Snort mailing list archives
Re: Snort 2.9.0 DCE RPC error [SOLVED] and more
From: "James Lay" <jlay () slave-tothe-box net>
Date: Tue, 5 Oct 2010 09:40:46 -0600
Yea that fixed the web-client.rules issue. For a taste of the fun, here's a breakdown of this upgrade:

wget, extract, configure, compile, install daq
wget, extract, configure, compile, install libdnet
wget, extract, configure, compile, install libpcap (this is on me..12.1 slackware ;))
wget, extract, configure, compile, install snort
modify snort.conf to match the old snort.conf (pretty easy this go round)
run /usr/local/bin/create-sidmap.pl to create new sid-map file
run snort -T -c /usr/local/etc/snort/snort.conf for testing
remove old libs from /usr/local/lib/snort_dynamic*
run snort -T -c /usr/local/etc/snort/snort.conf for testing
comment out lines 5347, 539 in web-client.rules
run snort -T -c /usr/local/etc/snort/snort.conf for testing (success)
wget, extract, copy over newly posted (at least for me) new snortrules
run /usr/local/bin/create-sidmap.pl to create new sid-map file
run snort -T -c /usr/local/etc/snort/snort.conf for testing (success)
run /etc/rc.d/rc.snort and monitor cpu/mem usage

Those of you who get a nifty package should count your blessings :P Running smooth here thank you.

James
The 2.9 rules are available for registered users already. See http://www.snort.org/snort-rules/?#rules

Great URI I know, did I mention we don't run the infrastructure recently?

On Tue, 5 Oct 2010 08:41:38 -0600, James Lay wrote:

Hey All,

Did an upgrade from 2.8.6.1 to 2.9.0 from source on Slackware 12.1. Below is the error I saw:

ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

After checking /usr/local/lib/snort_dynamicpreprocessor, lo and behold, old libs. Nuked those out, but then I got:

ERROR: /usr/local/etc/snort/rules/web-client.rules(357) byte_test option has bad comparison value: 186a0.
ERROR: /usr/local/etc/snort/rules/web-client.rules(359) byte_test option has bad comparison value: 186a0.

Which leads me to a question and feature request. Can snort include something in the future to detect old libs? I've seen ntop do this, so I think it's possible.

And in regards to the rules, what do shmoes like me do when we upgrade, but aren't using VRT rules? I'm now running 2.9.0 on 2.8.6.1 rules, and as seen above, that's not always a pretty scene as I've had to comment out the above rules. However, as I understand it, I won't have access to 2.9.0 rules for another month, yes? What's the best course of action? Wait a month to upgrade when the new rulesets mesh with the new version of snort? Or plod ahead in hopes that old version rules work with new version snort? Is there no way to do a new snort release coupled with, if not a complete initial new ruleset, at least certain sets (web-clients.rules) that fix surprises like the above?

Danke, thanks, and all that stuff.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nigel Houghton
Head Mentalist SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
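The "detect old libs" check James asks for above, written as a pre-flight script for a from-source upgrade. This is an added example, not code from the thread or from the Snort project; the /usr/local paths and the snort_dynamic* directory names are assumptions taken from the thread and Snort's default snort.conf layout, and can be overridden through the environment.

```shell
#!/bin/sh
# Pre-flight check for a from-source Snort upgrade. Added example, not code
# from the thread or the Snort project. After "make install" of a new Snort,
# every library under the snort_dynamic* directories should be at least as new
# as the snort binary; a leftover .so from the previous build is what produces
# "Failed to initialize dynamic preprocessor ... (-1)" at startup.
# Paths are assumptions matching the /usr/local prefix used in the thread;
# override with SNORT_BIN, SNORT_LIBDIR and SNORT_CONF.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_LIBDIR="${SNORT_LIBDIR:-/usr/local/lib}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"

# Print every shared object under <libdir> whose mtime is not newer than
# <reference_file> (the freshly installed snort binary), one per line.
# Returns 2 if either path is missing.
find_stale_libs() {
    libdir="$1"; ref="$2"
    [ -f "$ref" ] || { echo "reference file $ref not found" >&2; return 2; }
    [ -d "$libdir" ] || { echo "directory $libdir not found" >&2; return 2; }
    find "$libdir" -type f -name '*.so*' ! -newer "$ref" | sort
}

# Returns 0 when <libdir> holds no stale libraries, 1 when it does (listing
# them on stderr), 2 on a missing path.
check_dynamic_libs() {
    stale=$(find_stale_libs "$1" "$2") || return 2
    if [ -z "$stale" ]; then
        return 0
    fi
    printf 'Stale libraries in %s (older than %s):\n%s\n' "$1" "$2" "$stale" >&2
    return 1
}

# Check each directory Snort loads dynamic modules from, then run the same
# configuration test the thread uses (snort -T). Stops before snort -T when
# stale libraries are found, so the test does not fail for an already known
# reason.
preflight() {
    bad=0
    for d in "$SNORT_LIBDIR/snort_dynamicpreprocessor" \
             "$SNORT_LIBDIR/snort_dynamicengine" \
             "$SNORT_LIBDIR/snort_dynamicrules"; do
        [ -d "$d" ] || continue
        check_dynamic_libs "$d" "$SNORT_BIN" || bad=1
    done
    [ "$bad" -eq 0 ] || { echo "remove the stale libraries and re-run" >&2; return 1; }
    "$SNORT_BIN" -T -c "$SNORT_CONF"
}
```

Source the file and call `preflight` right after `make install` of the new Snort; anything it lists is a candidate for the "remove old libs from /usr/local/lib/snort_dynamic*" step.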