LinuxQuestions.org
Old 11-01-2002, 06:10 PM   #1
Canadian_2k2
Member
 
Registered: Oct 2002
Location: BC,Canada
Distribution: Debian
Posts: 92

Rep: Reputation: 15
Snort Rules


Please help me, I am trying to set up SNORT on my private LAN.
I have a problem with the rules: when I load snort, it says

Initializing rule chains...
ERROR .snortrc:1 => Port value missing in rule!
Fatal Error, Quitting..

I have tried using snortconf and it still doesn't work.
Can anyone help me,
or tell me some filters that I should use to monitor my networks' traffic?
PLEASE

Thanx
Canadian
 
Old 11-01-2002, 06:21 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Rep: Reputation: 2895
If you want to test Snort with your current config and rules, try appending "-T" on the command line, and it'll output where the errors are. This sole error doesn't mean much without a proper error log and config.

There have been some port vars added which you must have in your config, like HTTP_PORTS, ORACLE_PORTS and SHELLCODE_PORTS, if you use rules that use these. Snortconf-current doesn't go beyond Snort-1.8x.
 
Old 11-01-2002, 09:32 PM   #3
Canadian_2k2
Member
 
Registered: Oct 2002
Location: BC,Canada
Distribution: Debian
Posts: 92

Original Poster
Rep: Reputation: 15
I have included a bunch of .rules in my snort.conf
and I get this message when I try to load snort with -T:
ERROR /etc/snort/web-misc.rules(202) => Bad Priority setting "attempted-admin"
And I get it for every rule in all the *.rules that I have included. What
should I do? I have snort 1.8.3.
In snort.conf I have:
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 152
and it still returns:


ERROR /etc/snort/x11.rules(9) => Bad Priority setting "unknown"
1238 Snort rules read...
1238 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Decoding Ethernet on interface eth0

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
[root@andrew snort]#

What should I do?
 
Old 11-01-2002, 09:55 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Rep: Reputation: 2895
You really, really first want to upgrade to Snort-1.9x if you want to keep up with the new rules coming out. Stupid of me not to ask you the version you're using first...
 
Old 11-01-2002, 10:12 PM   #5
Canadian_2k2
Member
 
Registered: Oct 2002
Location: BC,Canada
Distribution: Debian
Posts: 92

Original Poster
Rep: Reputation: 15
Will that fix my error msgs?
 
Old 11-01-2002, 10:24 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Rep: Reputation: 2895
Ok, there are a few other things we could check: did you include the classification.config before loading the rules? Are you by any chance using whitehats' rulesets?

Upgrading Snort to 1.9x is good because Snort is "more optimized", you get to use the newer rules, better preprocessors, rule handling etc, etc. Not that it will fix your config for ya :-]
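
Added example, not part of the thread and not code from the Snort project: a small Python check for the two configuration points raised in posts #2 and #6, namely that the port variables are defined and classification.config is included before any .rules file is loaded. The sample config is constructed, and the check assumes only the plain "var NAME VALUE" and "include FILE" directives.

```python
import re

# Port variables the thread names as required by newer rule sets.
REQUIRED_VARS = ("HTTP_PORTS", "ORACLE_PORTS", "SHELLCODE_PORTS")
VAR_RE = re.compile(r"^var\s+(\S+)\s+\S")
INCLUDE_RE = re.compile(r"^include\s+(\S+)")


def check_conf(text, required_vars=REQUIRED_VARS):
    """Return (line_number, message) findings for a snort.conf given as text."""
    findings, defined = [], set()
    classification_seen = rules_seen = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if m := VAR_RE.match(line):
            defined.add(m.group(1))
        elif m := INCLUDE_RE.match(line):
            name = m.group(1).rsplit("/", 1)[-1]
            if name == "classification.config":
                classification_seen = True
            elif name.endswith(".rules"):
                if not rules_seen:  # check variables once, at the first rules file
                    rules_seen = True
                    findings += [(lineno, f"{v} is not defined before the first rules include")
                                 for v in required_vars if v not in defined]
                if not classification_seen:
                    findings.append((lineno, f"{name} is included before classification.config"))
    return findings


# Constructed sample config (not the poster's actual file).
SAMPLE_CONF = """\
# constructed sample
var HOME_NET any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
include /etc/snort/web-misc.rules
include classification.config
include /etc/snort/x11.rules
"""

if __name__ == "__main__":
    for lineno, message in check_conf(SAMPLE_CONF):
        print(f"snort.conf:{lineno}: {message}")
```

Running it over a config before "snort -T" points at the ordering problems directly, with the line number of the offending include.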
 
  


All times are GMT -5.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration