Snort mailing list archives
Re: Problem using SnortCenter with Snort
From: Mike Wohlgemuth <mjw () woogie net>
Date: Mon, 30 Jun 2003 10:17:10 -0400
edward.hawkins () acuitysp com wrote:
> I am trying to push out changes to my sensor. When I do a reload I get an error message " ERROR: ERROR /etc/snort/snort.eth0.conf (95): Bad arguments to byte_test:"

I'm seeing this as well. I've been meaning to put together a post about it, but I hadn't had time yet. Since you've asked, here goes:
The problem is with sid 1882. If you want, you can just disable that rule and push the changes again. Here is the rule (cut and pasted from snortcenter):
( sid: *1882;* rev: *9;* msg: *"ATTACK-RESPONSES id check returned userid";* content: "uid="; byte_test: 5,<,65537,0,relative,string; content: " gid="; distance: 0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string; classtype: bad-unknown;)
Notice the "byte_test: ; byte_test". This is the problem. I don't see a way to edit the byte_test field from snortcenter, but I was able to use mysql to fix the rule using the following sql:
update content set byte_test='5,<,65537,0,relative,string' where sid=1882 and distance=0;
Unfortunately, every time you update the rules, you need to fix the rule again.
Mike
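A pre-push check for the failure described in the message above, as an added example that is not part of the original post or of SnortCenter: it scans a generated Snort config for any option written as `keyword:` with no value, such as the `byte_test: ;` in sid 1882. The sample config and its rule headers are constructed, and each rule is assumed to sit on a single line.

```python
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# Constructed sample: line 3 carries the options quoted in the post; rule headers are assumed.
SAMPLE_CONF = r'''# constructed sample config
alert tcp any any -> any 80 (msg:"constructed; semicolon in string"; content:"a\;b:"; nocase; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; within:15; byte_test: ; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:9;)
'''


def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def find_empty_options(conf_text):
    """Return (line_no, sid, keyword) for every 'keyword:' that has no value."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith(RULE_ACTIONS) or "(" not in line or not line.endswith(")"):
            continue  # comments, var/preprocessor lines, multi-line rules
        body = line[line.index("(") + 1:-1]
        opts = [opt.partition(":") for opt in split_options(body)]
        sid = next((v.strip() for k, _, v in opts if k.strip() == "sid"), "?")
        # Options like 'nocase' have no colon and are not flagged.
        findings += [(line_no, sid, k.strip()) for k, sep, v in opts if sep and not v.strip()]
    return findings


if __name__ == "__main__":
    for line_no, sid, keyword in find_empty_options(SAMPLE_CONF):
        print(f"line {line_no}: sid {sid}: '{keyword}:' has no arguments")
```

Run against the generated file before a reload, a non-empty result identifies which sid to repair or disable.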