[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Snort erroring out

Posted on 2009-07-05
6
Medium Priority
?
736 Views
Last Modified: 2013-11-29
Getting an error trying to run snort in IDS mode.


Initializing rule chains...
ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!
Fatal Error, Quitting..
bsd#

Any ides?  I just downloaded rules from 5/29/09
0
Comment
Question by:WERAracer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780296
Hi,

got to that web-misc.rules and edit out line 533 with a  # at the beginning of line 533

please copy the entire string and post here

Jfer
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780338
what is the easiest way to identify line 533?

Thank you
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780398
here is the line

   533 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; uricontent:"/OVCgi/Toolbar.exe"; nocase; content:"Cookie"; nocase; http_header; content:"OvOSLocale"; distance:1; http_header; pcre:"/^\s*Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:1;)
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780544
Hi

remove the all the "http_header" from that line of code

http://archives.neohapsis.com/archives/snort/2009-03/0030.html

If that fails,comment out the line

there is a solution from an older post,

http://www.experts-exchange.com/Security/Misc/Q_24481471.html

it mentions to use "build from ports", but i do not understand what that means

Also, make sure to have latest stable release

Jfer

Jfer

0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 2000 total points
ID: 24780547
Finally,

snort has a new rule set

http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz from 1/Jul/09

Perhaps this may be more useful
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780639
thanks. I was having issues with netbios.rules too. I commented out that stuff and now it works. Why are these rules buggy


Thanks
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question