[Snort-users] Snort rules trouble.

Slighter, Tim tslighter at ...5174...
Fri Jun 21 11:39:02 EDT 2002


Just like Matt Kettler said, and I'm pretty sure he is right. You need to
stick with the rules that come with the 1.86 build and NOT use the
snortrules.tar.gz

-----Original Message-----
From: Jason Gauthier [mailto:jgauthier at ...6155...]
Sent: Friday, June 21, 2002 12:01 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort rules trouble.


Since my original mailing I received several other emails asking what I
downloaded, what I was using, whether I'm mixing versions, etc.

Let me clarify:
Originally I downloaded and installed snort-1.8.6, and its rules.
Compiled, and installed.

Snort didn't work with the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

So, I deleted it, and tried current.
This is where I ran into the problem I posted.

Taking your advice to heart, as I am relatively new to the product, I began
again.

The following is what I have just done with snort-1.8.6:
rm -r /opt/snort
configured, compiled, installed snort into /opt/snort.
made the following directories:
/opt/snort/etc
/opt/snort/logs
/opt/snort/rules

moved all rules from snortrules.tar.gz to /opt/gnome/rules.
copied snort.conf and classifications.conf to /opt/gnome/etc
Edited snort.conf
Changed my HOME_NET and RULE_PATH, along with uncommenting the commented out
rules.

Ran the following command:
/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c /opt/snort/etc/snort.conf

Received the following error:
[!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
"(msg:"WEB-CGI"

Which happens to be the same error I ran into the first time I ran snort.

I commented out line #8, which is the first line of the rule.
Then I get the same error with line #9. (As I was suspecting)

So, I tried to remove web-cgi.
The next rule in the list web-coldfusion spits out an error.
I remove coldfusion...
The next rule in the list web-iis spits out an error.

At this point, I'm back here.

Any ideas?
Again: snort 1.8.6, with snortrules.tar.gz
Straight from the snort website.

(The rules are dated today)




>-----Original Message-----
>From: Matt Kettler [mailto:mkettler at ...4108...]
>Sent: Friday, June 21, 2002 1:11 PM
>To: Jason Gauthier; snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort rules trouble.
>
>
>It would sound like you are trying to use rules which are for snort-current (aka: development version) on a snort which is snort 1.8.6.
>
>Either that or you are using a "rule management" tool (I forget the name.. hogwash was it?) that has a default behavior of uncommenting all the rules before it runs. There's a command line switch to stop that.
>
>Any rule with the word "flow" in it is not intended for snort 1.8.6 or earlier, but 1.8.6's ruleset has a few with that keyword in it, which are commented out in the files. Try re-extracting your rules files from the snort 1.8.6 source tarball and not running them through any tools.
>
>
>At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
>>Greetings-
>>
>>I just installed snort, so I'm a completely new user. I've been reading many documents about set up, configs, etc. I realize snort is a complicated piece of software.
>>
>>
>>Anyway, I compiled and installed snort without issue. I extracted the rules, read the documentation on how to start it. I edited snort.conf, and was ready to go.
>>
>>I executed:
>>
>>/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf
>>
>>Starts up and then errors out:
>>ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"
>>
>>Eh, not too bad. So I read some more, and then edit the rule.
>>I decide to comment it out, so I can fix it later; for now, I would like to get snort running.
>>
>>Immediately follows:
>>ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!
>>
>>So, I check out this rule file and notice they all have "flow" in them.
>>I now decide something is completely wrong :)
>>
>>This is "current", as I had the same problems with the rules with 1.8.6.
>>
>>Appreciate any insight.
>


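The mismatch described in this thread (a ruleset written for snort-current loaded by snort 1.8.6, which rejects the "flow" keyword, plus a header error that snort reports as a bad port because it reads the start of the options as the port field) can be caught before snort is started. The following Python script is an added example for this archive page, not code from the Snort project or from anyone in the thread: it parses each uncommented rule, checks the seven header fields and the option keywords against a per-release keyword table, and reports every finding at once instead of one error per restart. The keyword tables are an illustrative subset assumed for the example (only the absence of "flow" from 1.8.6 comes from the thread), and the sample rules are constructed.

```python
"""Pre-flight check of a Snort rules file against a target Snort release.
Added example: the keyword tables are an illustrative assumption, not an
authoritative list for any release; only "flow" missing from 1.8.6 is taken
from the mailing-list thread this accompanies."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed/illustrative option keywords per release (not authoritative).
BASE_KEYWORDS: Set[str] = {
    "msg", "content", "uricontent", "nocase", "offset", "depth", "flags",
    "dsize", "reference", "classtype", "sid", "rev", "ttl", "itype",
    "icode", "ip_proto", "id", "seq", "ack", "ipopts", "fragbits",
}
KEYWORDS_BY_VERSION: Dict[str, Set[str]] = {
    "1.8.6": BASE_KEYWORDS,
    "current": BASE_KEYWORDS | {"flow"},   # "flow" arrived after 1.8.6
}
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# any, a $VARIABLE, a single port, or a low:high range, optionally negated
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*)$")
# split on ';' only when an even number of '"' follows, i.e. outside quotes
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def option_keywords(body: str) -> List[str]:
    """Keyword names from a rule body like 'msg:"a;b"; flow:to_server; sid:1;'."""
    names = []
    for chunk in OPTION_SPLIT_RE.split(body):
        chunk = chunk.strip()
        if chunk:
            names.append(chunk.split(":", 1)[0].strip())
    return names


def check_rule(rule: str, lineno: int, version: str) -> List[Finding]:
    """Validate one uncommented rule line for the given Snort release."""
    findings: List[Finding] = []
    head, paren, body = rule.partition("(")
    if not paren or not body.rstrip().endswith(")"):
        return [Finding(lineno, "rule options must be enclosed in parentheses")]
    body = body.rstrip()[:-1]
    fields = head.split()   # action proto src_ip src_port dir dst_ip dst_port
    if len(fields) != 7:
        return [Finding(lineno, f"rule header has {len(fields)} fields, expected 7: "
                                f"{head.strip()!r}")]
    action, proto, _src, sport, direction, _dst, dport = fields
    if action not in ACTIONS:
        findings.append(Finding(lineno, f'Unknown rule type "{action}"'))
    if proto not in PROTOCOLS:
        findings.append(Finding(lineno, f'Bad protocol name "{proto}"'))
    if direction not in ("->", "<>"):
        findings.append(Finding(lineno, f'Bad direction operator "{direction}"'))
    for port in (sport, dport):
        if not PORT_RE.match(port):
            findings.append(Finding(lineno, f'Bad port number: "{port}"'))
    known = KEYWORDS_BY_VERSION[version]
    for keyword in option_keywords(body):
        if keyword not in known:
            findings.append(Finding(lineno, f'Unknown keyword "{keyword}" in rule '
                                            f'(not supported by snort {version})'))
    return findings


def check_rules(text: str, version: str = "1.8.6") -> List[Finding]:
    """Check every active rule. Commented-out lines are skipped just as snort
    skips them, which is why bulk-uncommenting a ruleset surfaces new errors."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(check_rule(line, lineno, version))
    return findings


# Constructed sample; not the contents of any distributed rules file.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI sample"; uricontent:"/cgi-bin/sample"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample using flow"; flow:to_server,established; content:"x;y"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"commented out"; flow:to_server; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS (msg:"header missing a port"; sid:1000004; rev:1;)
alert >134 any any -> any any (msg:"bad protocol token"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    for ver in ("1.8.6", "current"):
        print(f"--- checking sample.rules for snort {ver} ---")
        for f in check_rules(SAMPLE_RULES, ver):
            print(f"sample.rules({f.line}) => {f.message}")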
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



