
[Snort-users] FATAL ERROR - FATAL ERROR: Unknown rule option: 'disable'.


Matthew White

May 25, 2016, 9:01:13 PM
After modifying my pulledpork.conf file I now get the following.

FATAL ERROR: /etc/snort/rules/snort.rules(9844) Unknown rule option: 'disable'.

Not seeing this in forums. Any ideas?

Matthew White

May 25, 2016, 9:24:19 PM
Found it. Pulled Pork wrote a couple rules Snort didn't like. Just commented them out.

Joel Esler (jesler)

May 25, 2016, 9:24:21 PM
What does line 9844 of the snort.rules file say?

"vi +9844 snort.rules"

will take you right to it.

--
Joel Esler
Manager, Talos Group
On May 25, 2016, at 8:59 PM, Matthew White <on3...@gmail.com> wrote:

After modifying my pulledpork.conf file I now get the following.

FATAL ERROR: /etc/snort/rules/snort.rules(9844) Unknown rule option: 'disable'.

Not seeing this in forums. Any ideas?

Matthew White

May 26, 2016, 10:46:23 AM
FYI rules from pulledpork breaking snort. Commented them out.

9844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; h        ttp_header; disable:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:ba        d-unknown; sid:2011581; rev:9;)

10007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_he        ader; content:!"99"; within:2; http_header; disable:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javateste        r.org/version.html; reference:url,java.com/en/download/manual_java7.jsp; classtype:bad-unknown; sid:2014297; rev:41;)

Shirkdog

May 26, 2016, 10:57:27 AM
Is this the output from your snort.rules? There are extra spaces in those rules that should not be there, and disable: is not a valid rule option. Are you trying to disable/modify these signatures with pulledpork?

James Lay

May 26, 2016, 11:07:39 AM
So this looks like the numbers 9844 and 10007 have been prepended to the
rule, which will blow up. Matthew, if you're wanting to not use these
rules with pulled pork, your disablesid.conf should look like this:

1:2011581,1:2014297

If you have anything besides "alert", "block" or "#" at the start of any
snort rules in your snort.rules files, snort will most likely not start.

James

On 2016-05-26 08:55, Shirkdog wrote:
> Is this the output from your snort.rules? There are extra spaces in
> those rules that should not be there, and disable: is not a valid rule
> option. Are you trying to disable/modify these signatures with
> pulledpork?
>
> On May 26, 2016 10:46 AM, "Matthew White" <on3...@gmail.com> wrote:
>
>> FYI rules from pulledpork breaking snort. Commented them out.
>>
>> 9844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> POLICY Vulnerable Java Version 1.5.x Detected";
>> flow:established,to_server; content:" Java/1.5."; nocase; h
>> ttp_header; disable:set,ET.http.javaclient.vulnerable; threshold:
>> type limit, count 2, seconds 300, track by_src;
>> reference:url,javatester.org/version.html; classtype:ba
>> d-unknown; sid:2011581; rev:9;)
>>
>> 10007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> POLICY Vulnerable Java Version 1.7.x Detected";
>> flow:established,to_server; content:" Java/1.7.0_"; http_he
>> ader; content:!"99"; within:2; http_header;
>> disable:set,ET.http.javaclient.vulnerable; threshold: type limit,
>> count 2, seconds 300, track by_src; reference:url,javateste
>> r.org/version.html;
>> reference:url,java.com/en/download/manual_java7.jsp;
>> classtype:bad-unknown; sid:2014297; rev:41;)
>>
>> On Wed, May 25, 2016 at 8:23 PM, Joel Esler (jesler)
>> <jes...@cisco.com> wrote:
>>
>> What does line 9844 of the snort.rules file say?
>>
>> "vi +9844 snort.rules"
>>
>> will take you right to it.
>>
>> --
>> JOEL ESLER
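A small lint pass over an exported snort.rules, added here as an example and not code from the thread or from pulledpork, that flags the three things the replies point at: a line number prepended to the rule, whitespace wrapped into an option, and an option name Snort does not know, such as disable. It also builds the disablesid.conf entry James describes for every rule that fails; KNOWN_OPTIONS is an assumed subset of Snort's option grammar, and the clean rule in SAMPLE is constructed.

```python
import re

# Actions Snort accepts at the start of a rule line; the thread names "alert", "block" and "#".
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "block"}
# Assumed subset of Snort 2 rule options: enough for the rules in this thread, not the full grammar.
KNOWN_OPTIONS = {"msg", "flow", "content", "nocase", "http_header", "within", "distance", "threshold",
                 "reference", "classtype", "sid", "rev", "flowbits", "pcre", "metadata", "depth", "offset"}
LINENUM = re.compile(r"^(\d+)\s+")
# Split the option block on ';' only when an even number of '"' follows, i.e. outside quoted strings.
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def lint_rule(line):
    """Return the problems found in one snort.rules line (empty list means clean)."""
    problems, rule = [], line.strip()
    if not rule or rule.startswith("#"):
        return problems
    if m := LINENUM.match(rule):  # e.g. "9844 alert tcp ..." pasted from a numbered listing
        problems.append(f"line number {m.group(1)} prepended to rule")
        rule = rule[m.end():]
    action = rule.split(None, 1)[0]
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return problems + ["missing option block"]
    for opt in filter(None, (o.strip() for o in OPT_SPLIT.split(rule[start + 1:end]))):
        name = opt.split(":", 1)[0].strip()
        if re.search(r"\s{2,}", opt):  # the "h        ttp_header" style wrap damage
            problems.append(f"stray whitespace inside option '{name}'")
        if name not in KNOWN_OPTIONS:
            problems.append(f"unknown rule option '{name}'")
    return problems

def disablesid_line(rules):
    """pulledpork disablesid.conf entry (gid:sid, comma separated) for every rule that fails lint."""
    sids = [re.search(r"sid:\s*(\d+)", r).group(1) for r in rules if lint_rule(r)]
    return ",".join(f"1:{sid}" for sid in sids)

# Constructed sample: the first line Matthew posted (wrap damage included) plus one clean rule.
SAMPLE = [
    '9844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java '
    'Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; '
    'h        ttp_header; disable:set,ET.http.javaclient.vulnerable; threshold: type limit, '
    'count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; '
    'classtype:ba        d-unknown; sid:2011581; rev:9;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"clean rule"; flow:established,to_server; '
    'content:"Java/1.8"; http_header; classtype:bad-unknown; sid:1000001; rev:1;)',
]
```

Running lint_rule over each line of the exported file before starting Snort turns the one-at-a-time FATAL ERROR into a full list of offending sids in a single pass.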
