Snort mailing list archives

Snort errors on startup -- rules related?


From: Ben Beeson <bwbees0 () charter net>
Date: 25 Jan 2004 20:12:59 -0800

Aloha,

I upgraded my snort today after reading the very fine book Snort 2.0
Intrusion Detection.  Currently, I am running:

-*> Snort! <*-
Version 2.1.0 (Build 9)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

on a Red Hat 7.2 box.  This install has the current rules from
snortrules-current.tar.gz dated Jan 25 01:15:12 2004 GMT obtained from
the downloads pages.  Please note that I am not a rules expert, so much
of this is a foreign language to me.  However, I thought this might be a
good learning opportunity for me so, I am looking for help. 

Anyway, after I got it all installed and tried to start it up, I get the
following two errors that I'd like to see if I can fix. (Disabling the
rules for rpc and web_misc allows snort to run, albeit without those
capabilities enabled.)  

Here is the first error message in /var/log/messages 

Jan 24 17:08:40 router snort: FATAL ERROR:
/etc/snort/rules/rpc.rules:19: Unknown Flow Option: 'to_sever' 

Now when I open up the rules for RPC.rules, the rule #19 looks just like
the surrounding rules in that it has the same format as the others.  So
why does this error out with Unknown Flow Option: 'to_server' ?  Should
the 'flow:to_server, established ' part of that rule be removed?



Here is the second error message:

Jan 24 17:09:19 router snort: FATAL ERROR:
/etc/snort/rules/web-misc.rules(10) => Sorry, regex isn't supported at
this time. This isn't new.

Here is the rule number 10:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/";
regex; flow:to_server,established; classtype:web-application-attack;
reference:bugtraq,2936; sid:1250;  rev:6;)

I also noted that rule number 58 uses 'regex'

Thanks in advance for your help,


Ben 
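One way to catch both of these parse failures before starting Snort, as an added example that is not from the original post or from the Snort project: a small Python linter that checks each rule's flow values against the Snort 2.x flow keyword list and flags the 'regex' option. The rpc sample rules are constructed (local sids); the web-misc rule is the one quoted above.

```python
import re

# Values accepted by the Snort 2.x "flow" rule option.
KNOWN_FLOW_VALUES = {
    "to_server", "to_client", "from_server", "from_client",
    "established", "stateless", "no_stream", "only_stream",
}

# Rule options Snort 2.1 rejects at parse time ("regex isn't supported").
UNSUPPORTED_OPTIONS = {"regex"}

# Option section = everything between the first "(" and the last ")".
OPTION_RE = re.compile(r"\((.*)\)\s*$")


def lint_rule(rule):
    """Return a list of problem strings for one rule line ([] means OK)."""
    problems = []
    m = OPTION_RE.search(rule)
    if not m:
        return problems  # no option section, nothing to check
    # Options are ';'-separated; a literal ';' inside content is escaped.
    for opt in re.split(r"(?<!\\);", m.group(1)):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name = name.strip()
        if name in UNSUPPORTED_OPTIONS:
            problems.append(f"unsupported option '{name}'")
        elif name == "flow":
            for v in value.split(","):
                v = v.strip()
                if v not in KNOWN_FLOW_VALUES:
                    problems.append(f"unknown flow option '{v}'")
    return problems


def lint_rules_file(text):
    """Lint every non-comment line; return {line_number: problems} (1-based)."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            probs = lint_rule(line)
            if probs:
                findings[lineno] = probs
    return findings


# Constructed sample file: a good rpc rule, the 'to_sever' typo, the regex rule.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC ok (constructed)"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC typo (constructed)"; flow:to_sever,established; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)
"""

if __name__ == "__main__":
    for lineno, probs in sorted(lint_rules_file(SAMPLE_RULES).items()):
        print(f"line {lineno}: " + "; ".join(probs))
```

Run it over /etc/snort/rules/*.rules to get the same two findings Snort reports, without restarting the daemon for each fix.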



