[Snort-users] Snort errors on startup -- rules related?
Aloha,
I upgraded my snort today after reading the very fine book Snort 2.0 Intrusion Detection. Currently, I am running:

-*> Snort! <*- Version 2.1.0 (Build 9) By Martin Roesch (roesch@sourcefire.com, www.snort.org)

on a Red Hat 7.2 box. This install has the current rules from snortrules-current.tar.gz dated Jan 25 01:15:12 2004 GMT obtained from the downloads pages.

Please note that I am not a rules expert, so much of this is a foreign language to me. However, I thought this might be a good learning opportunity for me, so I am looking for help. Anyway, after I got it all installed and tried to start it up, I get the following two errors that I'd like to see if I can fix. (Disabling the rules for rpc and web_misc allows snort to run, albeit without those capabilities enabled.)

Here is the first error message in /var/log/messages:

Jan 24 17:08:40 router snort: FATAL ERROR: /etc/snort/rules/rpc.rules:19: Unknown Flow Option: 'to_sever'

Now when I open up the rules for RPC.rules, rule #19 looks just like the surrounding rules in that it has the same format as the others. So why does this error out with Unknown Flow Option: 'to_server'? Should the 'flow:to_server, established' part of that rule be removed?

Here is the second error message:

Jan 24 17:09:19 router snort: FATAL ERROR: /etc/snort/rules/web-misc.rules(10) => Sorry, regex isn't supported at this time. This isn't new.

Here is rule number 10:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)

I also noted that rule number 58 uses 'regex'.

Thanks in advance for your help,
Ben
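Both errors in the post are rule-syntax problems that snort only reports at startup, one rule at a time. A pre-flight lint pass over the rules files catches them all at once before a restart takes the sensor down. The following is an added example written for this thread, not code from the poster or from the Snort project: a small rule-option parser that flags flow values snort does not know (the 'to_sever' spelling from the first error) and option keywords the build rejects (the bare 'regex' keyword from the second). The set of accepted flow tokens is taken from the Snort 2.x manual and is an assumption about the reader's build; the sample rules text is constructed for the example (the real rpc.rules line 19 is not shown in the post), with the web-misc rule copied verbatim from the post.

```python
import re

# Flow values accepted by Snort 2.x rules (from the Snort 2.x manual; assumed
# to match the reader's build).
VALID_FLOW_TOKENS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "stateless", "no_stream", "only_stream",
}

# Option keywords this snort build refuses outright. The second error in the
# post shows Snort 2.1.0 rejecting a bare 'regex' keyword.
UNSUPPORTED_OPTIONS = {"regex"}

# One rule option: name, optional ':value' (quoted strings may contain ';'),
# terminated by ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"[^"]*"|[^;])*))?\s*;')


def parse_options(rule: str):
    """Return (name, value_or_None) pairs from the parenthesised option body."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        return []
    body = rule[start + 1:end].strip()
    if body and not body.endswith(";"):
        body += ";"  # tolerate a missing final semicolon so the last option is seen
    options, pos = [], 0
    while pos < len(body):
        match = OPTION_RE.match(body, pos)
        if not match:
            break
        options.append((match.group(1), match.group(2)))
        pos = match.end()
    return options


def lint_rule(rule: str, lineno: int = 0):
    """Return human-readable problems found in one rule line."""
    problems = []
    for name, value in parse_options(rule):
        if name in UNSUPPORTED_OPTIONS:
            problems.append(
                f"line {lineno}: option '{name}' is not supported by this snort build")
        if name == "flow":
            if value is None:
                problems.append(f"line {lineno}: flow option given without a value")
                continue
            for token in value.split(","):
                token = token.strip()
                if token not in VALID_FLOW_TOKENS:
                    # Same wording snort uses, so it is easy to correlate with syslog.
                    problems.append(f"line {lineno}: Unknown Flow Option: '{token}'")
    return problems


def lint_rules_text(text: str):
    """Lint a whole rules file; blank lines and comments are skipped."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems.extend(lint_rule(line, lineno))
    return problems


# Constructed sample rules file (not the real rpc.rules or web-misc.rules).
# Line 3 carries the 'to_sever' misspelling reported in the first error; line 4
# is the web-misc rule quoted in the post, which uses the rejected 'regex' keyword.
SAMPLE_RULES = """\
# constructed sample rules for the linter
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC constructed good rule"; flow:to_server,established; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC constructed rule with typo"; flow:to_sever,established; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)
"""

if __name__ == "__main__":
    for problem in lint_rules_text(SAMPLE_RULES):
        print(problem)
```

Run it against a directory of rules files (read each file and pass its text to lint_rules_text) before restarting snort; anything it prints would otherwise surface as a FATAL ERROR in /var/log/messages and stop the daemon.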