[Snort-users] Problem using SnortCenter with Snort

Mike Wohlgemuth mjw at ...9585...
Mon Jun 30 07:18:15 EDT 2003


edward.hawkins at ...9405... wrote:

>I am trying to push out changes to my sensor. When I do a reload I get an
>error message " ERROR: ERROR /etc/snort/snort.eth0.conf (95): Bad arguments
>to byte_test:"
>  
>
I'm seeing this as well.  I've been meaning to put together a post about 
it, but I hadn't had time yet.  Since you've asked, here goes:

The problem is with sid 1882.  If you want, you can just disable that 
rule and push the changes again.  Here is the rule (cut and pasted from 
snortcenter):

( sid: *1882;* rev: *9;* msg: *"ATTACK-RESPONSES id check returned 
userid";* content: "uid="; byte_test: 5,<,65537,0,relative,string; 
content: " gid="; distance: 0; within: 15; byte_test: ; byte_test: 
5,<,65537,0,relative,string; classtype: bad-unknown;)

Notice the "byte_test: ; byte_test".  This is the problem.  I don't see 
a way to edit the byte_test field from snortcenter, but I was able to 
use mysql to fix the rule using the following sql:

update content set byte_test='5,<,65537,0,relative,string' where 
sid=1882 and distance=0;

Unfortunately, every time you update the rules, you need to fix the rule 
again.

Mike
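
Added example, not part of the original post and not SnortCenter or Snort code: a pre-push check that flags an empty or malformed byte_test option, such as the "byte_test: ;" described above, before the generated configuration reaches the sensor. The function names, the rule header in the sample and the operator set are assumptions, and only the first three byte_test fields are validated.

```python
import re

# Operators allowed in byte_test's second field (assumed Snort 2.x set).
OPERATORS = {"<", ">", "=", "!", "&", "^", "<=", ">="}
# One option: plain characters, backslash escapes, or a whole quoted string.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def split_options(rule):
    """Split the parenthesised option list into (keyword, argument) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = [p.partition(":") for p in OPTION_RE.findall(body) if p.strip()]
    return [(key.strip(), arg.strip()) for key, _, arg in pairs]

def check_byte_test(arg):
    """Return a problem description, or None if the required fields parse."""
    if not arg:
        return "empty argument list"
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) < 4:
        return "need bytes,operator,value,offset"
    nbytes, op, value = fields[:3]
    if not nbytes.isdigit():
        return "byte count is not a number"
    if op not in OPERATORS and not (op[:1] == "!" and op[1:] in OPERATORS):
        return "unknown operator"
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+|\d+", value):
        return "value is not a number"
    return None

def lint_rule(rule):
    """List (option position, problem) for every malformed byte_test."""
    found = []
    for pos, (key, arg) in enumerate(split_options(rule), start=1):
        problem = check_byte_test(arg) if key == "byte_test" else None
        if problem:
            found.append((pos, problem))
    return found

# Constructed sample: the options quoted in the post behind a made-up header.
BT = "byte_test:5,<,65537,0,relative,string"
OPTS = ['msg:"ATTACK-RESPONSES id check returned userid"', 'content:"uid="', BT,
        'content:" gid="', "distance:0", "within:15", "byte_test: ", BT,
        "classtype:bad-unknown", "sid:1882", "rev:9"]
BROKEN = "alert tcp any any -> any any (" + "; ".join(OPTS) + ";)"
FIXED = BROKEN.replace("byte_test: ; ", "", 1)

if __name__ == "__main__":
    print(lint_rule(BROKEN), lint_rule(FIXED))
```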





