Snort and Backdoor Rules not working



  • Ruleset was updated yesterday and I noticed Snort wasn't blocking spyware from newegg.com anymore. Looked in the logs and confirmed Snort showed up as not starting successfully, promiscuous mode disabled, and some other complaint about backdoor rules:

    Sep-13-2007.5:17:18 PM.Daemon.Error.10.33.40.1.UDP.Sep 13 17:17:21 snort[4709]: FATAL ERROR: Unable to open rules file: /usr/local/etc/snort/rules/backdoor.rules or /usr/local/etc/snort//usr/local/etc/snort/rules/backdoor.rules…

    Unchecked this rule and Snort is working again; can anyone else confirm this?

    Using the ac performance method with 2 gigs of RAM, full install on a white box.
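Added example, not from the original post or from the pfSense Snort package: a small Python checker that resolves the `include` lines of a snort.conf the same two ways the FATAL ERROR above names (the path as written, then the config directory glued in front of it) and reports every include that opens at neither, which is exactly what happened to backdoor.rules here. The config tree it builds is constructed for the demo; the `var RULE_PATH` / `$RULE_PATH` convention is Snort's own.

```python
import os
import re
import tempfile
from pathlib import Path

# `var NAME value` and `include <file>` lines as written in a Snort 2.x snort.conf
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_REF_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def expand_vars(value, variables):
    """Substitute $NAME / ${NAME} references with values from earlier var lines.
    Unknown names are left untouched so the report shows what Snort would see."""
    def repl(m):
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    return VAR_REF_RE.sub(repl, value)


def lookup_candidates(conf_dir, target):
    """The two paths the FATAL ERROR in the thread names: the include as written,
    then the config directory prepended to it. The log shows plain string
    concatenation, so an absolute include yields the doubled path
    /usr/local/etc/snort//usr/local/etc/snort/rules/backdoor.rules."""
    conf_dir = conf_dir if conf_dir.endswith("/") else conf_dir + "/"
    return [target, conf_dir + target]


def check_includes(conf_path):
    """Return (include_as_written, paths_tried) for every include that exists at
    neither candidate location, i.e. every include that would abort startup."""
    conf_path = Path(conf_path)
    conf_dir = str(conf_path.parent)
    variables = {}
    missing = []
    for line in conf_path.read_text().splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        target = expand_vars(m.group(1), variables)
        tried = lookup_candidates(conf_dir, target)
        if not any(os.path.isfile(p) for p in tried):
            missing.append((m.group(1), tried))
    return missing


def demo():
    """Constructed config tree (not from the post): backdoor.rules is absent,
    as it was on the poster's box after the ruleset update."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "snort")
        (root / "rules").mkdir(parents=True)
        (root / "rules" / "local.rules").write_text("# local rules\n")
        (root / "classification.config").write_text("# classifications\n")
        conf = root / "snort.conf"
        conf.write_text(
            f"var RULE_PATH {root}/rules\n"
            "include classification.config\n"      # relative: found via conf_dir
            "include $RULE_PATH/local.rules\n"     # absolute: found as written
            "include $RULE_PATH/backdoor.rules\n"  # absent: would be a FATAL ERROR
        )
        return [inc for inc, _ in check_includes(conf)]


if __name__ == "__main__":
    for inc in demo():
        print(f"include would fail: {inc}")
```

Run it against the real file (`check_includes("/usr/local/etc/snort/snort.conf")`) after a ruleset update to see which enabled categories point at files that were not actually written to the rules directory; Snort's own `snort -T -c /usr/local/etc/snort/snort.conf` test mode does the authoritative version of the same check but stops at the first failure, while this lists them all.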



  • Ok, tracked it all down to Backdoor rules, Netbios, and Misc. rules. These 3 categories are not allowing Snort to initialize. Are any of these 3 problematic for anyone else, or is it something within my own setup that causes this?

    I have all other rules enabled and Snort is successfully working, alerting and blocking.

    Latest snort update 9/11/07



  • Have had the issue with only the Netbios rules myself. As soon as I check it and save, Snort crashes and won't restart.



  • The following rules are not working here:

    pfSense in ac mode

    backdoor
    content-replace
    misc
    netbios
    web-php

    In lowmem mode Snort works fine.

    regards

    cc



  • I got Netbios to work if I disable Exploit and Chat.  Rule Categories are so finicky with Snort.

    Just noticed too that the recent update 11/6/07 doesn't reflect my own ruleset when I compare it to the changelog. For example, SPYWARE-PUT Adware adblaster 2.0 runtime detection is not listed in the Deleted category. According to the 11/6 changelog this rule was moved to Deleted, but my ruleset still shows the rule in Spyware-Put. I am a Premium member and I'm referring to the 2.6 changelog.

    http://www.snort.org/vrt/docs/ruleset_changelogs/2_6/changes-2007-11-06.html



  • SQL rules are also a problem…

    In lowmem mode it works fine without SQL.

