Snort mailing list archives
Re: Need help - Fatal Error
From: "Badgley (US), Michael B" <michael.b.badgley () boeing com>
Date: Wed, 10 Apr 2019 15:56:33 +0000
Thank you for prompt reply - we are using version 2.9.0.5. I finally found a copy of the manual, and uribuf does not appear to be valid in that version - so we are removing that option from the urilen command and re-testing.

FOUO

Mike Badgley, CISSP
(256) 830-3836 (Desk)
GMD NIM

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, April 10, 2019 10:37 AM
To: Badgley (US), Michael B <michael.b.badgley () boeing com>
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Need help - Fatal Error

What version of Snort are you using?

On Apr 10, 2019, at 11:28 AM, Badgley (US), Michael B <michael.b.badgley () boeing com> wrote:

I was handed the following rule to implement

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;)

It is giving me the following - Invalid 'urilen' argument. Fatal Error.

When I remove the urilen argument (along with ":6,norm") - the error goes away. The format and syntax look ok per the documentation.

Mike Badgley, CISSP
GMD NIM
michael.b.badgley () boeing com
(256) 830-3836 (Desk)
(256) 461-6187 (Outlook Phone)

Certified Information Systems Security Professional (CISSP)
Issued to Michael Badgley
Issued by (ISC)²

Caution: This message may contain "For Official Use Only" (FOUO) or other information not intended for non-official disclosure. Do not disseminate this message, except to persons who require it for official governmental or contractual purposes, without the approval of the individual originating this message or other authorized official of the Missile Defense Agency. If you received this message in error, please notify the sender by reply email and delete it.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
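An added example, not part of the original messages or of Snort itself: a pre-deployment check that parses a rule's option block and flags a urilen buffer selector when the target build does not accept one, which is the condition the thread arrives at. The function names and the `uribuf_supported` switch are hypothetical, the grammar is the one given in the Snort 2.x manual, and the sample rule is the thread's rule with the two http_header matches omitted.

```python
import re

# urilen grammar per the Snort 2.x manual: "N", "<N", ">N" or "min<>max";
# manuals that document a uribuf add an optional ",norm" / ",raw" selector.
URILEN_RE = re.compile(
    r"^\s*(?:(?P<min>\d+)\s*<>\s*(?P<max>\d+)|(?P<op>[<>])?\s*(?P<len>\d+))"
    r"\s*(?:,\s*(?P<uribuf>norm|raw))?\s*$")

# Constructed sample: the rule from the thread, http_header matches omitted.
RULE = '''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
 msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)";
 sid:10002; rev:1; flow:established,to_server;
 content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;)'''


def split_options(rule):
    """Return (keyword, argument) pairs from the rule's option block.

    Splits on ';' only outside double quotes and honours backslash escapes,
    so a ';' or ')' inside msg/content text does not end an option.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())  # option without a trailing ';'
    return [tuple(s.strip() for s in o.partition(":")[::2]) for o in opts if o]


def check_urilen(rule, uribuf_supported):
    """Return one finding per urilen option the target build would reject."""
    findings = []
    for arg in (a for k, a in split_options(rule) if k == "urilen"):
        m = URILEN_RE.match(arg)
        if m is None:
            findings.append(f"urilen:{arg}: malformed argument")
        elif m["uribuf"] and not uribuf_supported:
            findings.append(f"urilen:{arg}: ',{m['uribuf']}' selector not "
                            "accepted by this Snort build")
    return findings
```

Whether a given release accepts the selector has to come from that release's manual; the thread reports that 2.9.0.5 does not, so `uribuf_supported=False` models that sensor.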