[Snort-users] snort.conf issues

eric erict70445 at ...11827...
Mon Dec 24 22:49:13 EST 2012


I am having a problem when testing my snort configuration file. I have
Snort set up on a Vista (32-bit) system following the install guide. I have
set all the variables correctly as far as network and path to rules and so
on. When I run the test command (snort -d -l C:\snort\log -c
C:\Snort\etc\snort.conf -i 3 -T ) it seems to do well until after checking
the blacklist.rules file, after which I get the following lines in my
terminal:

(464) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTT
P_PORTS (msg:"BLACKLIST URI request for known malicious URI -
.sys.php?getexe=";
 flow:established,to_server; content:".sys.php?getexe="; nocase; http_uri;
metad
ata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
service
 http; reference:url,
www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c
2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138;
classtype:trojan-a
ctivity; sid:19625; rev:1;)
      (466) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTT
P_PORTS (msg:"BLACKLIST URI request for known malicious URI -
/VertexNet/adduser
.php?uid="; flow:established,to_server;
content:"/VertexNet/adduser.php?uid=|7B|
"; nocase; http_uri; content:"cmpname="; nocase; http_uri;
pcre:"/\/VertexNet\/a
dduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/Ui";
metadata:impact
_flag red, policy balanced-ips drop, policy security-ips drop, service
http; ref
erence:url,
www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd
2c8e56135c86068e78332c482a1afc862688bb8-1311841310;
classtype:trojan-activity; s
id:19632; rev:1;)
      Additional address is invalid but not printed.
    Reputation entries loaded: 0, invalid: 92, re-defined: 0  (from file
C:\Snor
t\rules\rules\blacklist.rules)
ERROR:  c:\snort\etc\snort.conf(533) => Invalid argument: include
Fatal Error, Quitting..
Could not set the event message file.

I have included the last two entries the test displayed plus the error
message. If anyone can give me an idea of what is going on it would be
greatly appreciated.


Thank you,
Eric T.
erict70445 at ...11827...