Snort mailing list archives
Re: Need help - Fatal Error
From: "Badgley (US), Michael B" <michael.b.badgley () boeing com>
Date: Wed, 10 Apr 2019 16:18:22 +0000
That was the issue – our version does not support the uribuf command. Fatal error resolved. Thank you for your rapid replies. FOUO Mike Badgley, CISSP (256) 830-3836 (Desk) GMD NIM From: Al Lewis (allewi) [mailto:allewi () cisco com] Sent: Wednesday, April 10, 2019 10:39 AM To: Badgley (US), Michael B <michael.b.badgley () boeing com>; snort-users () lists snort org Subject: Re: [Snort-users] Need help - Fatal Error What version of snort are you using? (snort -V). Albert Lewis ENGINEER.SOFTWARE ENGINEERING Cisco Systems Inc. Email: allewi () cisco com<mailto:allewi () cisco com> From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of "Badgley (US), Michael B" <michael.b.badgley () boeing com<mailto:michael.b.badgley () boeing com>> Date: Wednesday, April 10, 2019 at 11:31 AM To: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>> Subject: [Snort-users] Need help - Fatal Error I was handed the following rule to implement alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;) It is giving me the following - Invalid 'urilen' argument. Fatal Error. When I remove the urilen argument (along with “:6,norm” – the error goes away. The format and syntax look ok per the documentation. Mike Badgley, CISSP GMD NIM michael.b.badgley () boeing com<mailto:michael.b.badgley () boeing com> (256) 830-3836 (Desk) (256) 461-6187 (Outlook Phone) [https://acclaim-production-app.s3.amazonaws.com/images/795d92b5-2245-4df8-b910-4daff06c65d7/isc2_cissp.png]Certified Information Systems Security Professional (CISSP) Issued to Michael Badgley Issued by (ISC)² Caution: This message may contain "For Official Use Only" (FOUO) or other information not intended for non-official disclosure. Do not disseminate this message, except to persons who require it for official governmental or contractual purposes, without the approval of the individual originating this message or other authorized official of the Missile Defense Agency. If you received this message in error, please notify the sender by reply email and delete it.
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Need help - Fatal Error Badgley (US), Michael B (Apr 10)
- Re: Need help - Fatal Error Joel Esler (jesler) via Snort-users (Apr 10)
- Re: Need help - Fatal Error Badgley (US), Michael B (Apr 10)
- Re: Need help - Fatal Error Joel Esler (jesler) via Snort-users (Apr 10)
- Re: Need help - Fatal Error Joel Esler (jesler) via Snort-users (Apr 10)
- Re: Need help - Fatal Error Badgley (US), Michael B (Apr 10)
- Re: Need help - Fatal Error Joel Esler (jesler) via Snort-users (Apr 10)
- <Possible follow-ups>
- Re: Need help - Fatal Error Al Lewis (allewi) via Snort-users (Apr 10)
- Re: Need help - Fatal Error Badgley (US), Michael B (Apr 10)
- Re: Need help - Fatal Error Badgley (US), Michael B (Apr 10)