Snort mailing list archives
Help w/ Bleeding Snort Rules on XP
From: "James Bruce" <jbruce () unitedscience com>
Date: Thu, 9 Jun 2005 13:39:57 -0500
First off I'm new to snort, so sorry if my questions seem lame and newbish ;) I have snort running on an XP pc with one interface with MSSQL 8. I also have BASE using IIS and IDSCenter for email and audible alarms. Everything is working fine except when I try to use a few Bleeding snort rules. I get some errors when trying to run snort from the cmd prompt. I normally use the IDSCenter to start snort but I test the rules through the cmd prompt. Here is the output I get when I run snort from the cmd prompt.

D:\win-ids\Snort\bin>D:\win-ids\Snort\bin\snort.exe -i3 -c "D:\win-ids\Snort\etc\snort.conf" -l "D:\snortlogs"
Running in IDS mode

Initializing Network Interface \Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\win-ids\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout : 60
   Alert Odd?: 1
   Allowed IP Protocols: All
Portscan2 config:
    log: D:\snortlogs/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
alert_syslog output processor is defaulting to syslog server on 127.0.0.1 port 514!
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database: host = 127.0.0.1
database: port = 1433
database: database name = snort
database: user = snort
database: password is set
database: sensor name = cube99
database: SQL Server message 5701, state 2, severity 0: Changed database context to 'snort'. Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0: Changed database context to 'snort'. Server 'CUBE99', Line 1
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database: host = 127.0.0.1
database: port = 1433
database: database name = snort
database: user = snort
database: password is set
database: sensor name = cube99
database: SQL Server message 5701, state 2, severity 0: Changed database context to 'snort'. Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0: Changed database context to 'snort'. Server 'CUBE99', Line 1
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: D:\win-ids\Snort\rules/bleeding-virus.rules(129) => getservbyname() failed on "any"
Fatal Error, Quitting..

This also happens on other rules, plus I just saw the SQL error. Will have to look that up.

ERROR: Undefined variable name: (D:\win-ids\Snort\rules/bleeding-malware.rules:1):
Fatal Error, Quitting..

Guess I should mention how I get the rules. This might be the wrong way to do this also. All I do is copy them off the web site into notepad and save them as whatever.rules in the rules folder, then edit the snort.conf to see them.

These rules work fine:
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-inappropriate.rules

These rules don't:
#include $RULE_PATH/bleeding-custom.rules
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/bleeding-virus.rules

Does anyone know how to fix this? Any help in the right direction would be appreciated. Sorry for such a long email.

Thanks,
-Jimmy
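The post describes pasting rule files from a web page into Notepad and then hitting a parse error at a specific line of bleeding-virus.rules and an undefined-variable error at line 1 of bleeding-malware.rules. A pre-flight check that a practitioner can run over a copied rule file before pointing snort.conf at it is shown below. This is an added example, not code from the post or from Snort; it does not reproduce Snort's parser, it only flags two defects that commonly result from copying rules through an editor: a rule broken across lines (a line that does not start with a rule action, or a header that is cut off before its options), and a `$VARIABLE` that the snort.conf never defines with `var` (or `ipvar`/`portvar` in later 2.x releases). The snort.conf fragment and the rule lines embedded in the block are constructed for the example; the sids and messages are placeholders.

```python
"""Pre-flight checks for a Snort rule file pasted from a web page.

Added example (not part of the original mailing-list post and not Snort's
own parser). It flags two copy-paste defects: rules wrapped across lines,
and $VARIABLE references that the snort.conf never defines.
"""
import re

# Rule actions accepted at the start of a Snort 2.x rule header.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# `var` is the Snort 2.x definition keyword; ipvar/portvar exist in later 2.x releases.
VAR_DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)")
VAR_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# action proto src sport -> dst dport (
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

# Constructed snort.conf fragment (not the poster's file).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH D:\\win-ids\\Snort\\rules
"""

# Constructed rule file: line 3 is intact, lines 4-5 are one rule wrapped
# across two lines, line 6 references a variable the conf does not define.
SAMPLE_RULES = """\
# constructed example rules (placeholder sids)
# nothing on this line is a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE intact rule"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET
any (msg:"EXAMPLE wrapped rule"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE undefined var"; sid:9000003; rev:1;)
"""


def parse_conf_vars(conf_text):
    """Return the set of variable names defined in a snort.conf."""
    names = set()
    for line in conf_text.splitlines():
        m = VAR_DEF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def lint_rules(rules_text, defined_vars):
    """Return a list of (line_number, message) for each defect found."""
    problems = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if first not in ACTIONS:
            # The tail of a wrapped rule lands here: its first token is not an action.
            problems.append((lineno, f"line does not start with a rule action ({first!r}); probably a wrapped line"))
            continue
        if not line.endswith(")"):
            problems.append((lineno, "rule does not end with ')'; options probably continue on the next line"))
        if not HEADER_RE.match(line):
            problems.append((lineno, "header does not have the form 'action proto src sport -> dst dport ('"))
        # Report each undefined variable once per line, in order of appearance.
        for name in dict.fromkeys(VAR_REF_RE.findall(line)):
            if name not in defined_vars:
                problems.append((lineno, f"undefined variable ${name}"))
    return problems


if __name__ == "__main__":
    defined = parse_conf_vars(SAMPLE_CONF)
    for lineno, msg in lint_rules(SAMPLE_RULES, defined):
        print(f"line {lineno}: {msg}")
```

To use it on a real file, read the rules file and the snort.conf from disk and pass their contents to `lint_rules` and `parse_conf_vars`; a clean file produces an empty list. The check deliberately stops at the header and the variable names, since the rest of a rule's option syntax is best validated by running snort itself with the file included.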
Current thread:
- Help w/ Bleeding Snort Rules on XP James Bruce (Jun 09)
- RE: Help w/ Bleeding Snort Rules on XP Michael Steele (Jun 09)
- <Possible follow-ups>
- RE: Help w/ Bleeding Snort Rules on XP James Bruce (Jun 10)