Re: Snort 2.9.0 DCE RPC error [SOLVED] and more

["James Lay" <jlay () slave-tothe-box net>]

Nice ;)  Ten minutes ago VRT Certified only had 2.9.0 beta and there was
nothing for 2.9.0 under VRT registered...I'll snag the new rules and
install.  Thanks for the quick response.

James

> The 2.9 rules are available for registered users already. See
> http://www.snort.org/snort-rules/?#rules
>
> Great URI I know, did I mention we don't run the infrastructure
> recently?
>
> On Tue, 5 Oct 2010 08:41:38 -0600, James Lay wrote:
> > Hey All,
> >
> > Did an upgrade from 2.8.6.1 to 2.9.0 from source on Slackware 12.1.
> > Below
> > is the error I saw:
> >
> > ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version
> > 1.1.5
> > (-1)
> >
> > After checking /usr/local/lib/snort_dynamicpreprocessor, lo and behold,
> > old libs.  Nuked those out, but then I got:
> >
> > ERROR: /usr/local/etc/snort/rules/web-client.rules(357) byte_test option
> > has bad comparison value: 186a0.
> >
> > ERROR: /usr/local/etc/snort/rules/web-client.rules(359) byte_test option
> > has bad comparison value: 186a0.
> >
> > Which leads me to a question and feature request.  Can snort include
> > something in the future to detect old libs?  I've seen ntop do this, so
> > I
> > think it's possible.  And in regards to the rules, what do shmoes like
> > me
> > do when we upgrade, but aren't using VRT rules?  I'm now running 2.9.0
> > on
> > 2.8.6.1 rules, and as seen above, that's not always a pretty scene as
> > I've
> > had to comment out the above rules.  However, as I understand it, I
> > won't
> > have access to 2.9.0 rules for another month, yes?  What's the best
> > course
> > of action?  Wait a month to upgrade when the new rulesets mesh with the
> > new version of snort?  Or plod ahead in hopes that old version rules
> > work
> > with new version snort?  Is there no way to do a new snort release
> > coupled
> > with, if not a complete initial new ruleset, at least certain sets
> > (web-clients.rules) that fix surprises like the above?
> >
> > Danke, thanks, and all that stuff.
> >
> > James
> ------------------------------------------------------------------------------
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today.
> > http://p.sf.net/sfu/beautyoftheweb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/



------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users