[Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.

Rob Sly slyguy2000 at hotmail.com
Wed Oct 7 11:47:09 EDT 2009


You need to download the patch file from 
http://www.snortsam.net/download.html for the specific version of Snort that 
you are using, and patch the source code for Snort to add in Snortsam.  Then 
you need to configure and compile, and you should be able to get it working. 
Post back on your success or if you need further help.

--------------------------------------------------
From: "Wouter de Jong" <maddog2k at maddog2k.net>
Sent: Wednesday, October 07, 2009 9:26 AM
To: <snortsam-discussion at snortsam.net>
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule 
option:'fwsam'.

> Hi,
>
> I can't get Snort 2.8.5 (patched with the Snortsam patch) to work ...
> As soon as I want to load a test-rule like this :
>
> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; dsize:>1400;
> sid:1000001; fwsam: src, 20 minutes;)
>
> I get the following :
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: /etc/snort/rules/local.rules(7) Unknown rule option: 'fwsam'.
> Fatal Error, Quitting..
>
> Snort does have Snortsam compiled in, because a 'string /usr/sbin/snort |
> grep -i fwsam' reveals lines like :
>
> ERROR => [Alert_FWsam](FWsamCheckOut) Funky socket error (socket)!
> ERROR => [Alert_FWsam](FWsamCheckOut) Could not bind socket!
> INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host %s.
> INFO => [Alert_FWsam](FWsamCheckOut) Had to use initial key!
>
> etc, etc.
>
> Am I missing something here ?
>
> Best regards,
>
> Wouter de Jong