[Snort-users] Re: getservbyname() failed on "any" when pushing snort conf

martin martin3 at ...11827...
Thu May 25 04:56:51 EDT 2006


I upgraded to latest snort. And I got it to run. However, I am using
bleedingsnort signatures and I was getting loads of errors until I
cleaned them up. This is just a sampling (Are so many errors common
with bleedingsnort sigs?):

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( sid: 1729; rev:
3; msg: "CHAT IRC channel join"; flow: to_server,established; content:
"JOIN \: \#"; offset: 0; nocase; classtype: policy-violation;
priority: 1;)

ERROR: /etc/snort/snort.eth1.conf(212) => bad escape sequence starting
with "\#". Fatal Error, Quitting..


alert tcp [132.232.0.0/16,134.33.0.0/16,138.105.0.0/16,138.252.0.0/16,143.49.0.0/16,146.100.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.0/16,160.116.0.0/16,163.125.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/16,192.160.44.0/24,192.67.16.0/24,193.11
any -> $HOME_NET any ( sid: 2400000; rev: 20; msg: "BLEEDING-EDGE DROP
Spamhaus DROP Listed Traffic Inbound"; flow: established; reference:
url,www.spamhaus.org/drop/drop.lasso; priority: 3;  threshold:  type
limit, track by_src, seconds 3600, count 1;)

ERROR: /etc/snort/snort.eth1.conf(173) => Unterminated IP List


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( sid: 2002866;
rev: 1; flow: established,to_server; pcre: "/\d/\d+.jpg/Ui"; content:
"Host\: www.winpcap.org"; nocase; content: "User-Agent\: NSISDL";
nocase; uricontent: "/install/banner/"; nocase; reference:
url,www.winpcap.org; classtype:  policy-violation; priority: 1;  (msg:
"BLEEDING-EDGE POLICY Winpcap Installation in Progress";)

ERROR: Warning: /etc/snort/snort.eth1.conf(1063) => Unknown keyword '
(msg' in rule!

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any ( sid: 2001959;
rev: 5; msg:  "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow:
established,from_server; content: "|63 6f 6d 66 69 64 65 6e 74 69 61
6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20
44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:
url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
classtype:  trojan-activity; priority: 1;)

ERROR: /etc/snort/snort.eth1.conf(1140) => getservbyname() failed on "any"

On 5/19/06, martin <martin3 at ...11827...> wrote:
> This is strange but the problem reappeared. I removed all instances of
> "any" in the variables. Now I am getting the following:
>
> ERROR: Warning: /etc/snort/snort.eth1.conf(1077) => Unknown keyword '
> (msg' in rule!
> Fatal Error, Quitting..
>
> I fixed the rule (seems like it was a bad rule from bleeding snort).
> That went away but now I get:
>
> ERROR: /etc/snort/snort.eth1.conf(1148) => getservbyname() failed on "any"
> Fatal Error, Quitting..
>
> That line is:
> alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 ( sid: 2001430;
> rev: 8; msg:  "BLEEDING-EDGE WORM Bofra Victim Accessing Reactor
> Page"; flow:  from_client,established; content: "GET "; nocase;
> content: "reactor"; nocase; reference:
> url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
> reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e at ...3071...;
> classtype:  trojan-activity; priority: 1;)
>
> I am thinking that it could be due to my older snort version. Which is
> Version 2.1.1 (Build 24).
> Could it be bleeding snort rules would not work on that one?
>
> Any help on this would be much appreciated.
>
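The four errors in this message are all parse-time failures of the rule text itself, so they can be caught before the configuration is pushed. As an added example (not code from the thread, from Snort or from the Bleeding Edge project), here is a small Python linter that reproduces three of the checks Snort ran on the rules above: the escape-sequence check on content strings (the accepted escape set `\ " : ; |` is an assumption, chosen because the thread shows `\:` passing and `\#` failing), the unterminated `[...]` IP list check on the address fields, and the option-keyword check that catches the misplaced `(msg`. The getservbyname() failure is not modelled, since the thread does not establish what triggered it; a port check that accepts `any`, numbers, ranges and `$VAR` (negated or not) is included instead, so the Hotword rule lints clean here. The sample rules are constructed from the ones quoted in the message, with the Spamhaus address list shortened.

```python
import re

# Escapes accepted inside a quoted content string. Assumption based on the
# thread: "\:" passed Snort's parser while "\#" was rejected.
ALLOWED_ESCAPES = set('\\":;|')

# One rule: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)
KEYWORD_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
# Port spec: any, $VAR, a number or a range, optionally negated with '!'
PORT_RE = re.compile(r'^!?(any|\$\w+|\d+|\d*:\d*)$')


def split_options(opts):
    """Split the option block on ';' outside quotes, keeping backslash pairs intact."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and i + 1 < len(opts):
            cur.extend(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append(''.join(cur).strip())
    return [it for it in items if it]


def check_address(field, label, errors):
    # An address list opened with '[' must be closed with ']' in the same token
    addr = field.lstrip('!')
    if addr.startswith('[') and not addr.endswith(']'):
        errors.append(f'Unterminated IP List in {label} address')


def check_content(value, errors):
    # Walk the quoted string and reject any backslash escape outside the allowed set
    body = value.strip().lstrip('!').strip()
    if not (len(body) >= 2 and body[0] == '"' and body[-1] == '"'):
        errors.append('content value is not a quoted string')
        return
    inner, i = body[1:-1], 0
    while i < len(inner):
        if inner[i] == '\\':
            nxt = inner[i + 1] if i + 1 < len(inner) else ''
            if nxt not in ALLOWED_ESCAPES:
                errors.append(f'bad escape sequence starting with "\\{nxt}"')
            i += 2
        else:
            i += 1


def lint_rule(rule):
    """Return a list of error strings for one Snort rule ([] when it looks clean)."""
    errors = []
    m = HEADER_RE.match(rule)
    if not m:
        return ['cannot parse rule header']
    check_address(m['src'], 'source', errors)
    check_address(m['dst'], 'destination', errors)
    for label in ('sport', 'dport'):
        if not PORT_RE.match(m[label]):
            errors.append(f'unrecognised port spec {m[label]!r}')
    for opt in split_options(m['opts']):
        keyword, _, value = opt.partition(':')
        keyword = keyword.strip()
        if not KEYWORD_RE.match(keyword):
            errors.append(f"Unknown keyword '{keyword}' in rule")
        elif keyword in ('content', 'uricontent'):
            check_content(value, errors)
    return errors


# Constructed samples: the broken rules quoted in the thread (IP list shortened),
# plus the Hotword rule, whose failure this linter does not reproduce.
RULES = {
    'irc_join': r'alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( sid: 1729; rev: 3; '
                r'msg: "CHAT IRC channel join"; flow: to_server,established; '
                r'content: "JOIN \: \#"; offset: 0; nocase; classtype: policy-violation; priority: 1;)',
    'spamhaus_drop': 'alert tcp [132.232.0.0/16,134.33.0.0/16,193.11 any -> $HOME_NET any ( sid: 2400000; '
                     'rev: 20; msg: "BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; '
                     'flow: established; priority: 3; threshold: type limit, track by_src, seconds 3600, count 1;)',
    'winpcap': r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( sid: 2002866; rev: 1; '
               r'flow: established,to_server; pcre: "/\d/\d+.jpg/Ui"; content: "Host\: www.winpcap.org"; '
               r'nocase; uricontent: "/install/banner/"; nocase; classtype: policy-violation; priority: 1; '
               r'(msg: "BLEEDING-EDGE POLICY Winpcap Installation in Progress";)',
    'hotword': 'alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any ( sid: 2001959; rev: 5; '
               'msg: "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow: established,from_server; '
               'content: "|63 6f 6d 66 69 64 65 6e 74 69 61 6c|"; classtype: trojan-activity; priority: 1;)',
}


def lint_all(rules=RULES):
    return {name: lint_rule(rule) for name, rule in rules.items()}


if __name__ == '__main__':
    for name, errs in lint_all().items():
        print(name, '->', errs or 'OK')
```

Running the script over a rules file one rule per line before restarting the sensor turns the fatal-at-startup errors above into a report you can fix in one pass; anything that still fails at startup (such as the getservbyname() case) is then known to be a variable or version problem rather than rule syntax.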
