Snort mailing list archives

Re: Invalid rules


From: Mike_Sands () elementk com
Date: Mon, 4 Mar 2002 11:28:31 -0500


I think that you may be experiencing a similar issue that I am having. I
have manually imported the new ruleset and attempted to restart
snort/demarc. I get an error stating
ERROR ./snorteth1.conf.tst(1629) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1630) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1631) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1632) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1633) => Bad Priority setting "attempted-user"
ERROR ./snorteth1.conf.tst(1634) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1635) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1636) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1637) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1638) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1639) => Bad Priority setting "attempted-user"
ERROR ./snorteth1.conf.tst(1640) => Bad Priority setting "attempted-user"
ERROR ./snorteth1.conf.tst(1641) => Bad Priority setting "misc-activity"
ERROR ./snorteth1.conf.tst(1642) => Bad Priority setting "attempted-dos"
ERROR ./snorteth1.conf.tst(1643) => Bad Priority setting "attempted-user"
ERROR ./snorteth1.conf.tst(1644) => Bad Priority setting "attempted-user"
ERROR ./snorteth1.conf.tst(1645) => Bad Priority setting "attempted-dos"
ERROR ./snorteth1.conf.tst(1646) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1647) => Bad Priority setting "attempted-admin"
ERROR ./snorteth1.conf.tst(1648) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1649) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1650) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1651) => Bad Priority setting "attempted-admin"
ERROR ./snorteth1.conf.tst(1652) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1653) => Bad Priority setting "attempted-admin"
ERROR ./snorteth1.conf.tst(1654) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1655) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1656) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1657) => Bad Priority setting "web-application-attack"
ERROR ./snorteth1.conf.tst(1658) => Bad Priority setting "web-application-activity"
ERROR ./snorteth1.conf.tst(1660) => Bad Priority setting "web-application-attack"
ERROR ./snorteth1.conf.tst(1661) => Bad Priority setting "web-application-attack"
ERROR ./snorteth1.conf.tst(1662) => Bad Priority setting "web-application-attack"
ERROR ./snorteth1.conf.tst(1673) => Bad Priority setting "bad-unknown"
ERROR ./snorteth1.conf.tst(1674) => Bad Priority setting "unknown"
ERROR ./snorteth1.conf.tst(1675) => Bad Priority setting "unknown"

The syntax of the rules looks fine and the classification.config file is
there, but snort just won't take the new ruleset.

Mike Sands
Security / Network Engineer
Office: (585) 214-1936
Fax: (585) 295-7162
Cell: 716-303-3245
Element K
'the knowledge catalyst'
www.elementk.com


"Fontenot, Paul" <Paul.Fontenot@bannerhealth.com>
Sent by: snort-users-admin@lists.sourceforge.net
02/27/2002 04:42 PM

To: "Snort (E-mail)" <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] Invalid rules




I am evaluating Demarc and have set it to auto_update. This snort sensor
was started up about 20 minutes ago with the auto_update set to 5 minutes. I
have gotten this below since I started running demarc. Has anyone seen this
problem?

-Paul

Updating local rules
Fetching current snort.conf
Adding 1-classifications to current_ruleset
Adding ATTACK RESPONSES to current_ruleset
Adding BACKDOOR RULES to current_ruleset
Adding BAD TRAFFIC RULES to current_ruleset
Adding DDOS RULES to current_ruleset
Adding DNS RULES to current_ruleset
Adding DOS RULES to current_ruleset
Adding EXPERIMENTAL RULES to current_ruleset
Adding EXPLOIT RULES to current_ruleset
Adding FINGER RULES to current_ruleset
Adding FTP RULES to current_ruleset
Adding ICMP RULES to current_ruleset
Adding INFO RULES to current_ruleset
Adding LOCAL RULES to current_ruleset
Adding MISC RULES to current_ruleset
Adding NETBIOS RULES to current_ruleset
Adding POLICY RULES to current_ruleset
Adding PORN RULES to current_ruleset
Adding RPC RULES to current_ruleset
Adding RSERVICES RULES to current_ruleset
Adding SCAN RULES to current_ruleset
Adding SHELLCODE RULES to current_ruleset
Adding SMTP RULES to current_ruleset
Adding SQL RULES to current_ruleset
Adding TELNET RULES to current_ruleset
Adding TFTP RULES to current_ruleset
Adding VIRUS RULES to current_ruleset
Adding WEB ATTACKS to current_ruleset
Adding WEB-CGI RULES to current_ruleset
Adding WEB-COLDFUSION RULES to current_ruleset
Adding WEB-FRONTPAGE RULES to current_ruleset
Adding WEB-IIS RULES to current_ruleset
Adding WEB-MISC RULES to current_ruleset
Adding X11 RULES to current_ruleset
Appears to be an invalid ruleset / snort.conf
RULES INVALID... NOT UPDATING CURRENT RUNNING CONFIG/RULESET!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




