Solved

Snort erroring out

Posted on 2009-07-05
6
732 Views
Last Modified: 2013-11-29
Getting an error trying to run snort in IDS mode.


Initializing rule chains...
ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!
Fatal Error, Quitting..
bsd#

Any ides?  I just downloaded rules from 5/29/09
0
Comment
Question by:WERAracer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780296
Hi,

got to that web-misc.rules and edit out line 533 with a  # at the beginning of line 533

please copy the entire string and post here

Jfer
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780338
what is the easiest way to identify line 533?

Thank you
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780398
here is the line

   533 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; uricontent:"/OVCgi/Toolbar.exe"; nocase; content:"Cookie"; nocase; http_header; content:"OvOSLocale"; distance:1; http_header; pcre:"/^\s*Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:1;)
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 9

Expert Comment

by:jfer0x01
ID: 24780544
Hi

remove the all the "http_header" from that line of code

http://archives.neohapsis.com/archives/snort/2009-03/0030.html

If that fails,comment out the line

there is a solution from an older post,

http://www.experts-exchange.com/Security/Misc/Q_24481471.html

it mentions to use "build from ports", but i do not understand what that means

Also, make sure to have latest stable release

Jfer

Jfer

0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 500 total points
ID: 24780547
Finally,

snort has a new rule set

http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz from 1/Jul/09

Perhaps this may be more useful
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24780639
thanks. I was having issues with netbios.rules too. I commented out that stuff and now it works. Why are these rules buggy


Thanks
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question