Snort mailing list archives
Windows Snort & Rules
From: Dean Thompson <Dean.Thompson () csse monash edu au>
Date: Tue, 19 Mar 2002 14:58:28 +1100
Hi!

This is probably going to be an easy question to answer, but it has me stumped at the moment.

I recently upgraded from RC2 to the release of DeMarc and decided to test out the DeMarc Windows client on a Win2K box. All has gone well, the server is up and running and the Snort program has been started as a service on the Win2K server. Communications between the Windows client and the MySQL server are going fine.

My problem comes when I take a look at Snort initialising itself on the Win2K box. It reports that it has read in 0 rules. As a consequence of having "zero" rules, the Snort client on the Win2K machine picks up only basic IDS incidents and doesn't apply the vast other rules that are out there in the Snort world.

In an effort to try and get some rules into the system, I took the rules from the snort-current package and placed them into a directory which Snort could load when it starts. Snort was able to find the rules, but is unable to process them correctly. Every time it tries to access the rules, for instance the first line in the DNS rule set:

    alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:3;)

it will complain that the port is not defined.

Now, I am not sure whether this is a case that the "any" variable is being mapped to a range of ports or whether there is something else going on here. Has anyone had a similar problem or been able to get the "snort-rules" to work with Snort under Windows?

See ya

Dean Thompson

--
Dean Thompson              | E-mail - Dean.Thompson () csse monash edu au
Bach. Computing (Hons)     | ICQ    - 45191180
PhD Student                | Office - <Off-Campus>
School Comp.Sci & Soft.Eng | Phone  - +61 3 9903 2787 (Gen. Office)
MONASH (Caulfield Campus)  | Fax    - +61 3 9903 1077
Melbourne, Australia       |

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
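The rule header in the post names four network fields (source address, source port, destination address, destination port), two of which are config variables ($EXTERNAL_NET, $HOME_NET) and one of which is the literal port 53. A quick way to find out, before starting the sensor, which of those fields Snort would reject is to lint the rule headers against the `var` lines of the config you are loading. The linter below is an added example written for this page, not part of the original post or of Snort or DeMarc; it assumes the Snort 1.x `var NAME value` syntax and rule header layout, and the sample config and the second (web) rule are constructed for the illustration.

```python
"""Lint Snort-style rule headers against the variables a config defines.

Added illustration, not code from the original post, Snort or DeMarc.
Assumes Snort 1.x conventions: `var NAME value` lines in the config and
rule headers of the form `action proto src sport dir dst dport (options)`.
"""
import re

# Constructed sample config: HOME_NET and EXTERNAL_NET defined, HTTP_PORTS not.
SAMPLE_CONFIG = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
"""

# The DNS rule quoted in the post, plus one constructed rule that refers to
# a variable the sample config never defines.
SAMPLE_RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|0980 0000 0001 0000 0000|"; offset:2; depth:16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed web rule"; sid:1000001; rev:1;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
# Port literals Snort accepts: any, a single port, or a low:high range,
# each optionally negated with a leading '!'.
PORT_LITERAL_RE = re.compile(r'^!?(any|\d+|\d*:\d*)$')


def parse_config_vars(config_text):
    """Collect `var NAME value` definitions into a dict (NAME -> value)."""
    defined = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == 'var':
            defined[parts[1]] = parts[2]
    return defined


def parse_rule_header(line):
    """Split one rule into its header fields and option string, or None."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def header_problems(header, defined):
    """Return [(field, reason)] for header fields Snort would reject.

    Every address/port field may be a $VARIABLE, which must be defined;
    a port field that is not a variable must be a valid port literal.
    """
    problems = []
    for field in ('src', 'sport', 'dst', 'dport'):
        value = header[field]
        if value.startswith('$'):
            name = value[1:]
            if name not in defined:
                problems.append((field, f'variable {name} not defined'))
        elif field in ('sport', 'dport') and not PORT_LITERAL_RE.match(value):
            problems.append((field, f'{value} is not a port or range'))
    return problems


def lint_rules(rules_text, config_text):
    """Return {sid: [(field, reason), ...]} for every rule with a bad header.

    Rules whose header cannot be parsed at all are reported under the key
    'unparsed' with the first 40 characters of the offending line.
    """
    defined = parse_config_vars(config_text)
    findings = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        header = parse_rule_header(line)
        if header is None:
            findings.setdefault('unparsed', []).append(('header', line[:40]))
            continue
        sid_m = SID_RE.search(header['options'])
        sid = int(sid_m.group(1)) if sid_m else None
        problems = header_problems(header, defined)
        if problems:
            findings[sid] = problems
    return findings


if __name__ == '__main__':
    # With the sample config only the constructed rule is flagged; run the
    # same rules against an empty config and both rules are flagged.
    for sid, probs in lint_rules(SAMPLE_RULES, SAMPLE_CONFIG).items():
        print(sid, probs)
```

Running the linter with an empty config reports the quoted DNS rule (sid 252) as having undefined $EXTERNAL_NET and $HOME_NET, while `any` and `53` pass as port literals; that is the kind of report that distinguishes a missing `var` definition from a genuinely malformed port field.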
Current thread:
- Windows Snort & Rules Dean Thompson (Mar 18)
- Re: Windows Snort & Rules Dean Thompson (Mar 18)