Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Lloyd Keen on June 15, 2003, 03:26:43 PM
-
I'm getting the following errors in my log files.
Warning: /etc/snort/.//rpc.rules(16) => Unknown keyword 'byte_jump' in rule! A search seems to indicate that the rules being downloaded aren't compatible with snort 1.9 and that I need to upgrade to v2.0. Is anybody getting the same errors?
-
Im getting the same errors.
I tried upgrading to 2.0 without a rpm,
But didnt succeed.
I hope someone writes a e-smith compatible rpm for 2.0.
Dirk Jullens
-
I just installed snort with ACID via the howto here:
http://marari.net/downloads/snort/acid-howto.htm
And it works fine other than my messages file filling up with the same lines as stated by Lloyd and Dirk, is everyone using snort get these error's?
snort-mysql: Warning: /etc/snort/.//rpc.rules(16) => Unknown keyword 'byte_jump' in rule!
last message repeated 3 times
snort-mysql: Warning: /etc/snort/.//rpc.rules(16) => Unknown keyword 'byte_test' in rule!
snort-mysql: Warning: /etc/snort/.//netbios.rules(23) => Unknown keyword 'byte_test' in rule!
snort-mysql: Warning: /etc/snort/.//netbios.rules(23) => Unknown keyword 'byte_jump' in rule!
snort-mysql: Warning: /etc/snort/.//misc.rules(42) => Unknown keyword 'byte_test' in rule!
snort-mysql: Warning: /etc/snort/.//attack-responses.rules(20) => Unknown keyword 'byte_test' in rule!
snort-mysql: Warning: /etc/snort/.//imap.rules(8) => Unknown keyword 'byte_test' in rule!
snort-mysql: Warning: /etc/snort/.//pop3.rules(8) => Unknown keyword 'byte_test' in rule!
I have hundreds of these lines in my messages files :-(
Ari, are you going to update your howto to use snort v2?
Has anyone else found a solution to this problem?
Cyrus Bharda
-
Thanks for bringing this to my attention, Cyrus. I hadn't even noticed my system was doing this, too.
Which snort rpm's are you guys using?
I was running snort-1.9.0-1. I just upgraded the snort rpm's to 1.9.1-1 and restarted the snortd service... all seems to be well.
Get the snort-1.9.1-1snort.i386.rpm and snort-mysql-1.9.1-1snort.i386.rpm with wget from http://www.snort.org/dl/do_not_use/binaries/1.9.1/linux/
Then "rpm -Uvh snort-*.rpm", then "service snortd restart" and check your log file (tail /var/log/messages).
Last big of my log file looks like this:
Jun 24 17:02:51 LC-Server snort-mysql: Ports to decode telnet on: 21 23 25 119
Jun 24 17:02:51 LC-Server snort-mysql: Conversation Config:
Jun 24 17:02:51 LC-Server snort-mysql: KeepStats: 0
Jun 24 17:02:51 LC-Server snort-mysql: Conv Count: 32000
Jun 24 17:02:51 LC-Server snort-mysql: Timeout : 60
Jun 24 17:02:51 LC-Server snort-mysql: Alert Odd?: 0
Jun 24 17:02:51 LC-Server snort-mysql: Allowed IP Protocols:
Jun 24 17:02:51 LC-Server snort-mysql: All
Jun 24 17:02:51 LC-Server snort-mysql:
Jun 24 17:02:52 LC-Server snort-mysql: Snort initialization completed successfully, Snort running
Looks like the current (2.0) rpms haven't been created yet, at least this directory seems to be empty. http://www.snort.org/dl/binaries/linux/
Let me know if there are any questions.
-
Thanks Abe, I'll give that a go. (I was using 1.9.0)
-
Abe,
Thanks for that, do you have a contact email for Ari, so he can update the Howto?
Thanks again!!
Cyrus Bharda
-
Abe,
Bad news, the messages stopped, but they are back now, is it safe to just update to v2 rpm's when they get realeased?
Cyrus Bharda
-
Hey Guys,
Just curious if any of you know what the status is with running Snort V2, and if there are changes to the documentation and procedures? I went to Ari's web site but don't know how to contact him.
The Snort site says 'do not use' the old 1.9 versions, but will they work still and if so are they accurate, etc.
Thanks,
Drew
-
any word on rpm's for 2.0 im getting tied of all this stuff, in my log files
-
Well, I've been waiting for something to appear here:
http://www.snort.org/dl/binaries/linux/
But, it's still empty. I guess somebody needs to setup a RH 7.3 box and get it compiled and turn it into an rpm that we can use on SME.
I'll try to work on it a little, but I've got a couple other projects on my plate right now. Anyone else interested?
-
I just noticed that the latest snort rpms were posted yesterday (Sep. 24, 2003).
Somebody needs to do some testing.
Get snort-mysql and snort from here:
http://www.snort.org/dl/binaries/linux/
And, sme-acid and guardian from here:
http://marari.net/downloads/snort/acid-howto.htm
Again... try this on a test server first. I have no idea if it'll work. :)
-
Anyone tested them yet?
I do not have a test box, and want to go the gung ho approach and test them on my production 5.6 server :->. Just wondering if anyone else has already done it for me?
Cyrus Bharda
-
I've heard from 2 people, both are experiencing good results. I still haven't had a chance to get the text box out yet, myself.
If you're upgrading from the previous version, the only thing is that you'll want to remove the snort-mysql and snort rpm's, then manually delete the database... either through phpmyadmin, or however you normally interact with your mysql server.
If you just do a straight upgrade of the rpms, I'm told it complains about the database already existing.
-
Abe,
Hmmm well uninstalled old snort and installed 2.0 and this is what appears in my messages log:
Oct 15 15:08:42 Tyr snort-mysql: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
Oct 15 15:08:42 Tyr snort-mysql: Initializing daemon mode
Oct 15 15:08:42 Tyr snort-mysql: PID path stat checked out ok, PID path set to /var/run/
Oct 15 15:08:42 Tyr snort-mysql: Writing PID "15244" to file "/var/run//snort_eth1.pid"
Oct 15 15:08:42 Tyr snort-mysql: http_decode arguments:
Oct 15 15:08:42 Tyr snort-mysql: Unicode decoding
Oct 15 15:08:42 Tyr snort-mysql: IIS alternate Unicode decoding
Oct 15 15:08:42 Tyr snort-mysql: IIS double encoding vuln
Oct 15 15:08:42 Tyr snort-mysql: Flip backslash to slash
Oct 15 15:08:42 Tyr snort-mysql: Include additional whitespace separators
Oct 15 15:08:42 Tyr snort-mysql: Ports to decode http on: 80
Oct 15 15:08:42 Tyr snort-mysql: rpc_decode arguments:
Oct 15 15:08:42 Tyr snortd: snort-mysql startup succeeded
Oct 15 15:08:42 Tyr snort-mysql: Ports to decode RPC on: 111 32771
Oct 15 15:08:42 Tyr snort-mysql: alert_fragments: INACTIVE
Oct 15 15:08:42 Tyr snort-mysql: alert_large_fragments: ACTIVE
Oct 15 15:08:42 Tyr snort-mysql: alert_incomplete: ACTIVE
Oct 15 15:08:42 Tyr snort-mysql: alert_multiple_requests: ACTIVE
Oct 15 15:08:42 Tyr snort-mysql: telnet_decode arguments:
Oct 15 15:08:42 Tyr snort-mysql: Ports to decode telnet on: 21 23 25 119
Oct 15 15:08:42 Tyr snort-mysql: FATAL ERROR: unknown preprocessor "asn1_decode"
Got any clues?
Cyrus Bharda
-
I have it working on 5.6, but there are some configuration changes to make.
I started by uninstalling everything from the old version. I then installed snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm. I then made a copy of snort.conf and then installed sme-acid-2.0.0-1ari.noarch.rpm
I replaced the snort.conf that sme-acid installed with the copy that I made. I then went through the snort.conf and changed what needed to be changed. I copied the var HOME_NET, var EXTERNAL_NET and output database: lines from the template fragment in /etc/e-smith/templates/etc/snort/snort.conf. I had to add dbname=snort_log between mysql, and user. Snort also adds a file, /etc/sysconfig/snort that needs to be modified to fit your system. I then deleted /etc/e-smith/templates/etc/snort so my snort.conf doesn't get overwritten before I have time to create new templates.
I got it to work on mine, but no guarantees... :)
-
I followed your explanation and it worked, but had to re installed and can't have it working anymore. Everytime I start snortd it tells me snort-mysql is stopped... any idea what I could have forgotten..
Thanks for your help
Jean-François