Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Re: getservbyname() failed on "any" when pushing snort con

from [martin] Network Security [Permanent Link]
Subject: [Snort-users] Re: getservbyname() failed on "any" when pushing snort conf
Date: Fri, 19 May 2006 17:37:36 -0400 
I upgraded to latest snort. And I got it to run. However, I am using
bleedingsnort signatures and I was getting loads of errors until I
cleaned them up. This is just a sampling (Are so many errors common
with bleedingsnort sigs?):

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( sid: 1729; rev:
3; msg: "CHAT IRC channel join"; flow: to_server,established; content:
"JOIN \: \#"; offset: 0; nocase; classtype: policy-violation;
priority: 1;)

ERROR: /etc/snort/snort.eth1.conf(212) => bad escape sequence starting
with "\#". Fatal Error, Quitting..


alert tcp 
[132.232.0.0/16,134.33.0.0/16,138.105.0.0/16,138.252.0.0/16,143.49.0.0/16,146.100.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.0/16,160.116.0.0/16,163.125.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/16,192.160.44.0/24,192.67.16.0/24,193.11
any -> $HOME_NET any ( sid: 2400000; rev: 20; msg: "BLEEDING-EDGE DROP
Spamhaus DROP Listed Traffic Inbound"; flow: established; reference:
url,www.spamhaus.org/drop/drop.lasso; priority: 3;  threshold:  type
limit, track by_src, seconds 3600, count 1;)

ERROR: /etc/snort/snort.eth1.conf(173) => Unterminated IP List


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( sid: 2002866;
rev: 1; flow: established,to_server; pcre: "/\d/\d+.jpg/Ui"; content:
"Host\: www.winpcap.org"; nocase; content: "User-Agent\: NSISDL";
nocase; uricontent: "/install/banner/"; nocase; reference:
url,www.winpcap.org; classtype:  policy-violation; priority: 1;  (msg:
"BLEEDING-EDGE POLICY Winpcap Installation in Progress";)

ERROR: Warning: /etc/snort/snort.eth1.conf(1063) => Unknown keyword '
(msg' in rule!

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any ( sid: 2001959;
rev: 5; msg:  "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow:
established,from_server; content: "|63 6f 6d 66 69 64 65 6e 74 69 61
6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20
44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:
url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
classtype:  trojan-activity; priority: 1;)

ERROR: /etc/snort/snort.eth1.conf(1140) => getservbyname() failed on "any"




On 5/19/06, martin <martin3@gmail.com> wrote: 
This is strange but the problem reappeared. I removed all instances of
"any" in the variables. Now I am getting the following:

ERROR: Warning: /etc/snort/snort.eth1.conf(1077) => Unknown keyword '
(msg' in rule!
Fatal Error, Quitting..

I fixed the rule (seems like it was a bad rule from bleeding snort).
THat went away but now I get:

ERROR: /etc/snort/snort.eth1.conf(1148) => getservbyname() failed on "any"
Fatal Error, Quitting..

That line is:
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 ( sid: 2001430;
rev: 8; msg:  "BLEEDING-EDGE WORM Bofra Victim Accessing Reactor
Page"; flow:  from_client,established; content: "GET "; nocase;
content: "reactor"; nocase; reference:
url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
reference: 
url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html;
classtype:  trojan-activity; priority: 1;)

I am thinking that it could be due to my older snort version. Which is
Version 2.1.1 (Build 24).
Could it be bleeding snort rules would not work on that one?

Any help on this would be much appreciated.



-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] getservbyname() failed on "any" when pushing snort conf, martin
Next by Date:  [Snort-users] RE: [Snort-devel] portscan events not showing up in base, Eric Lauzon
Previous by Thread:  [Snort-users] getservbyname() failed on "any" when pushing snort conf, martin
Next by Thread:  [Snort-users] RE: [Snort-devel] portscan events not showing up in base, Eric Lauzon
Indexes:  [Date] [Thread] [Top] [All Lists]