Solved

Snort erroring out

Posted on 2009-07-05
Last Modified: 2013-11-29
Getting an error trying to run snort in IDS mode.


Initializing rule chains...
ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!
Fatal Error, Quitting..
bsd#

Any ideas?  I just downloaded rules from 5/29/09
Question by:WERAracer
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780296
Hi,

go to that web-misc.rules and edit out line 533 with a # at the beginning of line 533

please copy the entire string and post here

Jfer
 
LVL 1

Author Comment

by:WERAracer
ID: 24780338
what is the easiest way to identify line 533?

Thank you
 
LVL 1

Author Comment

by:WERAracer
ID: 24780398
here is the line

   533 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; uricontent:"/OVCgi/Toolbar.exe"; nocase; content:"Cookie"; nocase; http_header; content:"OvOSLocale"; distance:1; http_header; pcre:"/^\s*Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:1;)

 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780544
Hi

remove all the "http_header" from that line of code

http://archives.neohapsis.com/archives/snort/2009-03/0030.html

If that fails, comment out the line

there is a solution from an older post,

http://www.experts-exchange.com/Security/Misc/Q_24481471.html

it mentions to use "build from ports", but I do not understand what that means

Also, make sure to have latest stable release

Jfer

 
LVL 9

Accepted Solution

by:
jfer0x01 earned 500 total points
ID: 24780547
Finally,

snort has a new rule set

http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz from 1/Jul/09

Perhaps this may be more useful
 
LVL 1

Author Comment

by:WERAracer
ID: 24780639
thanks. I was having issues with netbios.rules too. I commented out that stuff and now it works. Why are these rules buggy?


Thanks
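
The steps discussed in this thread (find the line named in the Snort error, look at it, then comment it out), as an added shell example that is not from any of the posters. The function names and the BASE directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Error shape, as posted in the question:
#   ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!

# Print "<file> <line>" parsed from a Snort rule-parse error; fail if no match.
parse_snort_error() {
    printf '%s\n' "$1" |
        sed -n 's/^ERROR: .*[[:space:]]\([^[:space:]]*\)(\([0-9][0-9]*\)) => .*/\1 \2/p' |
        grep .
}

# Print line N of FILE with its number (answers "which one is line 533?").
show_line() {
    awk -v n="$2" 'NR == n { printf "%d: %s\n", NR, $0 }' "$1"
}

# Comment out line N of FILE, keeping the original as FILE.bak.
# Does nothing (and leaves FILE.bak alone) if the line is already a comment.
comment_out_line() {
    file=$1 n=$2
    total=$(awk 'END { print NR }' "$file") || return 1
    if [ "$n" -lt 1 ] || [ "$n" -gt "$total" ]; then
        echo "line $n is outside $file ($total lines)" >&2
        return 1
    fi
    if awk -v n="$n" 'NR == n && /^[ \t]*#/ { c = 1 } END { exit !c }' "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1
    awk -v n="$n" 'NR == n { print "# " $0; next } { print }' "$file.bak" > "$file"
}

# Parse the error, show the offending rule, then disable it.
# BASE (assumed: the directory Snort was started from) resolves relative paths.
disable_rule_from_error() {
    loc=$(parse_snort_error "$1") || { echo "not a rule-parse error" >&2; return 1; }
    path=${loc% *} line=${loc##* }
    case $path in /*) ;; *) path=${2:-.}/$path ;; esac
    show_line "$path" "$line"
    comment_out_line "$path" "$line"
}

# Direct use: sh disable_rule.sh 'ERROR: Warning: ...' /path/to/BASE
if [ "$#" -gt 0 ]; then
    disable_rule_from_error "$@"
fi
```

Commenting a rule out clears the parse error but also drops that signature's coverage (sid 15434 in the line posted above), so updating Snort or the rule set, as suggested in the thread, is the longer-term fix.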