Snort mailing list archives

Re: Problem using SnortCenter with Snort


From: Mike Wohlgemuth <mjw () woogie net>
Date: Mon, 30 Jun 2003 10:17:10 -0400

edward.hawkins () acuitysp com wrote:

> I am trying to push out changes to my sensor. When I do a reload I get an
> error message " ERROR: ERROR /etc/snort/snort.eth0.conf (95): Bad arguments
> to byte_test:"

I'm seeing this as well. I've been meaning to put together a post about it, but I hadn't had time yet. Since you've asked, here goes:

The problem is with sid 1882. If you want, you can just disable that rule and push the changes again. Here is the rule (cut and pasted from snortcenter):

( sid: 1882; rev: 9; msg: "ATTACK-RESPONSES id check returned userid"; content: "uid="; byte_test: 5,<,65537,0,relative,string; content: " gid="; distance: 0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string; classtype: bad-unknown;)

Notice the "byte_test: ; byte_test". This is the problem. I don't see a way to edit the byte_test field from snortcenter, but I was able to use mysql to fix the rule using the following sql:

update content set byte_test='5,<,65537,0,relative,string' where sid=1882 and distance=0;

Unfortunately, every time you update the rules, you need to fix the rule again.

Mike
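
An added example, not part of the post above or of SnortCenter: a small lint pass that could be run over a generated Snort config before a reload, flagging any option written with a colon but no argument (the "byte_test: ;" case) and any byte_test with fewer than its four required fields. The function names and the sample config are constructed for illustration; the rule text is retyped from the post.

```python
def split_options(rule):
    """Return (name, has_colon, value) for each option inside the outer parentheses,
    treating ';' inside double quotes or after a backslash as literal text."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    chunks, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            chunks.append("".join(current))
            current = []
            continue
        current.append(ch)
    chunks.append("".join(current))
    options = []
    for chunk in chunks:
        name, colon, value = chunk.partition(":")
        if name.strip():
            options.append((name.strip(), bool(colon), value.strip()))
    return options

def lint_rule(rule):
    """Return (option_position, option_name, problem) for each suspect option."""
    problems = []
    for pos, (name, has_colon, value) in enumerate(split_options(rule), 1):
        if has_colon and not value:
            problems.append((pos, name, "empty argument"))
        elif name == "byte_test" and len([f for f in value.split(",") if f.strip()]) < 4:
            problems.append((pos, name, "fewer than 4 fields"))
    return problems

def lint_config(text):
    """Lint every rule line; returns (line_number, position, option, problem)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and "(" in s and ")" in s:
            findings += [(line_no,) + p for p in lint_rule(s)]
    return findings

# Option block of sid 1882 as SnortCenter emitted it (retyped from the post).
BROKEN_RULE = '( sid: 1882; rev: 9; msg: "ATTACK-RESPONSES id check returned userid"; content: "uid="; byte_test: 5,<,65537,0,relative,string; content: " gid="; distance: 0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string; classtype: bad-unknown;)'
# Same rule without the empty option (constructed for comparison).
FIXED_RULE = BROKEN_RULE.replace("byte_test: ; ", "", 1)

if __name__ == "__main__":
    print(lint_config("# constructed sample config\n" + BROKEN_RULE + "\n" + FIXED_RULE + "\n"))
```
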



