Snort mailing list archives
snort.conf issues
From: eric <erict70445 () gmail com>
Date: Mon, 24 Dec 2012 21:49:13 -0600
I am having a problem when testing my snort configuration file. I have Snort set up on a Vista (32bit) system following the install guide. I have set all the variables correctly as far as network and path to rules and so on. When I run the test command (snort -d -l C:\snort\log -c C:\Snort\etc\snort.conf -i 3 -T) it seems to do well until after checking the blacklist.rules file. After which I get the following lines in my terminal:

(464) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; content:".sys.php?getexe="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1;)

(466) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; content:"/VertexNet/adduser.php?uid=|7B|"; nocase; http_uri; content:"cmpname="; nocase; http_uri; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1;)

Additional address is invalid but not printed.
Reputation entries loaded: 0, invalid: 92, re-defined: 0 (from file C:\Snort\rules\rules\blacklist.rules)
ERROR: c:\snort\etc\snort.conf(533) => Invalid argument: include
Fatal Error, Quitting..
Could not set the event message file.

I have included the last two entries the test displayed plus the error message.

If anyone can give me an idea of what is going on it would be greatly appreciated.

Thank you,
Eric T.
erict70445 () gmail com