RE: Snort rules touble.

[Jason Gauthier <jgauthier () lastar com>]

I understand now.

The rules supplied separately have variables supplied for the ports.
The rules supplied with the distribution have them staticly entered.

Thanks a lot!



> -----Original Message-----
> From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
> Sent: Friday, June 21, 2002 2:36 PM
> To: 'Jason Gauthier'; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Snort rules touble.
>
>
> Just like Matt Kettler said,  and pretty sure he is right.  You need to
> stick with the rules that come with the 1.86 build and NOT use the
> snortrules.tar.gz
>
> -----Original Message-----
> From: Jason Gauthier [mailto:jgauthier () lastar com]
> Sent: Friday, June 21, 2002 12:01 PM
> To: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Snort rules touble.
>
>
> Since my original mailing I recieved several other email asking what I
> downloaded, what I was using, I'm mixing version, etc.
>
> Let me clarify:
> Orignally I downloaded and installed snort-1.8.6, and it's rules.
> Compiled, and installed.
>
> Snort didn't with with the following command:
> /opt/snort/bin/snort -dev -l /opt/snort/logs/ -c 
> /opt/snort/etc/snort.conf
>
> So, i deleted it, and tried current.
> This is where I ran into the problem I posted.
>
> Taking your advices to heart, as I am relatively new to the 
> product, I began
> again.
>
> The following is what I have just done with snort-1.8.6:
> rm -r /opt/snort
> configured, compiled, installed snort into /opt/snort.
> made the following directories:
> /opt/snort/etc
> /opt/snort/logs
> /opt/snort/rules
>
> move all rules from snortrules.tar.gz to /opt/gnome/rules.
> copied snort.conf and classifications.conf to /opt/gnome/etc
> Edited snort.conf
> Canged my HOME_NET and RULE_PATH, along with uncommenting the 
> commented out
> rules.
>
> Ran the following command:
> /opt/snort/bin/snort -dev -l /opt/snort/logs/ -c 
> /opt/snort/etc/snort.conf
>
> Receive the following error:
> [!] ERROR /opt/snort/rules/web-cgi.rules(8) => Bad port number:
> "(msg:"WEB-CGI"
>
> Which happens to be the same error I ran into the first time I 
> ran snort.
>
> I commented out line #8, which is the first line of the rule.
> Then I get the same error with line #9. (As I was suspecting)
>
> So, i tied to remove web-cgi.
> The next rule in the list web-coldfusion spits out an error.
> I remove coldfusion...
> The next rule in the list web-iis spits out an error.
>
> At this point, I'm back here.
>
> Any ideas?
> Again: snort 1.8.6, with snortrules.tar.gz
> Straight from the snort website.
>
> (The rules dates today)
>
>
>
>
> > -----Original Message-----
> > From: Matt Kettler [mailto:mkettler () evi-inc com]
> > Sent: Friday, June 21, 2002 1:11 PM
> > To: Jason Gauthier; snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Snort rules touble.
> >
> >
> > It would sound like you are trying to use rules which are for 
> > snort-current 
> > (aka: development version) on a snort which is snort 1.8.6.
> >
> > Either that or you are using a "rule management" tool (I 
> > forget the name.. 
> > hogwash was it?) that has a default behavior of uncommenting 
> > all the rules 
> > before it runs. There's a command line switch to stop that.
> >
> > Any rule with the word "flow" in it is not intended for snort 
> 1.8.6 or 
> > earlier, but 1.8.6's ruleset has a few with that keyword in 
> > it, which are 
> > commented out in the files. Try re-extracting your rules files 
> > from the 
> > snort 1.8.6 source tarball and not running them through any tools.
> >
> >
> > At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
> > > Greetings-
> > >
> > > I just installed snort, so I'm a completely new user. I've 
> > been reading many
> > > documents about set up, configs, etc.  I realize snort is a 
> > complicated
> > > piece of software.
> > >
> > >
> > > Anyway, I compiled and installed snort without issue.  I 
> extracted the
> > > rules, read the documentation on how to start it.  I edit a 
> > snort.conf, and
> > > was ready to go.
> > >
> > > I executed:
> > >
> > > /opt/snort/bin/snort -dev -l /opt/snort/logs -c 
> > /opt/snort/etc/snort.conf
> > > Starts up and the errors out:
> > > ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol 
> > name ">134"
> > > Eh, Not too bad. So i read some more, and then edit the rule.
> > > I decide to comment it out, so I can fix it later, for now, I 
> > would like to
> > > get snort running.
> > >
> > > Immediately follows:
> > > ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword 
> > "flow" in rule!
> > > So, i check out this rule file and notice they all have 
> > "flow" in them.
> > > I now decide something is completely wrong :)
> > >
> > > This is "current", as I had the same problems with the rules 
> > with 1.8.6.
> > > Appreciate any insight.
>
>
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users