[Snort-users] Snort 2.9.0 DCE RPC error [SOLVED] and more

James Lay jlay at ...13475...
Tue Oct 5 11:40:46 EDT 2010

Yea that fixed the web-client.rules issue.  For a taste of the fun, here's
a breakdown of this upgrade:

wget, extract, configure, compile, install daq
wget, extract, configure, compile, install libdnet
wget, extract, configure, compile, install libpcap (this is on me..12.1
slackware ;))
wget, extract, configure, compile, install snort
modify snort.conf to match the old snort.conf (pretty easy this go round)
run /usr/local/bin/create-sidmap.pl to create new sid-map file
run snort -T -c /usr/local/etc/snort/snort.conf for testing
remove old libs from /usr/local/lib/snort_dynamic*
run snort -T -c /usr/local/etc/snort/snort.conf for testing
comment out lines 5347, 539 in web-client.rules
run snort -T -c /usr/local/etc/snort/snort.conf for testing (success)
wget, extract, copy over newly posted (at least for me) new snortrules
run /usr/local/bin/create-sidmap.pl to create new sid-map file
run snort -T -c /usr/local/etc/snort/snort.conf for testing (success)
run /etc/rc.d/rc.snort and monitor cpu/mem usage

Those of you who get a nifty package should count your blessings :P 
Running smooth here thank you.


> The 2.9 rules are available for registered users already. See
> http://www.snort.org/snort-rules/?#rules
> Great URI I know, did I mention we don't run the infrastructure
> recently?
> On Tue, 5 Oct 2010 08:41:38 -0600, James Lay wrote:
>> Hey All,
>> Did an upgrade from to 2.9.0 from source on Slackware 12.1.
>> Below
>> is the error I saw:
>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version
>> 1.1.5
>> (-1)
>> After checking /usr/local/lib/snort_dynamicpreprocessor, lo and behold,
>> old libs.  Nuked those out, but then I got:
>> ERROR: /usr/local/etc/snort/rules/web-client.rules(357) byte_test option
>> has bad comparison value: 186a0.
>> ERROR: /usr/local/etc/snort/rules/web-client.rules(359) byte_test option
>> has bad comparison value: 186a0.
>> Which leads me to a question and feature request.  Can snort include
>> something in the future to detect old libs?  I've seen ntop do this, so
>> I
>> think it's possible.  And in regards to the rules, what do shmoes like
>> me
>> do when we upgrade, but aren't using VRT rules?  I'm now running 2.9.0
>> on
>> rules, and as seen above, that's not always a pretty scene as
>> I've
>> had to comment out the above rules.  However, as I understand it, I
>> won't
>> have access to 2.9.0 rules for another month, yes?  What's the best
>> course
>> of action?  Wait a month to upgrade when the new rulesets mesh with the
>> new version of snort?  Or plod ahead in hopes that old version rules
>> work
>> with new version snort?  Is there no way to do a new snort release
>> coupled
>> with, if not a complete initial new ruleset, at least certain sets
>> (web-clients.rules) that fix surprises like the above?
>> Danke, thanks, and all that stuff.
>> James
> ------------------------------------------------------------------------------
>> Beautiful is writing same markup. Internet Explorer 9 supports
>> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
>> Spend less time writing and  rewriting code and more time creating great
>> experiences on the web. Be a part of the beta today.
>> http://p.sf.net/sfu/beautyoftheweb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

More information about the Snort-users mailing list