[Snort-users] Snort rules touble.

Slighter, Tim tslighter at ...5174...
Fri Jun 21 11:54:08 EDT 2002

Will this also resolve the "flow" issue that is happening?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Friday, June 21, 2002 12:26 PM
To: Jason Gauthier
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort rules touble.

On Fri, 21 Jun 2002, Jason Gauthier wrote:


> move all rules from snortrules.tar.gz to /opt/gnome/rules.
> copied snort.conf and classifications.conf to /opt/gnome/etc
> Edited snort.conf
> Changed my HOME_NET and RULE_PATH, along with uncommenting the commented
> rules.

Ok, here's where your problem is.  You didn't _finish_ editing snort.conf.


> Receive the following error:
> [!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
> "(msg:"WEB-CGI"

Let's look at that rule:
HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi";
content:"../../"; content:"%00"; flags:A+; reference:bugtraq,2314;
reference:cve,CAN-2001-0253;  classtype:web-application-attack; sid:803;

Now, looking at your error it shows that you did not define the variable
$HTTP_PORTS, since it thinks that '"(msg:"WEB-CGI"' is the port.

> Any ideas?

Yep.  Define $HTTP_PORTS in snort.conf.  Your problems will go away, and no
need to comment out or remove any rules from the 1.8.6 ruleset.


Erek Adams
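
Added example (not part of the original thread and not Snort's own code): a pre-flight check that lists every variable used in a rule header but never defined with an uncommented "var NAME VALUE" line in snort.conf, plus a small model of the token shift described above. The sample config, sample rule, sid and function names are constructed for illustration.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")   # uncommented "var NAME VALUE"
VAR_REF = re.compile(r"\$(\w+)")                    # "$NAME" reference

# Constructed sample input: HTTP_PORTS is left commented out.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
# var HTTP_PORTS 80
"""
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
               '(msg:"WEB-CGI constructed sample"; uricontent:"/sample.cgi"; sid:1000001;)')

def defined_vars(conf_text):
    """Return {name: value} for every uncommented var line."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def undefined_vars(conf_text, rules_text):
    """Map each undefined variable to the rule line numbers whose header uses it."""
    known = defined_vars(conf_text)
    missing = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]          # header ends where options begin
        for name in VAR_REF.findall(header):
            if name not in known:
                missing.setdefault(name, []).append(lineno)
    return missing

def port_token(rule, conf_text):
    """Model of the explanation above (an assumption, not Snort's parser):
    an undefined variable expands to nothing, so the 7th whitespace-separated
    field, normally the destination port, becomes the start of the options."""
    known = defined_vars(conf_text)
    expanded = VAR_REF.sub(lambda m: known.get(m.group(1), ""), rule)
    return expanded.split()[6]

if __name__ == "__main__":
    print("undefined:", undefined_vars(SAMPLE_CONF, SAMPLE_RULE))
    print("token read as port:", port_token(SAMPLE_RULE, SAMPLE_CONF))
```

Run it against the real snort.conf and every file under RULE_PATH before starting Snort; an empty result means every header variable is defined.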
