Snort mailing list archives

Re: New netbios rules?


From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 16 Jun 2009 08:54:49 -0600

Always a good idea.  Anytime a new release of snort comes out, there tend to
be inherent changes to the snort.conf that address and handle the new
features (i.e. dcerpc2).  So please be sure to at a minimum run a diff on
your current vs the new snort.conf.

JJC

On Tue, Jun 16, 2009 at 8:45 AM, Griffin, Chris Andrew (Chris) <
cg58 () alcatel-lucent com> wrote:

I'm having the same problem

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Warning: /etc/snort/rules/netbios.rules(24) => Unknown keyword 'dce_iface' in rule!
Fatal Error, Quitting..

and I found this post:


https://forums.snort.org/forums/snort-newbies/topics/snort-error-when-starting-snort-unknown-keyword-dce_iface

I can't find "preprocessor dcerpc_server: default" in snort.conf to
disable, but I think it's because my snort.conf is old.  I'm going to try
and upgrade my snort.conf to the latest version (v2.8.4.1).  If you haven't
upgraded your snort.conf in a while I may suggest you try the same.




________________________________

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, June 16, 2009 10:31 AM
To: jlay () slave-tothe-box net
Cc: Snort
Subject: Re: [Snort-users] New netbios rules?



On Jun 16, 2009, at 10:17 AM, jlay () slave-tothe-box net wrote:


       After updating this morning I see:

       Jun 16 08:12:25 10.21.10.2 snort[7899]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(24) => Unknown keyword 'dce_iface' in rule!

       Version is:

       Version 2.8.4.1 (Build 38)

       Do I need to update snort?  Thanks.


No, but you do need to enable the dce/rpc2 preprocessor in your snort.conf


--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
[m]



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

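The two checks suggested in this thread (compare the current snort.conf against the new one, and confirm dcerpc2 is enabled before loading rules that use `dce_iface`), as an added example that is not part of the original messages. The function names, file names and the sample config and rule lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

active_preprocessors() {    # names of uncommented preprocessors in a snort.conf
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1" | sort -u
}

missing_preprocessors() {   # usage: missing_preprocessors CURRENT_CONF NEW_CONF
    cur=$(mktemp) && new=$(mktemp) || return 2
    active_preprocessors "$1" > "$cur"
    active_preprocessors "$2" > "$new"
    comm -13 "$cur" "$new"  # lines only in NEW_CONF
    rm -f "$cur" "$new"
}

check_dce_rules() {         # usage: check_dce_rules CONF RULES_DIR
    # Fails when an active rule uses a dce_* option but dcerpc2 is not enabled.
    if grep -Eqs '^[[:space:]]*[a-z].*[(;][[:space:]]*dce_(iface|opnum|stub_data)' "$2"/*.rules &&
       ! active_preprocessors "$1" | grep -qx 'dcerpc2'; then
        echo "dce_* rule options need 'preprocessor dcerpc2' in $1" >&2
        return 1
    fi
    return 0
}

make_sample() {             # writes constructed sample files into directory $1
    mkdir -p "$1/rules"
    printf '%s\n' 'preprocessor frag3_global: max_frags 65536' \
        'preprocessor dcerpc: autodetect' \
        '# preprocessor dcerpc2' > "$1/snort.conf.current"
    printf '%s\n' 'preprocessor frag3_global: max_frags 65536' \
        'preprocessor dcerpc2' \
        'preprocessor dcerpc2_server: default' > "$1/snort.conf.new"
    printf '%s\n' 'alert tcp any any -> any 445 (msg:"constructed sample"; dce_iface:00000000-0000-0000-0000-000000000000; sid:1000001; rev:1;)' \
        > "$1/rules/netbios.rules"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample "$d"
    missing_preprocessors "$d/snort.conf.current" "$d/snort.conf.new"
    check_dce_rules "$d/snort.conf.current" "$d/rules" || echo "current conf would fail"
    rm -rf "$d"
fi
```

After merging the reported preprocessors into the live config, `snort -T -c <conf>` validates the result without starting capture.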
