Hi, there is a how-to here for setting up Snort and BASE. I did follow it step by step, but I get this error:

Initializing rule chains... ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent". Fatal Error, Quitting..

I did comment out the relevant lines per the how-to, but still no luck. Anyone care to help? Thanks
Line 97:

Code:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
snort.conf

Look first at /etc/snort/snort.conf. The most important value is HOME_NET. Everything is based on that. Here's what I have in mine:

Code:
var HOME_NET [10.0.0.1,10.0.0.2]

What do you have for these values?

Code:
var EXTERNAL_NET
var HTTP_SERVERS
portvar HTTP_PORTS

This is what I have in mine:

Code:
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,81]
Are you using Snort 2.7.0? I did some searching and it seems that ver-2.7.0 had that problem. You might try commenting out all the lines in web-misc.rules that cause the problem. Read this: http://www.snort.org/archive-1-4660.html

I use Snort 2.8.0.1-1 and it does not have the problem. I see some changelog notes about this:

* Change signatures 1443 and 1444 since there was an error in their definition ( Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent". )
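Added example, not posted by anyone in this thread and not part of Snort or the how-to: a small POSIX shell script that lists, and then comments out with a backup, every rule in a Snort 2.x rules file that combines rawbytes with uricontent or http_uri, which is exactly the combination the error in the first post rejects. It addresses both the original question and the "comment out the lines that cause the problem" advice above. The sample rules file it builds is constructed for the dry run; the sids 9000001 to 9000003 are placeholders, not real signature ids. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find and disable rules in a Snort 2.x
# rules file that mix 'rawbytes' with 'uricontent' or 'http_uri', so Snort
# 2.7.0 no longer aborts at "Initializing rule chains...".

# Print the line numbers of offending rules in the given .rules file.
# Only active rule lines (alert/log/pass/drop/reject/sdrop) are considered,
# so rules already commented out are ignored.
find_rawbytes_uricontent() {
    grep -n -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" \
      | grep -E 'rawbytes' \
      | grep -E 'uricontent|http_uri' \
      | cut -d: -f1
}

# Comment out the offending lines, keeping an untouched copy in "$1.bak".
# Prints the number of rules disabled. Uses awk rather than sed -i so it
# behaves the same on GNU and BSD userlands.
comment_out_offending() {
    f="$1"
    cp "$f" "$f.bak"
    lines=$(find_rawbytes_uricontent "$f" | tr '\n' ' ')
    awk -v nums="$lines" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        (NR in skip) { print "# disabled (rawbytes with uricontent): " $0; next }
        { print }
    ' "$f.bak" > "$f"
    set -- $lines
    echo $#
}

# Constructed sample rules file (NOT the real web-misc.rules) for a dry run.
# Line 3 is the only rule that mixes rawbytes with uricontent.
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/web-misc.rules" <<'EOF'
# constructed sample: three rules, only the second mixes rawbytes with uricontent
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE uricontent only"; flow:to_server,established; uricontent:"/cgi-bin/"; nocase; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE rawbytes with uricontent"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; classtype:attempted-recon; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE rawbytes on plain content"; flow:to_server,established; content:"|00 01|"; rawbytes; classtype:misc-activity; sid:9000003; rev:1;)
EOF
    echo "$d/web-misc.rules"
}

# Usage: sh fix-rawbytes.sh --demo                         (dry run on the sample)
#        sh fix-rawbytes.sh /etc/snort/rules/web-misc.rules (real file, makes a .bak)
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_rules)
    echo "disabled $(comment_out_offending "$f") rule(s) in $f (backup: $f.bak)"
elif [ -n "${1:-}" ]; then
    echo "disabled $(comment_out_offending "$1") rule(s) in $1 (backup: $1.bak)"
fi
```

Run it with --demo first to see it disable only the one bad rule in the constructed file, then point it at the real rules file and re-run snort -T against snort.conf to confirm the rule chains now load. Diff the .bak against the edited file before going live so you know exactly which signatures were switched off.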
That message is normal. Are you running Snort in daemon mode? If not, it will just hang in your terminal until you ctrl-c to stop it. Be sure to run it in daemon mode unless you are debugging.