Solved

Snort erroring out

Posted on 2009-07-05
6
730 Views
Last Modified: 2013-11-29
Getting an error trying to run snort in IDS mode.


Initializing rule chains...
ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!
Fatal Error, Quitting..
bsd#

Any ides?  I just downloaded rules from 5/29/09
0
Comment
Question by:WERAracer
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780296
Hi,

got to that web-misc.rules and edit out line 533 with a  # at the beginning of line 533

please copy the entire string and post here

Jfer
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780338
what is the easiest way to identify line 533?

Thank you
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780398
here is the line

   533 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; uricontent:"/OVCgi/Toolbar.exe"; nocase; content:"Cookie"; nocase; http_header; content:"OvOSLocale"; distance:1; http_header; pcre:"/^\s*Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:1;)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780544
Hi

remove the all the "http_header" from that line of code

http://archives.neohapsis.com/archives/snort/2009-03/0030.html

If that fails,comment out the line

there is a solution from an older post,

http://www.experts-exchange.com/Security/Misc/Q_24481471.html

it mentions to use "build from ports", but i do not understand what that means

Also, make sure to have latest stable release

Jfer

Jfer

0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 500 total points
ID: 24780547
Finally,

snort has a new rule set

http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz from 1/Jul/09

Perhaps this may be more useful
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780639
thanks. I was having issues with netbios.rules too. I commented out that stuff and now it works. Why are these rules buggy


Thanks
0

Featured Post

New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now