Discussion:
[Snort-users] getservbyname() failed on "any" when pushing snort conf
martin
2006-05-19 15:34:43 UTC
This is strange but the problem reappeared. I removed all instances of
"any" in the variables. Now I am getting the following:

ERROR: Warning: /etc/snort/snort.eth1.conf(1077) => Unknown keyword
(msg' in rule
Fatal Error, Quitting.

I fixed the rule (seems like it was a bad rule from bleeding snort).
That went away but now I get

ERROR: /etc/snort/snort.eth1.conf(1148) => getservbyname() failed on "any"

Fatal Error, Quitting.

That line is
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 ( sid: 2001430
rev: 8; msg: "BLEEDING-EDGE WORM Bofra Victim Accessing Reacto
Page"; flow: from_client,established; content: "GET "; nocase
content: "reactor"; nocase; reference
url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e
@mm.html
classtype: trojan-activity; priority: 1;

I am thinking that it could be due to my older snort version, which is
Version 2.1.1 (Build 24).
Could it be bleeding snort rules would not work on that one?

Any help on this would be much appreciated.

martin
2006-05-19 21:37:36 UTC
I upgraded to latest snort. And I got it to run. However, I am using
bleedingsnort signatures and I was getting loads of errors until I
cleaned them up. This is just a sampling (Are so many errors common
with bleedingsnort sigs?)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( sid: 1729; rev
3; msg: "CHAT IRC channel join"; flow: to_server,established; content
"JOIN \: \#"; offset: 0; nocase; classtype: policy-violation
priority: 1;

ERROR: /etc/snort/snort.eth1.conf(212) => bad escape sequence starting
with "\#". Fatal Error, Quitting.

alert tcp [132.232.0.0/16,134.33.0.0/16,138.105.0.0/16,138.252.0.0/16,143.4
9.0.0/16,146.100.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.
0/16,160.116.0.0/16,163.125.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/
16,192.160.44.0/24,192.67.16.0/24,193.1
any -> $HOME_NET any ( sid: 2400000; rev: 20; msg: "BLEEDING-EDGE DRO
Spamhaus DROP Listed Traffic Inbound"; flow: established; reference
url,www.spamhaus.org/drop/drop.lasso; priority: 3; threshold: typ
limit, track by_src, seconds 3600, count 1;

ERROR: /etc/snort/snort.eth1.conf(173) => Unterminated IP List

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( sid: 2002866
rev: 1; flow: established,to_server; pcre: "/\d/\d+.jpg/Ui"; content
"Host\: www.winpcap.org"; nocase; content: "User-Agent\: NSISDL"
nocase; uricontent: "/install/banner/"; nocase; reference
url,www.winpcap.org; classtype: policy-violation; priority: 1; (msg
"BLEEDING-EDGE POLICY Winpcap Installation in Progress";

ERROR: Warning: /etc/snort/snort.eth1.conf(1063) => Unknown keyword
(msg' in rule

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any ( sid: 2001959
rev: 5; msg: "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow
established,from_server; content: "|63 6f 6d 66 69 64 65 6e 74 69 6
6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 2
44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference
url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
classtype: trojan-activity; priority: 1;

ERROR: /etc/snort/snort.eth1.conf(1140) => getservbyname() failed on "any"
Post by martin
This is strange but the problem reappeared. I removed all instances of
"any" in the variables. Now I am getting the following:
ERROR: Warning: /etc/snort/snort.eth1.conf(1077) => Unknown keyword
(msg' in rule
Fatal Error, Quitting.
I fixed the rule (seems like it was a bad rule from bleeding snort).
That went away but now I get
ERROR: /etc/snort/snort.eth1.conf(1148) => getservbyname() failed on "any"
Fatal Error, Quitting.
That line is
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 ( sid: 2001430
rev: 8; msg: "BLEEDING-EDGE WORM Bofra Victim Accessing Reacto
Page"; flow: from_client,established; content: "GET "; nocase
content: "reactor"; nocase; reference
url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra
classtype: trojan-activity; priority: 1;
I am thinking that it could be due to my older snort version, which is
Version 2.1.1 (Build 24).
Could it be bleeding snort rules would not work on that one?
Any help on this would be much appreciated.
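Added example, not part of the original posts and not Snort's own parser: a pre-load check for three of the structural defects reported in this thread (unterminated IP list, a stray "(" before a keyword such as "(msg", and a content escape like "\#"). The rules in SAMPLES are constructed, the SIDs are placeholders, and the accepted escape set is an assumption drawn only from what the thread shows.

```python
import re

# Assumption: escapes accepted inside content strings. The thread only shows
# that "\#" is rejected and "\:" gets past the parser on the poster's build.
ALLOWED_ESCAPES = set('\\";:')

def strip_quoted(text):
    """Blank out double-quoted strings so parentheses inside them are ignored."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', text)

def lint_rule(rule):
    """Return a list of structural problems found in one rule string."""
    problems = []
    rule = " ".join(rule.split())              # undo line wrapping from mail/paste
    header, sep, options = rule.partition("(")
    if header.count("[") != header.count("]"):
        problems.append("unterminated IP list")
    if not sep:
        problems.append("no option block")
        return problems
    bare = strip_quoted(options)
    if not bare.rstrip().endswith(")"):
        problems.append("option block not closed")
    if "(" in bare:
        problems.append("stray '(' before keyword")
    # \b keeps this from matching uricontent; only content values are checked
    for value in re.findall(r'\bcontent\s*:\s*"((?:\\.|[^"\\])*)"', options):
        for esc in re.findall(r'\\(.)', value):
            if esc not in ALLOWED_ESCAPES:
                problems.append("bad escape \\" + esc)
    return problems

# Constructed rules that mirror the defects in the thread (placeholder SIDs).
SAMPLES = {
    "good": r'alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 '
            r'( sid: 1000001; rev: 1; msg: "constructed"; content: "JOIN \: "; )',
    "escape": r'alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 '
              r'( sid: 1000002; rev: 1; msg: "constructed"; content: "JOIN \: \#"; )',
    "iplist": 'alert tcp [192.0.2.0/24,198.51.100.0/24 any -> $HOME_NET any '
              '( sid: 1000003; rev: 1; msg: "constructed"; )',
    "paren": 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
             '( sid: 1000004; rev: 1; content: "abc"; (msg: "constructed"; )',
}

if __name__ == "__main__":
    for name, rule in SAMPLES.items():
        print(name, lint_rule(rule))
```

Running each downloaded rule through a check like this before adding it to snort.conf turns a fatal startup error into a report that names the offending rule.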
