[Snort-users] Snort rules trouble.

Jason Gauthier jgauthier at ...6155...
Fri Jun 21 11:42:03 EDT 2002


I understand now.

The rules supplied separately have variables supplied for the ports.
The rules supplied with the distribution have them statically entered.

Thanks a lot!



>-----Original Message-----
>From: Slighter, Tim [mailto:tslighter at ...5174...]
>Sent: Friday, June 21, 2002 2:36 PM
>To: 'Jason Gauthier'; snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Snort rules trouble.
>
>
>Just like Matt Kettler said, and I'm pretty sure he is right. You need to
>stick with the rules that come with the 1.86 build and NOT use the
>snortrules.tar.gz
>
>-----Original Message-----
>From: Jason Gauthier [mailto:jgauthier at ...6155...]
>Sent: Friday, June 21, 2002 12:01 PM
>To: snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Snort rules trouble.
>
>
>Since my original mailing I received several other emails asking what I
>downloaded, what I was using, whether I'm mixing versions, etc.
>
>Let me clarify:
>Originally I downloaded and installed snort-1.8.6, and its rules.
>Compiled, and installed.
>
>Snort didn't work with the following command:
>/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c 
>/opt/snort/etc/snort.conf
>
>So, I deleted it, and tried current.
>This is where I ran into the problem I posted.
>
>Taking your advice to heart, as I am relatively new to the product, I began
>again.
>
>The following is what I have just done with snort-1.8.6:
>rm -r /opt/snort
>configured, compiled, installed snort into /opt/snort.
>made the following directories:
>/opt/snort/etc
>/opt/snort/logs
>/opt/snort/rules
>
>move all rules from snortrules.tar.gz to /opt/gnome/rules.
>copied snort.conf and classifications.conf to /opt/gnome/etc
>Edited snort.conf
>Changed my HOME_NET and RULE_PATH, along with uncommenting the commented-out
>rules.
>
>Ran the following command:
>/opt/snort/bin/snort -dev -l /opt/snort/logs/ -c 
>/opt/snort/etc/snort.conf
>
>Receive the following error:
>[!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
>"(msg:"WEB-CGI"
>
>Which happens to be the same error I ran into the first time I 
>ran snort.
>
>I commented out line #8, which is the first line of the rule.
>Then I get the same error with line #9. (As I was suspecting)
>
>So, I tried to remove web-cgi.
>The next rule in the list web-coldfusion spits out an error.
>I remove coldfusion...
>The next rule in the list web-iis spits out an error.
>
>At this point, I'm back here.
>
>Any ideas?
>Again: snort 1.8.6, with snortrules.tar.gz
>Straight from the snort website.
>
>(The rules are dated today)
>
>
>
>
>>-----Original Message-----
>>From: Matt Kettler [mailto:mkettler at ...4108...]
>>Sent: Friday, June 21, 2002 1:11 PM
>>To: Jason Gauthier; snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] Snort rules trouble.
>>
>>
>>It would sound like you are trying to use rules which are for snort-current
>>(aka: development version) on a snort which is snort 1.8.6.
>>
>>Either that or you are using a "rule management" tool (I forget the name..
>>hogwash was it?) that has a default behavior of uncommenting all the rules
>>before it runs. There's a command line switch to stop that.
>>
>>Any rule with the word "flow" in it is not intended for snort 1.8.6 or
>>earlier, but 1.8.6's ruleset has a few with that keyword in it, which are
>>commented out in the files. Try re-extracting your rules files from the
>>snort 1.8.6 source tarball and not running them through any tools.
>>
>>
>>At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
>>>Greetings-
>>>
>>>I just installed snort, so I'm a completely new user. I've been reading many
>>>documents about set up, configs, etc.  I realize snort is a complicated
>>>piece of software.
>>>
>>>
>>>Anyway, I compiled and installed snort without issue.  I extracted the
>>>rules, read the documentation on how to start it.  I edit a snort.conf, and
>>>was ready to go.
>>>
>>>I executed:
>>>
>>>/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf
>>>
>>>Starts up and then errors out:
>>>ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"
>>>
>>>Eh, not too bad. So I read some more, and then edit the rule.
>>>I decide to comment it out, so I can fix it later; for now, I would like to
>>>get snort running.
>>>
>>>Immediately follows:
>>>ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!
>>>
>>>So, I check out this rule file and notice they all have "flow" in them.
>>>I now decide something is completely wrong :)
>>>
>>>This is "current", as I had the same problems with the rules with 1.8.6.
>>>
>>>Appreciate any insight.
>>
>
>
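The mismatch this thread turns on, rules downloaded separately that reference port variables the bundled snort.conf of an older build never defines and that use options such as `flow` which Snort 1.8.6 does not parse, can be caught before Snort is started. The linter below is an added example, not code from this thread or from the Snort project: it handles only a simplified subset of the rule grammar (single-line rules, `var NAME VALUE` definitions), the variable names other than HOME_NET, the version threshold recorded for `flow` and the sample rule and config text are constructed assumptions.

```python
"""Pre-flight linter for Snort rule files (added example, not Snort's own code).

It reports the two mismatches discussed in the thread before Snort is started:
  * rule options (such as `flow`) that the target Snort version does not parse
  * $VARIABLES used in a rule header that the given snort.conf never defines

The Snort rule grammar handled here is a simplified subset (single-line rules,
`var NAME VALUE` definitions); the version threshold for `flow` is an assumption.
"""
import re

# Assumption for illustration: option name -> first Snort version that parses it.
# The thread only states that 1.8.6 rejects `flow`; (1, 9) is a placeholder.
OPTION_MIN_VERSION = {
    "flow": (1, 9),
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
DEFINE_RE = re.compile(r"^\s*var\s+(\S+)\s+\S")


def parse_version(text):
    """'1.8.6' -> (1, 8, 6) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def defined_vars(conf_text):
    """Names declared with `var NAME VALUE` in a snort.conf."""
    names = set()
    for line in conf_text.splitlines():
        match = DEFINE_RE.match(line)
        if match:
            names.add(match.group(1))
    return names


def option_names(opts):
    """Option keywords from the body of a rule, splitting on ';' outside quotes."""
    names, buf, in_quote, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                names.append(token.split(":", 1)[0].strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    token = "".join(buf).strip()
    if token:
        names.append(token.split(":", 1)[0].strip())
    return names


def lint_rules(rules_text, conf_text, snort_version):
    """Return [(line_no, message), ...] for rules that would make Snort refuse to start."""
    target = parse_version(snort_version)
    known = defined_vars(conf_text)
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out rule
        match = HEADER_RE.match(stripped)
        if not match:
            findings.append((line_no, "unparseable rule header"))
            continue
        header = " ".join(match.group("src", "sport", "dst", "dport"))
        for var in VAR_RE.findall(header):
            if var not in known:
                findings.append((line_no, f"undefined variable ${var} in header"))
        for opt in option_names(match.group("opts")):
            needed = OPTION_MIN_VERSION.get(opt)
            if needed and target < needed:
                label = ".".join(str(n) for n in needed)
                findings.append((line_no, f"option '{opt}' needs Snort {label}+"))
    return findings


# Constructed sample inputs (not from any real snort.conf or rules file).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# HTTP_PORTS deliberately left undefined, as in an older bundled snort.conf
"""

SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CGI sample"; flow:to_server,established; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI static port"; content:"/cgi-bin/"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    for version in ("1.8.6", "1.9.0"):
        print(f"Snort {version}:")
        for line_no, message in lint_rules(SAMPLE_RULES, SAMPLE_CONF, version):
            print(f"  rules({line_no}) => {message}")
```

Run against the constructed sample, the 1.8.6 pass flags line 2 twice (the undefined `$HTTP_PORTS` in the header and the `flow` option), while the rule with the port written statically on line 3 passes; this is the difference between the separately downloaded ruleset and the one shipped in the tarball that the thread ends on.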



