Snort erroring out

Getting an error trying to run snort in IDS mode.


Initializing rule chains...
ERROR: Warning: ./rules/web-misc.rules(533) => Unknown keyword ' http_header' in rule!
Fatal Error, Quitting..
bsd#

Any ideas? I just downloaded rules from 5/29/09
WERAracer Asked:

jfer0x01 Commented:
Hi,

Go to that web-misc.rules and edit out line 533 with a # at the beginning of line 533.

please copy the entire string and post here

Jfer
0
WERAracer (Author) Commented:
what is the easiest way to identify line 533?

Thank you
0
WERAracer (Author) Commented:
here is the line

   533 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; uricontent:"/OVCgi/Toolbar.exe"; nocase; content:"Cookie"; nocase; http_header; content:"OvOSLocale"; distance:1; http_header; pcre:"/^\s*Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:1;)
0
jfer0x01 Commented:
Hi

Remove all the "http_header" from that line of code.

http://archives.neohapsis.com/archives/snort/2009-03/0030.html

If that fails, comment out the line.

there is a solution from an older post,

http://www.experts-exchange.com/Security/Misc/Q_24481471.html

It mentions to use "build from ports", but I do not understand what that means.

Also, make sure to have latest stable release

Jfer

0
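The comment-out fix suggested above can be driven from Snort's own error message. This is an added example, not part of the thread: the function names are hypothetical, and it assumes each rule sits on a single line (as the posted rule does) and that the rules path contains no spaces.

```shell
#!/bin/sh
# parse_snort_error "<error line>" -> prints "<file> <line> <keyword>"
parse_snort_error() {
    printf '%s\n' "$1" | sed -n \
        "s/^ERROR: Warning: \(.*\)(\([0-9][0-9]*\)) => Unknown keyword ' *\([^']*\)' in rule!.*/\1 \2 \3/p"
}

# disable_rule <file> <line>: comment out one rule, keeping a .bak copy
disable_rule() {
    file=$1; line=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Skip rules that are already commented so reruns are harmless.
    if sed -n "${line}p" "$file" | grep -q '^[[:space:]]*#'; then
        return 0
    fi
    # -i.bak is accepted by both BSD and GNU sed
    sed -i.bak "${line}s/^/# /" "$file"
}

# fix_from_error "<error line>": show the offending rule, then disable it
fix_from_error() {
    parsed=$(parse_snort_error "$1")
    [ -n "$parsed" ] || { echo "not an unknown-keyword error" >&2; return 1; }
    set -- $parsed    # file, line, keyword (assumes no spaces in the path)
    echo "$1 line $2 uses unsupported keyword '$3':"
    sed -n "${2}p" "$1"
    disable_rule "$1" "$2"
}

# Constructed demo: a three-rule file whose second rule uses http_header.
demo=$(mktemp -d)
printf '%s\n' \
    'alert tcp any any -> any 80 (msg:"a"; sid:1000001;)' \
    'alert tcp any any -> any 80 (msg:"b"; content:"Cookie"; http_header; sid:1000002;)' \
    'alert tcp any any -> any 80 (msg:"c"; sid:1000003;)' > "$demo/web-misc.rules"
fix_from_error "ERROR: Warning: $demo/web-misc.rules(2) => Unknown keyword ' http_header' in rule!"
```

Snort quits at the first rule it cannot parse, so rerun it after each fix and repeat with the next error line it reports.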
jfer0x01 Commented:
Finally,

snort has a new rule set

http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz from 1/Jul/09

Perhaps this may be more useful
0
WERAracer (Author) Commented:
Thanks. I was having issues with netbios.rules too. I commented out that stuff and now it works. Why are these rules buggy?


Thanks
0