Trouble creating/using snort rules in terminal (OS: VM Mint 17) - tcp

I am using snort 2.9.6 and am having trouble getting my rules to run. When I run snort I receive the following error:
Initializing rule chains...
ERROR: /etc/snort/rules/(1) Unknown rule type alert
Fatal Error, Quitting..
I have tried copying/using multiple rules from other rules files, etc., so that they would have the correct syntax, yet none of them seem to be working.
Here's an example of a rule I am trying, just as a catch-all over tcp, in order to verify that the rules are being executed:
Example: alert tcp any any -> 172.16.136.129 any (msg:"any, any"; sid:1000011;)
Does anyone have any ideas as to what the problem may be?
Thanks for your help

Related

VTS: few test cases give syntax error unexpected 'newline' and module gets reported as incomplete (in spite of test cases passing)

/data/local/tmp/VtsHalBiometricsFaceV1_0TargetTest/VtsHalBiometricsFaceV1_0TargetTest.config[1]: syntax error: unexpected 'newline'
Total Tests : 1
PASSED : 1
FAILED : 0
IMPORTANT: Some modules failed to run to completion, tests counts may be inaccurate.
============== End of Results ==============
Issue: the test case is passing but the module is not getting reported as completed.
The issue is seen only with Android 11 based VTS suites and works well with older Android flavor VTS suites.
Environment: Ubuntu 18.04.2 LTS. For a few modules, in spite of passing the test cases, it does not report a module pass (only for a few modules) and shows it as Done=false in the results report.
Logs indicate this kind of error pointing to various .config files.
Any idea / suggestion what the issue could be?
This was asked again in "syntax error: unexpected 'newline' in .config file in android vts" and that got an answer that if you've modified the vts-tradefed file, then this error appears.
Additionally I noticed that even chmod changes can cause this problem to appear.

snmptrapd unknown snmp version 193

I'm trying to capture SNMP traps using snmptrapd but don't seem to be receiving anything.
I installed snmptrapd and then modified the /etc/snmp/snmptrapd.conf file to have authCommunity log public and started the service with systemctl start snmptrapd.
Upon start, my syslog has "unknown snmp version 193" printed to it but nothing else, and when I send traps it doesn't seem to output anything or throw an error.
Have I missed something?
Couldn't find a reason for "unknown snmp version 193", but it seems you need to specify an output file as it won't do it by default.
My snmptrapd.conf now looks like:
authCommunity log public
[snmp] logOption f /var/log/snmp

Airflow SFTPHook - No hostkey for host found

I'm trying to use the Airflow SFTPHook by passing in a ssh_conn_id and I'm getting an error:
No hostkey for host myhostname found.
Using the SFTPOperator with the same ssh_conn_id however is working fine. How can I resolve this error?
Just had this issue; the simple trick is to keep your SSH connector inside Airflow and to add the following in the "Extra" field:
{"no_host_key_check": true}
Hope it helps!
Edit: Indeed, it allows man-in-the-middle attacks, so even if it helps temporarily, you should get the SSH fingerprint and allow it.
The SFTPOperator uses SSHHook. Hence, you should use SSHHook instead.
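A safer way to set up the connection than disabling host-key checking, as an added example that is not from the thread or from Airflow's own code: it builds a known_hosts-style line from a constructed (fake) ed25519 key, derives the SHA256 fingerprint to compare with what the server administrator published, and produces an "Extra" JSON that pins the key through the `host_key` extra (assumed to be supported by the installed SSH provider; check the docs for your version) while leaving `no_host_key_check` false.

```python
import base64
import hashlib
import json
import struct

# Constructed sample: a fake 32-byte ed25519 public key, NOT a real host key.
FAKE_ED25519_KEY = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def build_keyscan_line(host: str, key_type: str, raw_key: bytes) -> str:
    """Build a line in the shape ssh-keyscan / known_hosts use: '<host> <type> <base64 blob>'."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def fingerprint(b64_blob: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint (as shown by ssh-keygen -lf) of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def airflow_extra_from_keyscan(line: str) -> dict:
    """Turn a known_hosts line into the 'Extra' JSON for an Airflow SSH connection.

    Instead of {"no_host_key_check": true}, which accepts any key the remote presents,
    this pins the expected key with the `host_key` extra (assumed to be supported by
    the installed SSH provider) and keeps host-key checking switched on.
    """
    _host, key_type, b64_blob = line.split()[:3]
    return {"no_host_key_check": False, "host_key": f"{key_type} {b64_blob}"}


def main() -> None:
    line = build_keyscan_line("myhostname", "ssh-ed25519", FAKE_ED25519_KEY)
    print("keyscan line:", line)
    # compare this value with the fingerprint the server administrator published before pinning
    print("fingerprint :", fingerprint(line.split()[2]))
    print("Extra field :", json.dumps(airflow_extra_from_keyscan(line)))


if __name__ == "__main__":
    main()
```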

Rmpi, OpenCPU, and Apparmor: DENIED request for "/"

I have an R package that sends out a job to the OpenMPI cluster I have running by means of the Rmpi package. All works as expected within an R session run from the console. However, when I try to execute the relevant function from my OpenCPU server like this (details changed to protect the innocent):
curl -XPOST http://99.999.999.99/ocpu/library/MyPackage/R/my_cluster_function
I get this error:
R call failed: process died.
(Other, non-cluster-calling functions within the package work as expected via OpenCPU.) I noticed in /var/log/kern.log a variety of requests being DENIED by apparmor, and I have been able to resolve most of them by adding entries into /etc/apparmor.d/opencpu.d/custom to allow OpenMPI to access the files it needs. However, I cannot resolve these two issues (again, IP address changed) related to "open" requests for location "/":
Oct 26 03:49:58 99.999.999.99 kernel: [142952.551234] type=1400 audit(1414295398.849:957): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:49:58 99.999.999.99 kernel: [142952.556422] type=1400 audit(1414295398.857:958): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Adding this to my apparmor rules did not help:
/* r,
Two questions:
Why is opencpu trying to read from my root level directory (or does this mean something else)?
More urgently, how can I resolve this apparmor issue?
Thanks.
You might need to add both apparmor rules:
/ r,
/* r,
The first rule allows directory listing of / and the second rule allows read access to any file under /.
I don't understand why Rmpi wants to read / or why you were getting a process died error instead of access denied. Are you sure the problem is completely resolved?
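An added example (not from the question or the answer) that turns AppArmor DENIED lines like the ones quoted above into candidate profile rules, so that a denial on name="/" is answered with `/ r,` (the directory itself) rather than only `/* r,` (files under it). The sample log lines are constructed after the quoted ones, with placeholder address and PIDs; the script only suggests rules, which should be reviewed before being added under /etc/apparmor.d/.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in the same shape as the ones quoted above
# (the address, PIDs and extra paths are placeholders, not real data).
SAMPLE_LOG = """\
Oct 26 03:49:58 99.999.999.99 kernel: [142952.551234] type=1400 audit(1414295398.849:957): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:49:58 99.999.999.99 kernel: [142952.556422] type=1400 audit(1414295398.857:958): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:50:01 99.999.999.99 kernel: [142955.000001] type=1400 audit(1414295401.000:959): apparmor="DENIED" operation="open" profile="opencpu-main" name="/usr/lib/openmpi/lib/libmpi.so" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:50:02 99.999.999.99 kernel: [142956.000002] type=1400 audit(1414295402.000:960): apparmor="ALLOWED" operation="open" profile="opencpu-main" name="/tmp/x" pid=22486 comm="orted" requested_mask="w" denied_mask="w" fsuid=33 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line: str):
    """Parse the key=value fields of one audit line; return None unless it is an AppArmor DENIED event."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rules(log_text: str) -> dict:
    """Group 'open' denials by profile and emit the file rules that would permit them.

    A denial with name="/" needs the rule '/ r,' (listing the directory), which is
    distinct from '/* r,' (reading files inside it), as the answer above points out.
    Denied masks for the same path are merged, e.g. 'r' and 'w' become 'rw'.
    """
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get("operation") == "open":
            masks[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    out = defaultdict(list)
    for (profile, path), m in sorted(masks.items()):
        out[profile].append(f"{path} {''.join(sorted(m))},")
    return dict(out)


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# review each suggested rule before adding it to the '{profile}' profile")
        print("\n".join(rules))
```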

AlienVault OSSIM: Invalid 'if_sid' error

I do not know if the question is considered to be related to programming, but I'll try anyway. I'm new to the Alienvault OSSIM System.
I'm trying to learn how to make my own rules, but unfortunately I am having some difficulty.
I created a simple rule in the rules file "local.rules" inside of the Snort rules folder.
alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
This rule triggers after an icmp ping from any machine to any machine.
I checked if Snort deals with this rule, and indeed its records appear in the snort log file.
From the searches I've done about this, I realized that after a change in the rules files I must run the script below for the purpose of mapping rules files.
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
Then I created the following OSSIM rule in local_rules.xml file:
<group name="local,syslog,">
<rule id="100020" level="2">
<if_sid>250888</if_sid>
<description>it's a new rule that i write myself!!</description>
</rule>
</group>
After a system reboot I sent some pings to the machine, but the rule did not appear as an occurrence in the alert log. And in the OSSIM system error log this appears:
2014/08/06 11:30:59 rules_list: Signature ID '250888' not found. Invalid 'if_sid'.
Can someone explain to me what I am doing wrong?
I'm not familiar with Alienvault OSSIM System, but from a snort standpoint, this is an invalid sid for a local rule. SIDs for local rules must be >= 1,000,000 as these are reserved for rules included with the Snort distribution (See documentation on this here). Perhaps try changing the sid to 1000000 (or 1250888 if you want to keep the 250888 part).
If you create a rule in Snort you don't need to create a rule in local_rules.xml.
After you change the local.rules of Snort:
any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
and run this command:
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
go to web interface > configuration > THREAT INTELLIGENCE > Data source > Data source id 1001.
In the Search input write the sid of your rule (250888) and you will find your rule.
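An added example (not from either thread) that checks Snort rule lines before they are loaded: it covers the header shape and action keyword behind the "Unknown rule type" error in the first question on this page (one cause being invisible bytes, such as a UTF-8 BOM, glued to "alert"), and the local-SID range point made in the answer above. The sample rules are the two quoted on this page plus a constructed BOM-prefixed copy.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for rules shipped with Snort
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)


def check_rule(line: str) -> list:
    """Return the problems found in one Snort rule line (empty list = looks fine)."""
    problems = []
    head = line.lstrip().split(" ", 1)[0]
    if not head.isascii():  # e.g. a UTF-8 BOM glued to the action keyword
        problems.append(f"non-ASCII bytes in the action keyword {head!r}")
        line = line.lstrip("\ufeff")
    m = HEADER_RE.match(line.strip())
    if not m:
        return problems + ["header does not match 'action proto src sport dir dst dport (options)'"]
    if m["action"] not in ACTIONS:
        problems.append(f"unknown rule type {m['action']!r}")
    # options are 'key:value;' pairs; keyword-only options such as 'nocase;' get an empty value
    opts = dict(o.strip().partition(":")[::2] for o in m["opts"].split(";") if o.strip())
    if "msg" not in opts:
        problems.append("missing msg option")
    sid = opts.get("sid", "").strip()
    if not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is in the range reserved for distributed rules (use >= {LOCAL_SID_MIN})")
    return problems


def check_rules_file(text: str) -> dict:
    """Map 1-based line numbers to problems, for every non-comment line that has any."""
    rules = ((n, raw) for n, raw in enumerate(text.splitlines(), 1)
             if raw.strip() and not raw.lstrip().startswith("#"))
    return {n: probs for n, raw in rules if (probs := check_rule(raw))}


# Constructed sample rules file: the two rules quoted on this page plus a BOM-prefixed copy.
SAMPLE_RULES = (
    'alert tcp any any -> 172.16.136.129 any (msg:"any, any"; sid:1000011;)\n'
    'alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)\n'
    '\ufeffalert tcp any any -> any any (msg:"BOM rule"; sid:1000012;)\n'
)

if __name__ == "__main__":
    for n, probs in check_rules_file(SAMPLE_RULES).items():
        print(f"line {n}: " + "; ".join(probs))
```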
