snort rules error

Discussion in 'HOWTO-Related Questions' started by dimgr, Jan 21, 2008.

  1. dimgr

    dimgr New Member

    Hi

    there is a how to here for setting up snort and base . I did follow it step by step but i get this error :

    Initializing rule chains...
    ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
    Fatal Error, Quitting..


    i did comment out the relevant lines per the how to but still no luck. Anyone care to help?
    thanks
     
  2. dimgr

    dimgr New Member

    i'm sure someone has the answer;) can you help?
     
  3. dimgr

    dimgr New Member

    i can't figure out this error . Can someone help please
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in your /etc/snort/rules/web-misc.rules?
     
  5. dimgr

    dimgr New Member

    hi

    a whole bunch of stuff... i cant paste here , its huge
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What's in line 97?
     
  7. dimgr

    dimgr New Member

    line 97



    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
     
  8. wpwood3

    wpwood3 New Member

    snort.conf

    Look first at /etc/snort/snort.conf
    The most important value is HOME_NET. Everything is based on that. Here's what I have in mine:
    Code:
    var HOME_NET [10.0.0.1,10.0.0.2]
    What do you have for these values?
    Code:
     
    var EXTERNAL_NET
    var HTTP_SERVERS
    portvar HTTP_PORTS
    
    This is what I have in mine:
    Code:
     
    var EXTERNAL_NET !$HOME_NET
    var HTTP_SERVERS $HOME_NET
    portvar HTTP_PORTS [80,81]
    
     
    Last edited: Jan 23, 2008
  9. dimgr

    dimgr New Member

    Hi

    we have identical values expect the IPs .. i did some changed but i still get the same error
     
  10. wpwood3

    wpwood3 New Member

    Are you using Snort 2.7.0 ?
    I did some searching and it seems that ver-2.7.0 had that problem. You might try commenting out all the lines in web-misc.rules that cause the problem. Read this:

    http://www.snort.org/archive-1-4660.html

    I use Snort 2.8.0.1-1 and it does not have the problem.

    I see some changelog notes about this:
    * Change signatures 1443 and 1444 since there was an error in their
    definition ( Cannot use 'rawbytes' and 'http_uri' as modifiers for the
    same "content" nor use 'rawbytes' with "uricontent". )
     
  11. dimgr

    dimgr New Member

    thanks it seems to be working now


    it just idles now at Not Using PCAP_FRAMES
    is it ok?
     
  12. wpwood3

    wpwood3 New Member

    That message is normal.

    Are you running Snort in daemon mode? If not, it will just hang in your terminal until you ctrl-c to stop it. Be sure to run it in daemon mode unless you are debugging.
     

Share This Page