Snort mailing list archives

Re: new ruleset gives a fatal error


From: twig les <twigles () yahoo com>
Date: Mon, 19 Aug 2002 15:00:25 -0700 (PDT)

Ack!  I'm a buffoon.  Of course it was an old snort.conf that was
missing a couple new variables like aim_servers and stuff.

Sorry all, first day back from vacation.


--- Matt Kettler <mkettler () evi-inc com> wrote:
Diff your snort.conf against the one that was included with the rules
tarball you downloaded.

There's probably a new var SHELLCODE_PORTS or var HTTP_PORTS, etc that
you are missing that's used in exploit.rules line number 22.

You can't use an old snort.conf with new rule files without giving the
new snort.conf that comes in the tarball a quick check-over. The two are
inherently inter-related, which is why the rules tarball comes with a
new .conf file.

At 01:30 PM 8/19/2002 -0700, twig les wrote:
Hey all, I just dl'd the current ruleset today (Monday 8/19/02) and now
Snort won't start.  Running my config with -T gives me:

[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..

I will paste the entire output at the end, but that's the ticket right
there.  I've been looking thru exploit.rules and tried commenting out a
few rules that looked suspicious, but no luck.  Does anyone know which
rule this is?  Note that I have Snort 1.8.6 and this config has been
running fine for months with these exact startup options.  This
includes weekly rules updates.

===================================================
snortbox# /usr/local/bin/snort -c /usr/local/snort/snort.conf -i ti0 -T
Log directory = /var/log/snort

Initializing Network Interface ti0

        --== Initializing Snort ==--
Decoding Ethernet on interface ti0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
[!] ERROR .//exploit.rules(22) => Bad port number: "(msg:"EXPLOIT"
Fatal Error, Quitting..
================================================


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
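
Added example, not part of the original thread or of Snort: one way to automate the check the thread recommends, by listing every variable a rules file references that the snort.conf in use never defines. It assumes Snort 1.8-style `var NAME value` definitions and `$NAME` / `$(NAME)` references; the function names and the sample config and rules are constructed for illustration.

```python
import re

VAR_DEF = re.compile(r'^\s*var\s+(\w+)\s+\S')   # "var NAME value"
VAR_REF = re.compile(r'\$\(?(\w+)')              # "$NAME" or "$(NAME"
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def defined_vars(conf_text):
    """Names set by 'var NAME value' lines in a snort.conf."""
    names = set()
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            names.add(m.group(1))
    return names

def undefined_refs(conf_text, rules):
    """Return sorted (file, line_no, var) for $VAR uses with no definition.

    rules maps a rules file name to its text. Only the rule header is
    scanned: a '$' inside the option body (content strings and so on)
    is payload text, not a variable reference.
    """
    known = defined_vars(conf_text)
    missing = []
    for fname, text in rules.items():
        for no, line in enumerate(text.splitlines(), 1):
            if not line.lstrip().startswith(ACTIONS):
                continue  # comment, blank line, or non-rule directive
            # Header ends at the first "(" that is not part of "$(".
            header = re.split(r'(?<!\$)\(', line, maxsplit=1)[0]
            for name in VAR_REF.findall(header):
                if name not in known:
                    missing.append((fname, no, name))
    return sorted(missing)

# Constructed sample: an old snort.conf and lines from a newer rules file.
OLD_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
"""
RULES = {"exploit.rules": """\
# constructed rules, not taken from the real tarball
alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"EXPLOIT sample"; content:"$IFS";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPLOIT sample 2"; content:"a";)
"""}

if __name__ == "__main__":
    for fname, no, name in undefined_refs(OLD_CONF, RULES):
        print(f"{fname}({no}): ${name} is not defined in snort.conf")
```

The reported file and line number use the same `file(line)` form as the Snort error in the thread, so a hit can be matched directly against the failing rule.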

