[Snort-users] Help w/ Bleeding Snort Rules on XP

James Bruce jbruce at ...13308...
Thu Jun 9 11:47:45 EDT 2005


First off I'm new to snort, so sorry if my questions seem lame and
newbish ;) 
I have snort running on an XP pc with one interface with MSSQL 8. I also
have BASE using IIS and IDSCenter for email and audible alarms.
Everything is working fine except when I try to use a few Bleeding snort
rules. I get some errors when trying to run snort from the cmd prompt. I
normally use the IDSCenter to start snort but I test the rules through
the cmd prompt. Here is the output I get when I run snort from the cmd
prompt. 

D:\win-ids\Snort\bin>D:\win-ids\Snort\bin\snort.exe -i3 -c "D:\win-ids\Snort\etc\snort.conf" -l "D:\snortlogs"
Running in IDS mode

Initializing Network Interface
\Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\win-ids\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE

Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All

Portscan2 config:
    log: D:\snortlogs/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
alert_syslog output processor is defaulting to syslog server on 127.0.0.1 port 514!
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database:          host = 127.0.0.1
database:          port = 1433
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = cube99
database: SQL Server message 5701, state 2, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99', Line 1
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database:          host = 127.0.0.1
database:          port = 1433
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = cube99
database: SQL Server message 5701, state 2, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99', Line 1
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: D:\win-ids\Snort\rules/bleeding-virus.rules(129) => getservbyname() failed on "any"
Fatal Error, Quitting..

This also happens on other rules, plus I just saw the SQL error.
Will have to look that up.

ERROR: Undefined variable name: (D:\win-ids\Snort\rules/bleeding-malware.rules:1):
Fatal Error, Quitting..

Guess I should mention how I get the rules. This might be the wrong way
to do this also. All I do is copy them off the web site into notepad and
save them as whatever.rules in the rules folder, then edit the
snort.conf to see them. 

These rules work fine:
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-inappropriate.rules

These rules don't:
#include $RULE_PATH/bleeding-custom.rules
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/bleeding-virus.rules

Does anyone know how to fix this? Any help in the right direction
would be appreciated. Sorry for such a long email.
Thanks,
-Jimmy
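A pre-check for a rules file copied by hand, added here as an example and not part of the original post or of Snort itself: it reads the `var` definitions from snort.conf and flags the two classes of error the startup output above reports, a `$VARIABLE` in a rule header that snort.conf never defines, and a port field that is not numeric, a range, a list, a variable or `any` (which Snort would otherwise try to resolve as a service name). The snort.conf fragment and the rule lines are constructed, and the header regex is a simplification of what Snort accepts.

```python
import re

# Constructed snort.conf excerpt (not the poster's real configuration).
SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80
var RULE_PATH D:\\win-ids\\Snort\\rules
"""

# Constructed rules: line 1 is fine, line 2 uses an undefined variable,
# line 3 has a bad port field, lines 4-5 are one rule wrapped by an editor.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ok rule"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORTS (msg:"undefined var"; sid:2000002; rev:1;)
alert tcp any anyy -> $HOME_NET 25 (msg:"bad port"; sid:2000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"wrapped across two lines";
sid:2000004; rev:1;)
"""

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# Accepts: any, 80, 1024:, :1023, 1:100, [80,443], $VAR, each optionally negated.
PORT_RE = re.compile(r"^!?(any|\d+|\d*:\d*|\[[^\]]+\]|\$\w+)$")
# action proto src sport dir dst dport (  -- the seven-field Snort rule header
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def parse_vars(conf):
    """Return the names defined with 'var NAME value' in a snort.conf text."""
    return {m.group(1) for m in re.finditer(r"^\s*var\s+(\w+)\s", conf, re.M)}

def check_rules(rules_text, defined_vars):
    """Return (line_number, problem) tuples for rule headers Snort would reject."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((lineno, "header does not parse (wrapped line?)"))
            continue
        action, _proto, _src, sport, _dir, _dst, dport = m.groups()
        if action not in ACTIONS:
            problems.append((lineno, f"unknown action {action!r}"))
        header_only = line.split("(", 1)[0]
        for var in re.findall(r"\$(\w+)", header_only):
            if var not in defined_vars:
                problems.append((lineno, f"undefined variable ${var}"))
        for port in (sport, dport):
            if not PORT_RE.match(port):
                problems.append((lineno, f"port {port!r} is not numeric/range/any"))
    return problems

if __name__ == "__main__":
    for lineno, problem in check_rules(RULES, parse_vars(SNORT_CONF)):
        print(f"line {lineno}: {problem}")
```

Run it against a real rules file and snort.conf before adding the include line, so the bad rule is located by line number without a restart of the sensor.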
