Snort mailing list archives

Re: Need help - Fatal Error


From: "Badgley (US), Michael B" <michael.b.badgley () boeing com>
Date: Wed, 10 Apr 2019 16:18:22 +0000

That was the issue – our version does not support the uribuf command.  Fatal error resolved.

Thank you for your rapid replies.

FOUO
Mike Badgley, CISSP
(256) 830-3836 (Desk)
GMD NIM

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Wednesday, April 10, 2019 10:39 AM
To: Badgley (US), Michael B <michael.b.badgley () boeing com>; snort-users () lists snort org
Subject: Re: [Snort-users] Need help - Fatal Error

What version of snort are you using? (snort -V).



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com


From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Badgley (US), Michael B" <michael.b.badgley () boeing com>
Date: Wednesday, April 10, 2019 at 11:31 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Need help - Fatal Error

I was handed the following rule to implement

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;)

It is giving me the following - Invalid 'urilen' argument. Fatal Error.

When I remove the urilen argument (along with “:6,norm”) – the error goes away.

The format and syntax look ok per the documentation.

Mike Badgley, CISSP
GMD NIM
michael.b.badgley () boeing com
(256) 830-3836 (Desk)
(256) 461-6187 (Outlook Phone)
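
A pre-deployment check for the failure resolved in this thread, as an added example that is not part of the original messages or of Snort itself: it splits each rule's option block and reports every urilen option that carries a uribuf argument (raw or norm), so those rules can be held back from sensors whose Snort version rejects it. The sample rule is abbreviated from the one in the thread, and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the thread's rule, abbreviated to the options that matter here.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Quasar RAT ip-api lookup"; '
        'sid:10002; rev:1; flow:established,to_server; content:"/json/"; http_uri; depth:6; '
        'urilen:6,norm; priority:2;)')

# urilen value: a length, <length, >length or min<>max, then an optional buffer selector.
URILEN = re.compile(r"^([<>]?\s*\d+(?:\s*<>\s*\d+)?)\s*(?:,\s*(raw|norm))?$")


def split_options(rule):
    """Return (name, value) pairs; ';' ends an option only outside quotes and unescaped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            name, _, value = "".join(buf).strip().partition(":")
            if name:
                options.append((name.strip(), value.strip()))
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped  # a backslash escapes only the next character
        buf.append(ch)
    return options


def needs_uribuf_support(rules):
    """Return (sid, urilen value) for every rule whose urilen names a buffer."""
    flagged = []
    for rule in rules:
        opts = split_options(rule)
        sid = dict(opts).get("sid", "?")
        for name, value in opts:
            if name != "urilen":
                continue
            match = URILEN.match(value)
            if match is None:
                raise ValueError(f"sid {sid}: unparseable urilen value {value!r}")
            if match.group(2):  # 'raw' or 'norm' present
                flagged.append((sid, value))
    return flagged


if __name__ == "__main__":
    for sid, value in needs_uribuf_support([RULE]):
        print(f"sid {sid}: urilen:{value} needs a Snort build that accepts the uribuf argument")
```

Run it over the rule files before pushing them to a sensor and compare the flagged sids against the version reported by `snort -V` on that sensor.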
