AW: [Snort-users] Help with content-list usage - Unable to open list file: Sven_da_duder

Sean Wheeler s.wheeler at ...2876...
Thu Oct 17 09:08:04 EDT 2002


If no path is placed in the content-list:

It will look in the chroot root directory

-----Ursprungliche Nachricht-----
Von: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]Im Auftrag von Sean
Wheeler
Gesendet: Donnerstag, 17. Oktober 2002 17:45
An: snort-users at lists.sourceforge.net
Betreff: AW: [Snort-users] Help with content-list usage - Unable to open
list file: Sven_da_duder


Response to myself ;)

changed rules to :
alert tcp $ANY_Servers $any -> $ANY_Servers $http (msg:"New Style Custom
Rules";classtype:web-application-attack;content-list:/etc/rules/Sven_da_dude
r;)

i.e. gave the path in the rules reletive to the chroot (
content-list:/etc/rules/Sven_da_duder)

seems to work now
Was no need to add it to the conf file as an include

regards
Sean

-----Ursprungliche Nachricht-----
Von: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]Im Auftrag von Sean
Wheeler
Gesendet: Donnerstag, 17. Oktober 2002 17:33
An: snort-users at lists.sourceforge.net
Betreff: [Snort-users] Help with content-list usage - Unable to open
list file: Sven_da_duder


hi,

I have setup a rule :
alert tcp $ANY_Servers $any -> $ANY_Servers $http (msg:"Custom
Rules";classtype:web-application-attack;content-list:Sven_da_duder;)

Don't worry about the rule except for the content-list:Sven_da_duder piece

When I run snort with :

/usr/local/sensor/bin/snort -t /usr/local/sensor -N -c /etc/snorted.conf -i
eth0 -T

I get :
....
database: using the "alert" facility
Unable to open list file: Sven_da_duder
Fatal Error, Quitting..

I have placed the file Sven_da_duder in /usr/local/sensor/etc &
/usr/local/sensor/etc/rules

I tried popping it in /usr/local/sensor/bin aswell and still no joy

permission 644 so all can read the file

Do I need to make an include in my conf file for each content-list file?

I am a lil stumped, your help would be much appreciated

regards

Sean



-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list