Snort mailing list archives
Re: new ruleset gives a fatal error
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Aug 2002 17:03:37 -0400
Diff your snort.conf against the one that was included with the rules tarball you downloaded.
There's probably a new var SHELLCODE_PORTS or var HTTP_PORTS, etc that you are missing that's used in exploit.rules line number 22.
You can't use an old snort.conf with new rule files without giving the new snort.conf that comes in the tarball a quick check-over. The two are inherently inter-related, which is why the rules tarball comes with a new .conf file.
At 01:30 PM 8/19/2002 -0700, twig les wrote:
Hey all,

I just dl'd the current ruleset today (Monday 8/19/02) and now Snort won't start. Running my config with -T gives me:

[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..

I will paste the entire output at the end, but that's the ticket right there. I've been looking thru exploit.rules and tried commenting out a few rules that looked suspicious, but no luck. Does anyone know which rule this is?

Note that I have Snort 1.8.6 and this config has been running fine for months with these exact startup options. This includes weekly rules updates.

===================================================
snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
Log directory = /var/log/snort
Initializing Network Interface ti0
--== Initializing Snort ==--
Decoding Ethernet on interface ti0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..
=====================================================

-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
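The check suggested in the reply above (looking for a variable that the new rule files use but the old snort.conf never declares) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, the sample config and rules are constructed, and it only handles plain `var NAME value` declarations and `$NAME` references in rule headers.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+\S")  # snort.conf line: var NAME value
VAR_REF = re.compile(r"\$(\w+)")               # $NAME reference in a rule header

def defined_vars(conf_text):
    """Return the set of variable names declared in snort.conf text."""
    names = set()
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)  # commented-out 'var' lines do not match
        if m:
            names.add(m.group(1))
    return names

def undefined_refs(rules_text, defined, filename="rules"):
    """Return (filename, line_no, var) for header variables not in 'defined'."""
    missing = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Only the header (before the option list) takes variables; a '$'
        # inside content:"..." is payload text, not a reference.
        header = stripped.split("(", 1)[0]
        for name in VAR_REF.findall(header):
            if name not in defined:
                missing.append((filename, no, name))
    return missing

# Constructed sample: an older config in which SHELLCODE_PORTS is not declared.
OLD_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET any
# var SHELLCODE_PORTS !80
include exploit.rules
"""

# Constructed rules, not taken from the real exploit.rules.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed rule A"; content:"$USER";)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed rule B";)
"""

if __name__ == "__main__":
    found = undefined_refs(SAMPLE_RULES, defined_vars(OLD_CONF), "exploit.rules")
    for fname, no, var in found:
        print(f"{fname}({no}): ${var} is not declared in snort.conf")
```

Run against the real files by reading snort.conf and each included .rules file into the two functions; the reported line number is in the same file(line) form as Snort's own error message.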
Current thread:
- new ruleset gives a fatal error twig les (Aug 19)
- Re: new ruleset gives a fatal error twig les (Aug 19)
- Re: new ruleset gives a fatal error hackerwacker (Aug 19)
- Re: new ruleset gives a fatal error Matt Kettler (Aug 19)
- Re: new ruleset gives a fatal error twig les (Aug 19)
- Re: new ruleset gives a fatal error twig les (Aug 19)