Re: ERROR: ERROR /etc/snort/rules/snort.eth0.conf (97): Bad arguments to byte_test:

[Rodrigo Goya <lucent () securenet com mx>]

I bet it's the same problem, rule with SID=1882. Do a "Review" of the
rules before you push/reload, search for "1882".

Dirty Fix: Go into SnortCenter's database and find sid 1882's properties,
can't remember exactly in what table, I think it's "rule_options". You'll
find a "byte_test:" with no arguments, delete that reference in the table,
should work from there.

Why that happens? I haven't looked into it, but as Erek points out, it
must be SnortCenter messing up.

Cheers,
Rodrigo

On Sat, Jul 05, 2003 at 12:54:31PM -0400, Andre Cameron wrote:
> Hello,
>
> I need a little help.  I have Snort 2.0 and SnortCenter 1.0 w/ snort 
> agent. I setup using the enterprise install guide on the snortcenter 
> website.  Problem is after importing the rules from the net and pushing 
> them to the agent when I reload I get:
>
> ERROR: ERROR /etc/snort/rules/snort.eth0.conf (97): Bad arguments to 
> byte_test:
>
> The full message reads:
>
> 33#########33
> Reload: Current config file error:
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
>
> --== Initializing Snort ==--
> Rule application order changed to Pass->Alert->Log
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Parsing Rules file /etc/snort/rules/snort.eth0.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Initializing Preprocessors!
> Initializing Plug-ins!
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snort
> database: password is set
> database: database name = snort_log
> database: host = xxx.xxx.xxx.xxx
> database: port = 3306
> database: sensor name = AUTO
> database: data encoding = ascii
> database: detail level = full
> database: sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> ERROR: ERROR /etc/snort/rules/snort.eth0.conf (97): Bad arguments to 
> byte_test:
> Fatal Error, Quitting..
> 33#########33
>
> Anyone know how to fix this?
>
> Also I have a question, does anyone know of a good firewall for *Nix & 
> windows that can use a central database across multiple servers?  Maybie 
> even one that plugs in with Snort for auto blocking?
>
> Thanks in advance.
>
> Andre
>
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Cheers,
Rodrigo
--------------------------------------------------------------
"What is the most effective Windows NT remote management tool?
A car."
        - Network Intrusion Detection, An Analyst's Handbook
          2nd Edition, 2000
          Stephen Northcutt et al, page 147



-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users