Re: Snort errors on startup -- rules related?

["Josh Berry" <josh.berry () netschematics com>]

It is giving an error because someone had a typo on the rule, it should be
to_server not to_sever.

The other just looks like a future rule option that does not work for
Snort yet but somehow made it into a couple of the rules (or is this used
with the pcre patch?).

> Aloha,
>
> I upgraded my snort today after reading the very fine book Snort 2.0
> Intrusion Detection.  Currently, I am running:
>
> -*> Snort! <*-
> Version 2.1.0 (Build 9)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> on a Red Hat 7.2 box.  This install has the current rules from
> snortrules-current.tar.gz dated Jan 25 01:15:12 2004 GMT obtained from
> the downloads pages.  Please note that I am not a rules expert, so much
> of this is a foreign language to me.  However, I thought this might be a
> good learning opportunity for me so, I am looking for help.
>
> Anyay, after I got it all installed and tried to start it up, I get the
> following two errors that I'd like to see if I can fix. (Disabling the
> rules for rpc and web_misc allows snort to run, albeit without those
> capabilities enabled.)
>
> Here is the first error message in /var/log/messages
>
> Jan 24 17:08:40 router snort: FATAL ERROR:
> /etc/snort/rules/rpc.rules:19: Unknown Flow Option: 'to_sever'
>
> Now when I open up the rules for RPC.rules, the rule #19 looks just like
> the surrounding rules in that it has the same format as the others.  So
> why does this error out with Unknown Flow Option: 'to_server' ?  Should
> tfe 'flow:to_server, established ' part of that rule be removed?
>
>
>
> Here is the second error message:
>
> Jan 24 17:09:19 router snort: FATAL ERROR:
> /etc/snort/rules/web-misc.rules(10) => Sorry, regex isn't supported at
> this time. This isn't new.
>
> Here is the rule number 10:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/";
> regex; flow:to_server,established; classtype:web-application-attack;
> reference:bugtraq,2936; sid:1250;  rev:6;)
>
> I also noted that rule number 58 uses 'regex'
>
> Thanks in advance for your help,
>
>
> Ben
>
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users