LinuxQuestions.org

Canadian_2k2 11-01-2002 06:10 PM

Snort Rules
 
Please help me, I am trying to set up Snort on my private LAN.
I have a problem with the rules: when I load Snort, it says

Initializing rule chains...
ERROR .snortrc:1 => Port value missing in rule!
Fatal Error, Quitting..

I have tried using snortconf and it still doesn't work.
Can anyone help me,
or tell me some filters that I should use to monitor my network's traffic?
PLEASE

Thanx
Canadian

unSpawn 11-01-2002 06:21 PM

If you want to test Snort with your current config and rules, try appending "-T" on the command line, and it'll output where errors are. This sole error doesn't mean much without a proper error log and config.

There have been some port vars added which you must have in your config like HTTP_PORTS, ORACLE_PORTS and SHELLCODE_PORTS if you use rules that use these. Snortconf-current doesn't go beyond Snort-1.8x.

Canadian_2k2 11-01-2002 09:32 PM

I have included a bunch of .rules in my snort.conf
and I get this message when I try to load Snort with -T:
ERROR /etc/snort/web-misc.rules(202) => Bad Priority setting "attempted-admin"
And I get it for every rule in all the *.rules that I have included. What
should I do? I have Snort 1.8.3.
In snort.conf I have:
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 152
and it still returns:


ERROR /etc/snort/x11.rules(9) => Bad Priority setting "unknown"
1238 Snort rules read...
1238 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Decoding Ethernet on interface eth0

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
[root@andrew snort]#

What should I do?

unSpawn 11-01-2002 09:55 PM

You really, really first want to upgrade to Snort-1.9x if you want to keep up with the new rules coming out. Stupid of me not to ask you the version you're using first...

Canadian_2k2 11-01-2002 10:12 PM

Will that fix my error msgs?

unSpawn 11-01-2002 10:24 PM

Ok, there's a few other things we could check: did you include the classification.config before loading the rules? Are you by any chance using whitehats' rulesets?

Upgrading Snort to 1.9x is good because Snort is "more optimized", and you get to use the newer rules, better preprocessors, rule handling etc, etc. Not that it will fix your config for ya :-]
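
A check for the two things asked about in this thread (port variables defined in the config, and classification.config included before the rule files), added here as an example and not posted by any participant. The file contents and the `lint` helper are constructed for illustration, and it assumes Snort processes snort.conf from top to bottom.

```python
import re

# Constructed sample (not from the thread): the rule file is included before
# classification.config, and one rule uses a port variable that is never set.
SAMPLE_CONF = """\
var EXTERNAL_NET any
var HTTP_SERVERS any
var HTTP_PORTS 80
include web-misc.rules
include classification.config
"""
SAMPLE_FILES = {
    "classification.config":
        "config classification: attempted-admin,Attempted Administrator Privilege Gain,1\n",
    "web-misc.rules":
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"constructed A"; classtype:attempted-admin; sid:1000001;)\n'
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $ORACLE_PORTS '
        '(msg:"constructed B"; classtype:attempted-admin; sid:1000002;)\n',
}
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def lint(conf_text, files):
    """Read the config in order, following includes (assumed to be how Snort
    loads it), and report rules using a $variable or classtype not yet defined."""
    variables, classtypes, problems = set(), set(), []

    def walk(name, text):
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            word = line.split(None, 1)[0] if line else ""
            if word == "var":
                variables.add(line.split()[1])
            elif word == "include":
                walk(line.split()[1], files.get(line.split()[1], ""))
            elif line.startswith("config classification:"):
                classtypes.add(line.split(":", 1)[1].split(",")[0].strip())
            elif word in RULE_ACTIONS:
                problems.extend((name, lineno, f"undefined variable ${v}")
                                for v in re.findall(r"\$(\w+)", line.split("(", 1)[0])
                                if v not in variables)
                m = re.search(r"classtype:\s*([\w-]+)\s*;", line)
                if m and m.group(1) not in classtypes:
                    problems.append((name, lineno, f"classtype {m.group(1)} not defined yet"))

    walk("snort.conf", conf_text)
    return problems
```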


All times are GMT -5.