[Snort-users] Snort rules touble.

Slighter, Tim tslighter at ...5174...
Fri Jun 21 11:54:08 EDT 2002


Will this also resolve the "flow" issue that is happening?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Friday, June 21, 2002 12:26 PM
To: Jason Gauthier
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort rules touble.


On Fri, 21 Jun 2002, Jason Gauthier wrote:

[...snip...]

> move all rules from snortrules.tar.gz to /opt/gnome/rules.
> copied snort.conf and classifications.conf to /opt/gnome/etc
> Edited snort.conf
> Canged my HOME_NET and RULE_PATH, along with uncommenting the commented
out
> rules.

Ok, here's where your problem is.  You didn't _finish_ editing snort.conf.
:)

[...snip...]

> Receive the following error:
> [!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
> "(msg:"WEB-CGI"

Let's look at that rule:
--
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi";
content:"../../"; content:"%00"; flags:A+; reference:bugtraq,2314;
reference:cve,CAN-2001-0253;  classtype:web-application-attack; sid:803;
rev:6;)
--

Now, looking at your error it shows that you did not define the variable
$HTTP_PORTS, since it things that '"(msg:"WEB-CGI"' is the port.

> Any ideas?

Yep.  Define $HTTP_PORTS in snort.conf.  Your problems will go away, and no
need to commentout or remove any rules from the 1.8.6 ruleset.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list