[Snort-users] Snort 2.9.0 DCE RPC error [SOLVED] and more

Nigel Houghton nhoughton at ...1935...
Tue Oct 5 11:11:11 EDT 2010


The 2.9 rules are available for registered users already. See 
http://www.snort.org/snort-rules/?#rules

Great URI I know, did I mention we don't run the infrastructure 
recently?

On Tue, 5 Oct 2010 08:41:38 -0600, James Lay wrote:
> Hey All,
> 
> Did an upgrade from 2.8.6.1 to 2.9.0 from source on Slackware 12.1.  Below
> is the error I saw:
> 
> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5
> (-1)
> 
> After checking /usr/local/lib/snort_dynamicpreprocessor, lo and behold,
> old libs.  Nuked those out, but then I got:
> 
> ERROR: /usr/local/etc/snort/rules/web-client.rules(357) byte_test option
> has bad comparison value: 186a0.
> 
> ERROR: /usr/local/etc/snort/rules/web-client.rules(359) byte_test option
> has bad comparison value: 186a0.
> 
> Which leads me to a question and feature request.  Can snort include
> something in the future to detect old libs?  I've seen ntop do this, so I
> think it's possible.  And in regards to the rules, what do shmoes like me
> do when we upgrade, but aren't using VRT rules?  I'm now running 2.9.0 on
> 2.8.6.1 rules, and as seen above, that's not always a pretty scene as I've
> had to comment out the above rules.  However, as I understand it, I won't
> have access to 2.9.0 rules for another month, yes?  What's the best course
> of action?  Wait a month to upgrade when the new rulesets mesh with the
> new version of snort?  Or plod ahead in hopes that old version rules work
> with new version snort?  Is there no way to do a new snort release coupled
> with, if not a complete initial new ruleset, at least certain sets
> (web-clients.rules) that fix surprises like the above?
> 
> Danke, thanks, and all that stuff.
> 
> James
> 
> 
> 
------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/




More information about the Snort-users mailing list