Snort mailing list archives

Help w/ Bleeding Snort Rules on XP


From: "James Bruce" <jbruce () unitedscience com>
Date: Thu, 9 Jun 2005 13:39:57 -0500

First off I'm new to snort, so sorry if my questions seem lame and
newbish ;) 
I have snort running on an XP pc with one interface with MSSQL 8. I also
have BASE using IIS and IDSCenter for email and audible alarms.
Everything is working fine except when I try to use a few Bleeding snort
rules. I get some errors when trying to run snort from the cmd prompt. I
normally use the IDSCenter to start snort but I test the rules through
the cmd prompt. Here is the output I get when I run snort from the cmd
prompt. 

D:\win-ids\Snort\bin>D:\win-ids\Snort\bin\snort.exe -i3 -c "D:\win-ids\Snort\etc\snort.conf" -l "D:\snortlogs"
Running in IDS mode

Initializing Network Interface \Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{480E21C8-4D25-4DA2-850C-BD91084F626F}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\win-ids\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE

Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All

Portscan2 config:
    log: D:\snortlogs/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
alert_syslog output processor is defaulting to syslog server on 127.0.0.1 port 514!
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database:          host = 127.0.0.1
database:          port = 1433
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = cube99
database: SQL Server message 5701, state 2, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99', Line 1
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use Mssql
database:          host = 127.0.0.1
database:          port = 1433
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = cube99
database: SQL Server message 5701, state 2, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99',
database: SQL Server message 5701, state 1, severity 0:
        Changed database context to 'snort'.
Server 'CUBE99', Line 1
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: D:\win-ids\Snort\rules/bleeding-virus.rules(129) => getservbyname() failed on "any"
Fatal Error, Quitting..

This also happens with other rules, plus I just saw the SQL error.
Will have to look that up.

ERROR: Undefined variable name: (D:\win-ids\Snort\rules/bleeding-malware.rules:1):
Fatal Error, Quitting..

Guess I should mention how I get the rules. This might be the wrong way
to do this also. All I do is copy them off the web site into notepad and
save them as whatever.rules in the rules folder, then edit the
snort.conf to see them. 

These rules work fine:
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-inappropriate.rules

These rules don't:
#include $RULE_PATH/bleeding-custom.rules
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/bleeding-virus.rules

Does anyone know how to fix this? Any help in the right direction
would be appreciated. Sorry for such a long email.
Thanks,
-Jimmy
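An added example (not from the poster or the Snort project) for checking a rules file before handing it to Snort. It assumes the two failures shown above are the kind produced by rules that got wrapped onto a second line during the copy from the web site into Notepad, and by rules that reference a $variable that snort.conf never defines; whether that is the cause in this particular case is an assumption. The snort.conf fragment and the rules below are constructed for the demonstration, and the header checks follow Snort 2.x rule syntax (action, protocol, source, source port, direction, destination, destination port, then options in parentheses).

```python
import re

# Constructed snort.conf fragment (an assumption; not the poster's file).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH D:\\win-ids\\Snort\\rules
"""

# Constructed rules file: one clean rule, one rule wrapped over two lines
# the way a browser-to-Notepad paste can leave it, and one rule that
# references a variable the config above never defines.
SAMPLE_RULES = """\
# bleeding-style comment line
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"clean rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
any (msg:"wrapped rule"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"undefined var"; sid:1000003; rev:1;)
"""

# Snort 2.x rule actions, and the shapes a header port field may take:
# a $variable, "any", a single port, a port range, or a bracketed list.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PORT_RE = re.compile(r"^!?(\$\w+|any|\d+(?::\d*)?|:\d+|\[[^\]]+\])$")
VAR_DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+")


def parse_vars(conf_text):
    """Collect the variable names defined with var/ipvar/portvar in snort.conf."""
    return {m.group(1) for m in map(VAR_DEF_RE.match, conf_text.splitlines()) if m}


def lint_rules(rules_text, defined_vars):
    """Return (line_number, problem) pairs for rule lines Snort would reject."""
    findings = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] not in ACTIONS:
            findings.append((n, f"line starts with {tokens[0]!r}, not a rule action; "
                                "probably the tail of a rule wrapped onto a new line"))
            continue
        # The header is everything before the first "(":
        # action proto src sport dir dst dport
        header = line.split("(", 1)[0].split()
        if len(header) != 7 or header[4] not in ("->", "<>"):
            findings.append((n, "incomplete rule header (expected 7 fields before the "
                                "options); the rule is probably split across lines"))
            continue
        for field in (header[3], header[6]):
            if not PORT_RE.match(field):
                findings.append((n, f"port field {field!r} is not a number, range, "
                                    "'any' or $variable"))
        # Variables are resolved in the header, so only scan there.
        for var in re.findall(r"\$(\w+)", " ".join(header)):
            if var not in defined_vars:
                findings.append((n, f"undefined variable ${var}; add a var/ipvar/portvar "
                                    "for it in snort.conf"))
    return findings


if __name__ == "__main__":
    for n, problem in lint_rules(SAMPLE_RULES, parse_vars(SAMPLE_CONF)):
        print(f"line {n}: {problem}")
```

Run it against your own snort.conf and a pasted .rules file (read both with open().read()) before enabling the include; the wrapped rule shows up as two complaints, one for the short header and one for the stray "any" line, and a variable that only exists in the rule set and not in snort.conf is reported by name. It checks headers only, so a rule with broken options will still need Snort itself to report it.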
