Still the same two questions I care about; waiting for an expert to join in, thanks!
First, when starting snort I hit several errors that forced me to comment out these rules in /etc/snort/rules/web-misc.rules, otherwise the service would not start. What exactly is the cause?
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
Error messages:
[root@localhost ~]# tail -f /var/log/messages
Mar 5 21:34:06 localhost snort[647]: Alert if memcap exceeded DISABLED
Mar 5 21:34:06 localhost snort[647]:
Mar 5 21:34:06 localhost snort[647]: DNS config:
Mar 5 21:34:06 localhost snort[647]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 5 21:34:06 localhost snort[647]: Obsolete DNS RR Types Alert: INACTIVE
Mar 5 21:34:06 localhost snort[647]: Experimental DNS RR Types Alert: INACTIVE
Mar 5 21:34:06 localhost snort[647]: Ports:
Mar 5 21:34:06 localhost snort[647]: 53
Mar 5 21:34:06 localhost snort[647]:
Mar 5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
[root@localhost ~]# tail -f /var/log/messages
Mar 5 21:42:37 localhost snort[707]: Alert if memcap exceeded DISABLED
Mar 5 21:42:37 localhost snort[707]:
Mar 5 21:42:37 localhost snort[707]: DNS config:
Mar 5 21:42:37 localhost snort[707]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 5 21:42:37 localhost snort[707]: Obsolete DNS RR Types Alert: INACTIVE
Mar 5 21:42:37 localhost snort[707]: Experimental DNS RR Types Alert: INACTIVE
Mar 5 21:42:37 localhost snort[707]: Ports:
Mar 5 21:42:37 localhost snort[707]: 53
Mar 5 21:42:37 localhost snort[707]:
Mar 5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi
Second, how exactly is snort meant to be used?
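As an added example (not from the original post, and not part of the Snort project), a small Python lint that scans a rules file for the two conditions Snort reported above: a `rawbytes` modifier applied to a `uricontent` or `http_uri` match, and a `pcre` option whose regex is not wrapped as `/regex/flags`. The sample rules are constructed with placeholder sids, and the pcre check assumes the conventional `/` delimiter.

```python
import re
# Constructed sample (not from the post). Rules 1 and 2 reproduce the two defects
# Snort reported: 'rawbytes' on a uricontent match, and a pcre regex missing its
# leading '/' delimiter; rule 3 is a clean control. The sids are local placeholders.
SAMPLE_RULES = "\n".join([
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"rawbytes on uricontent"; '
    'flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"pcre without delimiter"; '
    r'content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"clean"; flow:to_server,established; '
    r'uricontent:"/ComGetLogFile.php3"; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; sid:1000003; rev:1;)',
])

# rule = action + header + "(options)"; option = keyword[:value];  pcre value = [!]/regex/flags
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$', re.S)
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
PCRE_RE = re.compile(r'^!?/(.*)/[ismxAEGRUBPHMCOIDKSY]*$', re.S)
CONTENT_MODIFIERS = {'nocase', 'rawbytes', 'depth', 'offset', 'distance', 'within', 'http_uri',
                     'http_client_body', 'http_header', 'http_method', 'http_cookie', 'fast_pattern'}

def lint_options(body):
    """Check one rule's option list; return the problems Snort would refuse to load."""
    problems = []
    current = None  # [keyword, modifiers] of the most recent content/uricontent
    for key, val in OPTION_RE.findall(body):
        if key in ('content', 'uricontent'):
            current = [key, set()]
        elif key in CONTENT_MODIFIERS and current is not None:
            current[1].add(key)
            # rawbytes asks for the raw payload, which contradicts the normalized URI buffer
            if key in ('rawbytes', 'http_uri') and 'rawbytes' in current[1] and (
                    current[0] == 'uricontent' or 'http_uri' in current[1]):
                problems.append("'rawbytes' cannot modify a uricontent/http_uri match")
        elif key == 'pcre' and not PCRE_RE.match(val.strip('"')):
            problems.append('pcre is not "/regex/flags": %s' % val)
    return problems

def lint_rules(text):
    """Return [(line_number, sid, problem), ...]; blank and '#'-commented lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, None, 'not a parsable rule'))
            continue
        sid = re.search(r'\bsid\s*:\s*(\d+)', m.group(1))
        findings += [(lineno, sid and int(sid.group(1)), p) for p in lint_options(m.group(1))]
    return findings
```

Snort's own configuration test (`snort -T -c /etc/snort/snort.conf`) remains the authoritative check; this lint only points at the offending lines before that run, so the rules can be corrected rather than commented out.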