Snort mailing list archives
Re: New netbios rules?
From: craig bowser <reswob10 () gmail com>
Date: Wed, 15 Jul 2009 14:41:48 -0400
I just got the same problem as jlay <jlay () slave-tothe-box net>. I've had v2.8.4.1 running just fine for a while, but today I updated the rules (both from Snort and from Emerging Threats) and performed an 'apt-get upgrade' and suddenly I'm getting this error.

I don't have either "preprocessor dcerpc2" or "preprocessor dcerpc_server: default" in my snort.conf and the entry for dce/rpc is as follows:

    # Per Step #2, set the following to load the dcerpc preprocessor
    # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
    # or use commandline option
    # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

    preprocessor dcerpc: \
        autodetect \
        max_frag_size 3000 \
        memcap 100000

So it appears to be enabled. However, I looked for libsf_dcerpc_preproc.so, but that file is not present. Do I need to create one? The README.dcerpc file does not say how to format such a file.

OTOH, did I screw up something updating the rules?

Thanks.

Craig Bowser

On Tue, Jun 16, 2009 at 10:45 AM, Griffin, Chris Andrew (Chris) <cg58 () alcatel-lucent com> wrote:
I'm having the same problem

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Warning: /etc/snort/rules/netbios.rules(24) => Unknown keyword ' dce_iface' in rule!
Fatal Error, Quitting..

and I found this post:
https://forums.snort.org/forums/snort-newbies/topics/snort-error-when-starting-snort-unknown-keyword-dce_iface

I can't find "preprocessor dcerpc_server: default" in snort.conf to disable, but I think it's because my snort.conf is old. I'm going to try and upgrade my snort.conf to the latest version (v2.8.4.1). If you haven't upgraded your snort.conf in a while I may suggest you try the same.

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, June 16, 2009 10:31 AM
To: jlay () slave-tothe-box net
Cc: Snort
Subject: Re: [Snort-users] New netbios rules?

On Jun 16, 2009, at 10:17 AM, jlay () slave-tothe-box net wrote:

After updating this morning I see:

Jun 16 08:12:25 10.21.10.2 snort[7899]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(24) => Unknown keyword ' dce_iface' in rule!

Version is: Version 2.8.4.1 (Build 38)

Do I need to update snort?

Thanks.

No, but you do need to enable the dce/rpc2 preprocessor in your snort.conf

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 [m]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
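Added example, not part of the original thread or of Snort itself: a pre-flight check that reports rules using dcerpc2 rule options when snort.conf has no active "preprocessor dcerpc2" line, which is the mismatch behind the "Unknown keyword ' dce_iface'" error above. The function names and the sample rule are assumptions made for illustration; the conf fragment is the one quoted in the thread.

```python
import re

# Rule options that only exist once the dcerpc2 preprocessor is configured.
DCE2_OPTIONS = ("dce_iface", "dce_opnum", "dce_stub_data")
OPTION_RE = re.compile(r"[(;]\s*(%s)\b" % "|".join(DCE2_OPTIONS))

def active_preprocessors(conf_text):
    """Names of preprocessors configured on uncommented snort.conf lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", conf_text)  # fold "\" continuations
    names = set()
    for line in joined.splitlines():
        m = re.match(r"\s*preprocessor\s+(\w+)", line)
        if m:
            names.add(m.group(1))
    return names

def unsupported_rules(conf_text, rule_files):
    """Return (file, line, option) for each active rule that uses a dcerpc2
    option while snort.conf has no 'preprocessor dcerpc2' line."""
    if "dcerpc2" in active_preprocessors(conf_text):
        return []
    findings = []
    for name, text in rule_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # disabled rule or comment
            m = OPTION_RE.search(line)
            if m:
                findings.append((name, lineno, m.group(1)))
    return findings

# snort.conf fragment as quoted in the thread (old dcerpc preprocessor only).
SAMPLE_CONF = r"""
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
"""

# Constructed rule file; the UUID, sid and msg are placeholders.
SAMPLE_RULES = {"netbios.rules": (
    '# constructed sample, not a real rule from the ruleset\n'
    'alert tcp any any -> any 135 (msg:"constructed sample"; '
    'dce_iface:00000000-0000-0000-0000-000000000000; sid:1000001; rev:1;)\n'
)}

if __name__ == "__main__":
    for f, n, opt in unsupported_rules(SAMPLE_CONF, SAMPLE_RULES):
        print("%s(%d): '%s' needs 'preprocessor dcerpc2' in snort.conf" % (f, n, opt))
```

Running a check like this after a rule update and before restarting the sensor catches the mismatch without Snort exiting on a fatal error.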