[Snort-users] Fwd: new snort install, error when starting snort service

Michael Giornesto mcg12 at ...11968...
Thu Apr 19 12:01:02 EDT 2007


I think there was a syntax error in the VRT rules that I had 
originally loaded, and then I did not remove those rules when I applied 
the community rules, thus still showing the VRT rule error. 

I have now removed all of the previous rules and loaded just the VRT 
rules. It looks better, however it is still throwing a fatal error. At first 
glance at the error, this appears to be my config error in snort.conf.


Thanks for the help,
Mike


Darryl Taylor wrote:
> Didn't reply-all the first time.
>
> ------------------
>
> Darryl Taylor
>
> Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
> Key: http://demo.sourcefire.com/dtaylor.pgp.key
>
> Begin forwarded message:
>
>> From: Darryl Taylor <darryl.taylor at ...1935...>
>> Date: April 18, 2007 4:50:35 PM EDT
>> To: Michael Giornesto <mcg12 at ...11968...>
>> Subject: Re: [Snort-users] new snort install, error when starting 
>> snort service
>>
>> If that is actually what it showed for that line then the line is 
>> wrong. Looks like somehow that line got corrupted. There are two 
>> alerts on the same line. Also the line is improperly terminated among 
>> other omissions. Try commenting out that line.
>>
>>
>>
>> ------------------
>>
>> Darryl Taylor
>>
>> Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
>> Key: http://demo.sourcefire.com/dtaylor.pgp.key
>>
>> On Apr 18, 2007, at 3:49 PM, Michael Giornesto wrote:
>>
>>> I have a new install that is throwing an error when trying to start 
>>> the snort service...certainly seems to be a config error in 
>>> /etc/snort/snort.conf...but I am unsure how to locate problem.
>>>
>>> ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to 
>>> parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
>>>
>>> Line 452 in /etc/snort/rules/web-misc.rules shows...
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC 
>>> TrackerCam ComGetLogFile.php3 log information disclosure"; 
>>> flow:to_server,established; content:"/ComGetLogFile.php3"; alert tcp 
>>> $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam 
>>> ComGetLogFile.php3 log information disclosure"; 
>>> flow:to_server,established; content:"/ComGetLogFile.php3";
>>>
>>>
>>> running on...
>>> FC6 2.6.20
>>> Snort 2.6.1.4
>>> Apache 2.2.3
>>> Mysql 5.0.27
>>>
>>> Any suggestions are appreciated
>>>
>>> Thanks,
>>> Mike
>>
>
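
The two problems Darryl points out for line 452 (two alerts on the same line, and a rule that is not properly terminated) can be checked for across a whole rules file before starting Snort. This is an added example, not part of the original thread and not Snort's own parser; `lint_rules`, the well-formed sample rule and its sid are constructed for illustration.

```python
import re

# Rule header start: action followed by protocol (Snort 2.x keywords).
HEADER = re.compile(
    r"\b(?:alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+(?:tcp|udp|icmp|ip)\s")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values, escapes allowed


def lint_rules(text):
    """Return [(line_number, problem)] for rule lines that look corrupted."""
    findings, pending, start = [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line.startswith("#"):
                continue
            start = num
        if line.endswith("\\"):  # backslash continues the rule on the next line
            pending += line[:-1] + " "
            continue
        rule, pending = pending + line, ""
        bare = QUOTED.sub('""', rule)  # blank out strings so their text is ignored
        headers = len(HEADER.findall(bare))
        if headers == 0:
            continue  # not a rule (e.g. a var or include line)
        if headers > 1:
            findings.append((start, f"{headers} rule headers on one line"))
        if bare.count('"') % 2:
            findings.append((start, "unbalanced double quote"))
        if bare.count("(") != bare.count(")") or not bare.endswith(")"):
            findings.append((start, "rule body not closed with ')'"))
    if pending:
        findings.append((start, "continuation runs past end of file"))
    return findings


# Constructed sample: one well-formed rule (made up), then the text the post
# quotes for line 452, where the same partial rule appears twice.
PARTIAL = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam '
           'ComGetLogFile.php3 log information disclosure"; '
           'flow:to_server,established; content:"/ComGetLogFile.php3";')
SAMPLE = "\n".join([
    "# constructed sample rules file",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed example"; '
    'content:"/example"; sid:1000001; rev:1;)',
    PARTIAL + " " + PARTIAL,
])

if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE):
        print(f"line {lineno}: {problem}")
```

The check is structural only: it does not validate option keywords or compile pcre patterns, so a file that passes can still be rejected by Snort.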
