Re: FATAL ERROR - FATAL ERROR: Unknown rule option: 'disable'.

[James Lay <jlay () slave-tothe-box net>]

So this looks like the numbers 9844 and 10007 have been prepended to the 
rule, which will blow up.  Matthew, if you're wanting to not used these 
rules with pulled pork your disablesid.conf should look like this:

1:2011581,1:2014297

If you have anything besides "alert", "block" or "#" at the start of any 
snort rules in your snort.rules files snort will most likely not start/

James

On 2016-05-26 08:55, Shirkdog wrote:
> Is this the output from your snort.rules? There are extra spaces in
> those rules that should not be there, and disable: is not a valid rule
> option. Are you trying to disable/modify these signatures with
> pulledpork?
>
> On May 26, 2016 10:46 AM, "Matthew White" <on3moda () gmail com> wrote:
>
> > FYI rules from pulledpork breaking snort. Commented them out.
> >
> > 9844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> > POLICY Vulnerable Java Version 1.5.x Detected";
> > flow:established,to_server; content:" Java/1.5."; nocase; h
> > ttp_header; disable:set,ET.http.javaclient.vulnerable; threshold:
> > type limit, count 2, seconds 300, track by_src;
> > reference:url,javatester.org/version.html [1]; classtype:ba
> > d-unknown; sid:2011581; rev:9;)
> >
> > 10007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> > POLICY Vulnerable Java Version 1.7.x Detected";
> > flow:established,to_server; content:" Java/1.7.0_"; http_he
> > ader; content:!"99"; within:2; http_header;
> > disable:set,ET.http.javaclient.vulnerable; threshold: type limit,
> > count 2, seconds 300, track by_src; reference:url,javateste
> > r.org/version.html [2];
> > reference:url,java.com/en/download/manual_java7.jsp [3];
> > classtype:bad-unknown; sid:2014297; rev:41;)
> >
> > On Wed, May 25, 2016 at 8:23 PM, Joel Esler (jesler)
> > <jesler () cisco com> wrote:
> >
> > What does line 9844 of the snort.rules file say?
> >
> > "vi +9844 snort.rules”
> >
> > will take you right to it.
> >
> > --
> > JOEL ESLER
> > Manager, Talos Group
> >
> > On May 25, 2016, at 8:59 PM, Matthew White <on3moda () gmail com>
> > wrote:
> >
> > After modifying my pulledpork.conf file I now get the following.
> >
> > FATAL ERROR: /etc/snort/rules/snort.rules(9844) Unknown rule option:
> > 'disable'.
> >
> > Not seeing this in forums. Any ideas?
> ------------------------------------------------------------------------------
> > Mobile security can be enabling, not merely restricting. Employees
> > who
> > bring their own devices (BYOD) to work are irked by the imposition
> > of MDM
> > restrictions. Mobile Device Manager Plus allows you to control only
> > the
> > apps on BYO-devices by containerizing them, leaving personal data
> > untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of
> MDM
> restrictions. Mobile Device Manager Plus allows you to control only
> the
> apps on BYO-devices by containerizing them, leaving personal data
> untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> Links:
> ------
> [1] http://javatester.org/version.html
> [2] http://r.org/version.html
> [3] http://java.com/en/download/manual_java7.jsp
>
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of 
> MDM
> restrictions. Mobile Device Manager Plus allows you to control only the
> apps on BYO-devices by containerizing them, leaving personal data 
> untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!