.tar.gz to /opt/gnome/rules.
copied snort.conf and classifications.conf to /opt/gnome/etc
Edited snort.conf
Canged my HOME_NET and RULE_PATH, along with uncommenting the commented out
rules.

Ran the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

Receive the following error:
[!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
"(msg:"WEB-CGI"

Which happens to be the same error I ran into the first time I ran snort.

I commented out line #8, which is the first line of the rule.
Then I get the same error with line #9. (As I was suspecting)

So, i tied to remove web-cgi.
The next rule in the list web-coldfusion spits out an error.
I remove coldfusion...
The next rule in the list web-iis spits out an error.

At this point, I'm back here.

Any ideas?
Again: snort 1.8.6, with snortrules.tar.gz
Straight from the snort website.

(The rules dates today)




>-----Original Message-----
>From: Matt Kettler [mailto:mkettler at ...4108...]
>Sent: Friday, June 21, 2002 1:11 PM
>To: Jason Gauthier; snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort rules touble.
>
>
>It would sound like you are trying to use rules which are for 
>snort-current 
>(aka: development version) on a snort which is snort 1.8.6.
>
>Either that or you are using a "rule management" tool (I 
>forget the name.. 
>hogwash was it?) that has a default behavior of uncommenting 
>all the rules 
>before it runs. There's a command line switch to stop that.
>
>Any rule with the word "flow" in it is not intended for snort 1.8.6 or 
>earlier, but 1.8.6's ruleset has a few with that keyword in 
>it, which are 
>commented out in the files. Try re-extracting your rules files 
>from the 
>snort 1.8.6 source tarball and not running them through any tools.
>
>
>At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
>>Greetings-
>>
>>I just installed snort, so I'm a completely new user. I've 
>been reading many
>>documents about set up, configs, etc.  I realize snort is a 
>complicated
>>piece of software.
>>
>>
>>Anyway, I compiled and installed snort without issue.  I extracted the
>>rules, read the documentation on how to start it.  I edit a 
>snort.conf, and
>>was ready to go.
>>
>>I executed:
>>
>>/opt/snort/bin/snort -dev -l /opt/snort/logs -c 
>/opt/snort/etc/snort.conf
>>
>>Starts up and the errors out:
>>ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol 
>name ">134"
>>
>>Eh, Not too bad. So i read some more, and then edit the rule.
>>I decide to comment it out, so I can fix it later, for now, I 
>would like to
>>get snort running.
>>
>>Immediately follows:
>>ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword 
>"flow" in rule!
>>
>>So, i check out this rule file and notice they all have 
>"flow" in them.
>>I now decide something is completely wrong :)
>>
>>This is "current", as I had the same problems with the rules 
>with 1.8.6.
>>
>>Appreciate any insight.
>




More information about the Snort-users mailing list