Snort Rules
Please Help me, I am trying to set up SNORT on my private LAN
I have a problem with the rules: when I load Snort, it says

Initializing rule chains...
ERROR .snortrc:1 => Port value missing in rule!
Fatal Error, Quitting..

I have tried using snortconf and it still doesn't work. Can anyone help me, or tell me some filters that I should use to monitor my network's traffic? PLEASE

Thanx
Canadian
If you want to test Snort with your current config and rules, try appending "-T" on the command line, and it'll output where the errors are. This sole error doesn't mean much without a proper error log and config.
There have been some port vars added which you must have in your config, like HTTP_PORTS, ORACLE_PORTS and SHELLCODE_PORTS, if you use rules that use these. Snortconf-current doesn't go beyond Snort-1.8x.
I have included a bunch of .rules in my snort.conf and I get this message when I try to load Snort with -T:

ERROR /etc/snort/web-misc.rules(202) => Bad Priority setting "attempted-admin"

And I get it for every rule in all the *.rules that I have included. What should I do? I have Snort 1.8.3.

In snort.conf I have

var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 152

and it still returns:

ERROR /etc/snort/x11.rules(9) => Bad Priority setting "unknown"
1238 Snort rules read...
1238 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Decoding Ethernet on interface eth0
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
Snort sucessfully loaded all rules and checked all rule chains!
[root@andrew snort]#

What should I do?
You really, really first want to upgrade to Snort-1.9x if you want to keep up with the new rules coming out. Stupid of me not to ask you the version you're using first...
Will that fix my error msgs?
Ok, there are a few other things we could check: did you include the classification.config before loading the rules? Are you by any chance using whitehats' rulesets?
Upgrading Snort to 1.9x is good because Snort is "more optimized", and you get to use the newer rules, better preprocessors, rule handling, etc. Not that it will fix your config for ya :-]
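
The two checks suggested in the replies above (port variables defined, classification.config included before the rules), as an added example that is not part of the original thread or of Snort itself. It assumes the usual `var NAME value`, `include file` and `config classification: name,description,priority` syntax; the file contents and the `lint` helper are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): rules are included BEFORE
# classification.config, and ORACLE_PORTS is never defined.
SAMPLE = {
    "snort.conf": "var HTTP_PORTS 80\n"
                  "include web-misc.rules\n"
                  "include classification.config\n",
    "classification.config":
        "config classification: attempted-admin,Attempted Administrator Privilege Gain,1\n",
    "web-misc.rules":
        'alert tcp any any -> any $HTTP_PORTS (msg:"constructed A"; classtype:attempted-admin;)\n'
        'alert tcp any any -> any $ORACLE_PORTS (msg:"constructed B"; classtype:unknown;)\n',
}

VAR_DEF = re.compile(r"^var\s+(\w+)\s+\S")
INCLUDE = re.compile(r"^include\s+(\S+)")
CLASS_DEF = re.compile(r"^config\s+classification:\s*([^,\s]+)\s*,")
CLASS_USE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")
VAR_USE = re.compile(r"\$(\w+)")
RULE_ACTIONS = ("alert ", "log ", "pass ", "activate ", "dynamic ")


def lint(files, name="snort.conf", seen=None, findings=None):
    """Read files in load order; report names used before they are defined."""
    seen = {"var": set(), "classtype": set()} if seen is None else seen
    findings = [] if findings is None else findings
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        if m := VAR_DEF.match(line):
            seen["var"].add(m.group(1))
        elif m := CLASS_DEF.match(line):
            seen["classtype"].add(m.group(1))
        elif m := INCLUDE.match(line):
            if m.group(1) in files:  # recurse at the point of inclusion
                lint(files, m.group(1), seen, findings)
            else:
                findings.append((name, lineno, "missing include", m.group(1)))
        elif line.startswith(RULE_ACTIONS):
            # Variables live in the rule header, classtype in the options.
            header, _, options = line.partition("(")
            used = [("var", v) for v in VAR_USE.findall(header)]
            used += [("classtype", c) for c in CLASS_USE.findall(options)]
            for kind, value in used:
                if value not in seen[kind]:
                    findings.append((name, lineno, "undefined " + kind, value))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("%s(%d): %s %r" % finding)
```

Moving the `include classification.config` line above the rule includes and defining the missing variable clears the findings for rule A and the port variable; rule B still needs a classification entry for its classtype.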