Snort mailing list archives
Re: new ruleset gives a fatal error
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Aug 2002 17:03:37 -0400
Diff your snort.conf against the one that was included with the rules tarball you downloaded.
There's probably a new var SHELLCODE_PORTS or var HTTP_PORTS, etc that you are missing that's used in exploit.rules line number 22.
You can't use an old snort.conf with new rule files without giving the new snort.conf that comes in the tarball a quick check-over. The two are inherently inter-related, which is why the rules tarball comes with a new .conf file.
At 01:30 PM 8/19/2002 -0700, twig les wrote:
Hey all, I just dl'd the current ruleset today (Monday
8/19/02) and now Snort won't start. Running my config
with -T gives me:
[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..
I will paste the entire output at the end, but that's
the ticket right there. I've been looking thru
exploit.rules and tried commenting out a few rules
that looked suspicious, but no luck. Does anyone know
which rule this is? Note that I have Snort 1.8.6 and
this config has been running fine for months with
these exact startup options. This includes weekly
rules updates.
===================================================
snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
Log directory = /var/log/snort
Initializing Network Interface ti0
--== Initializing Snort ==--
Decoding Ethernet on interface ti0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..
===================================================
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
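Added example, not part of the original thread: a Python check for the situation the reply describes, listing every $VAR referenced in a rule header that the snort.conf in use never declares. It assumes the `var NAME value` declaration syntax; the sample config and rules are constructed, and the function names are this example's own.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+\S")   # 'var NAME value' in snort.conf
VAR_REF = re.compile(r"\$(\w+)")                 # '$NAME' used in a rule header
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# Constructed sample inputs (not taken from any real rules tarball).
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
include exploit.rules
"""
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample web rule"; content:"$x"; sid:1000001;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"sample shellcode rule"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample ftp rule"; sid:1000003;)
"""

def defined_vars(conf_text):
    """Return the set of names declared with 'var' in a snort.conf."""
    names = set()
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            names.add(m.group(1))
    return names

def undefined_refs(rules_text, defined):
    """Return (line_number, name) for each header variable missing from `defined`."""
    missing = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(RULE_ACTIONS):
            continue  # comments, blanks, continuation lines
        # Only the header (before the options) holds address/port variables;
        # option strings such as content:"$x" may contain a literal '$'.
        header = stripped.split("(", 1)[0]
        for name in VAR_REF.findall(header):
            if name not in defined:
                missing.append((lineno, name))
    return missing

if __name__ == "__main__":
    for lineno, name in undefined_refs(SAMPLE_RULES, defined_vars(SAMPLE_CONF)):
        print(f"rules line {lineno}: ${name} is not defined in snort.conf")
```

Run it against the real snort.conf and each updated .rules file before restarting the sensor; snort -T remains the authoritative check.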
