Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Need help - Fatal Error

From: "Badgley (US), Michael B" <michael.b.badgley () boeing com>
Date: Wed, 10 Apr 2019 15:56:33 +0000
Thank you for prompt reply - we are using version 2.9.0.5



I finally found a copy of the manual, and uribuf does not appear to be valid in that version - so we are removing that 
option from the urilen command and re-testing.



FOUO

Mike Badgley, CISSP

(256) 830-3836 (Desk)

GMD NIM



From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, April 10, 2019 10:37 AM
To: Badgley (US), Michael B <michael.b.badgley () boeing com>
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Need help - Fatal Error



What version of Snort are you using?





   On Apr 10, 2019, at 11:28 AM, Badgley (US), Michael B <michael.b.badgley () boeing com<mailto:michael.b.badgley () 
boeing com>> wrote:



   I was handed the following rule to implement



   alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI 
'/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; 
http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 
Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;)



   It is giving me the following - Invalid 'urilen' argument. Fatal Error.



   When I remove the urilen argument (along with ":6,norm" - the error goes away.



   The format and syntax look ok per the documentation.



   Mike Badgley, CISSP
   GMD NIM
   michael.b.badgley () boeing com<mailto:michael.b.badgley () boeing com>

   (256) 830-3836 (Desk)
   (256) 461-6187 (Outlook Phone)

   <image002.png>Certified Information Systems Security Professional (CISSP)

   Issued to Michael Badgley

   Issued by (ISC)²



   Caution:  This message may contain "For Official Use Only" (FOUO) or other information not intended for non-official 
disclosure. Do not disseminate this message, except to persons who require it for official governmental or contractual 
purposes, without the approval of the individual originating this message or other authorized official of the Missile 
Defense Agency. If you received this message in error, please notify the sender by reply email and delete it.



   _______________________________________________
   Snort-users mailing list
   Snort-users () lists snort org<mailto:Snort-users () lists snort org>
   Go to this URL to change user options or unsubscribe:
   https://lists.snort.org/mailman/listinfo/snort-users

                  To unsubscribe, send an email to:
                  snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org>

   Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

   Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette




_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: