
[Snort-users] snort.conf issues


eric

Dec 24, 2012, 10:49:13 PM
I am having a problem when testing my snort configuration file. I have Snort set up on a Vista (32-bit) system following the install guide. I have set all the variables correctly as far as network and path to rules and so on. When I run the test command (snort -d -l C:\snort\log -c C:\Snort\etc\snort.conf -i 3 -T) it seems to do well until after checking the blacklist.rules file. After which I get the following lines in my terminal:
 
(464) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; content:".sys.php?getexe="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1;)
      (466) => Invalid IP Address: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; content:"/VertexNet/adduser.php?uid=|7B|"; nocase; http_uri; content:"cmpname="; nocase; http_uri; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1;)
      Additional address is invalid but not printed.
    Reputation entries loaded: 0, invalid: 92, re-defined: 0  (from file C:\Snort\rules\rules\blacklist.rules)
ERROR:  c:\snort\etc\snort.conf(533) => Invalid argument: include
Fatal Error, Quitting..
Could not set the event message file.
 
I have included the last two entries the test displayed plus the error message. If anyone can give me an idea of what is going on it would be greatly appreciated.
 

Thank you,
Eric T.

waldo kitty

Dec 25, 2012, 3:18:09 PM
On 12/24/2012 22:49, eric wrote:
> I am having a problem when testing my snort configuration file. I have Snort set
> up on a Vista(32bit) system following the install guide. I have set all the
> variables correctly as far as network and path to rules and so on. When I run
> the test command (snort -d -l C:\snort\log -c C:\Snort\etc\snort.conf -i 3 -T )
> it seems to do well until after checking the blacklist.rules file. After which
> I get the following lines in my terminal:

what do you have HOME_NET and EXTERNAL_NET set to??

> ERROR: c:\snort\etc\snort.conf(533) => Invalid argument: include

this would seem to indicate an include line with no file name specified to be
included...


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
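The two symptoms in this thread can be caught before running snort -T: the reputation preprocessor counted every entry of the file it was given (blacklist.rules) as an invalid IP address, and the include at snort.conf line 533 has no file name behind it. The pre-flight lint below is an added example written for this thread, not part of Snort or the original posts; the snort.conf fragment and the list file it checks are constructed samples, and the line numbers it reports are those of the samples.

```python
"""Pre-flight lint for two snort.conf failures (added example, not part of Snort):
an 'include' with no file name, and a reputation list that holds rule text."""
import ipaddress

# Constructed snort.conf fragment; line 6 is the bad include.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET $HOME_NET
preprocessor reputation: \\
    blacklist $RULE_PATH/blacklist.rules
include $RULE_PATH/local.rules
include
"""

# Constructed reputation list: one valid CIDR, then a Snort rule that does not belong here.
SAMPLE_BLACKLIST = """\
# comment lines and blanks are ignored
10.0.0.0/8
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI"; sid:19625; rev:1;)
"""

def strip_comment(line):
    return line.split("#", 1)[0].strip()  # drop '# ...' comments and whitespace

def find_empty_includes(conf_text):
    """Return 1-based line numbers of 'include' directives with no file name."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if strip_comment(line) == "include"]

def check_reputation_entries(list_text):
    """Return (loaded, invalid_line_numbers): every non-comment line must parse
    as an IP or CIDR, which is what the reputation preprocessor expects."""
    loaded, invalid = 0, []
    for n, line in enumerate(list_text.splitlines(), 1):
        entry = strip_comment(line)
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)  # accepts 10.1.2.3 or 10.0.0.0/8
            loaded += 1
        except ValueError:
            invalid.append(n)  # rule text, variables like $HOME_NET, typos
    return loaded, invalid

if __name__ == "__main__":
    for n in find_empty_includes(SAMPLE_CONF):
        print(f"snort.conf({n}) => include has no file name")
    loaded, bad = check_reputation_entries(SAMPLE_BLACKLIST)
    print(f"Reputation entries loaded: {loaded}, invalid: {len(bad)} (lines {bad})")
```

Point the two functions at the real snort.conf and at the file named on the preprocessor reputation blacklist line; a file whose entries all come back invalid is a rules file, not an IP list.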

eric

Dec 25, 2012, 4:17:45 PM
Thanks for the reply. I currently have HOME_NET set to 192.168.1.0/24 and my EXTERNAL_NET is set to $HOME_NET.
I have also tried setting home net to .2.0/24 as I am the admin for two home networks. One is a Belkin and the other a Netgear. My test of the configuration file has shown a few issues that I was able to overcome with my own knowledge and simply reading the configuration file instructions. I have also looked over all the readme files and have seen nothing pertaining to my issue. This has me stumped. I have read many how-to's and such and found that for a basic install without the need for logging to a database, all I needed was pcap and snort. Thank you for your help.

eric

Dec 26, 2012, 1:46:22 PM