Snort mailing list archives
Re: Invalid rules
From: Mike_Sands () elementk com
Date: Mon, 4 Mar 2002 11:28:31 -0500
I think that you may be experiencing a similar issue that I am having. I have manually imported the new ruleset and attempted to restart snort/demarc. I get an error stating RROR ./snorteth1.conf.tst(1629) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1630) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1631) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1632) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1633) => Bad Priority setting "attempted-user" ERROR ./snorteth1.conf.tst(1634) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1635) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1636) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1637) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1638) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1639) => Bad Priority setting "attempted-user" ERROR ./snorteth1.conf.tst(1640) => Bad Priority setting "attempted-user" ERROR ./snorteth1.conf.tst(1641) => Bad Priority setting "misc-activity" ERROR ./snorteth1.conf.tst(1642) => Bad Priority setting "attempted-dos" ERROR ./snorteth1.conf.tst(1643) => Bad Priority setting "attempted-user" ERROR ./snorteth1.conf.tst(1644) => Bad Priority setting "attempted-user" ERROR ./snorteth1.conf.tst(1645) => Bad Priority setting "attempted-dos" ERROR ./snorteth1.conf.tst(1646) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1647) => Bad Priority setting "attempted-admin" ERROR ./snorteth1.conf.tst(1648) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1649) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1650) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1651) => Bad Priority setting "attempted-admin" ERROR ./snorteth1.conf.tst(1652) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1653) => Bad Priority setting "attempted-admin" ERROR ./snorteth1.conf.tst(1654) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1655) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1656) => Bad Priority setting "attempted-recon" ERROR ./snorteth1.conf.tst(1657) => Bad Priority setting "web-application-attack" ERROR ./snorteth1.conf.tst(1658) => Bad Priority setting "web-application-activity" ERROR ./snorteth1.conf.tst(1660) => Bad Priority setting "web-application-attack" ERROR ./snorteth1.conf.tst(1661) => Bad Priority setting "web-application-attack" ERROR ./snorteth1.conf.tst(1662) => Bad Priority setting "web-application-attack" ERROR ./snorteth1.conf.tst(1673) => Bad Priority setting "bad-unknown" ERROR ./snorteth1.conf.tst(1674) => Bad Priority setting "unknown" ERROR ./snorteth1.conf.tst(1675) => Bad Priority setting "unknown" the syntax of the rules look fine and the classification.config file is there but snort just won't take the new ruleset. Mike Sands Security / Network Engineer Office: (585) 214-1936 Fax: (585) 295-7162 Cell: 716-303-3245 Element K 'the knowledge catalyst' www.elementk.com |--------+---------------------------------------> | | "Fontenot, Paul" | | | <Paul.Fontenot@bannerhealth.c| | | om> | | | Sent by: | | | snort-users-admin@lists.sourc| | | eforge.net | | | | | | | | | 02/27/2002 04:42 PM | | | | |--------+---------------------------------------> >------------------------------------------------------------------------------------------------------------| | | | To: "Snort (E-mail)" <snort-users () lists sourceforge net> | | cc: | | | | Subject: [Snort-users] Invalid rules | >------------------------------------------------------------------------------------------------------------| I am evaluating Demarc and have set it to auto_update. This snort sensor was started up about 20 minutes ago with the auto_update set to 5 minutes. I have gotten this below since i started running demarc. has anyone seen this problem? -Paul Updating local rules Fetching current snort.conf Adding 1-classifications to current_ruleset Adding ATTACK RESPONSES to current_ruleset Adding BACKDOOR RULES to current_ruleset Adding BAD TRAFFIC RULES to current_ruleset Adding DDOS RULES to current_ruleset Adding DNS RULES to current_ruleset Adding DOS RULES to current_ruleset Adding EXPERIMENTAL RULES to current_ruleset Adding EXPLOIT RULES to current_ruleset Adding FINGER RULES to current_ruleset Adding FTP RULES to current_ruleset Adding ICMP RULES to current_ruleset Adding INFO RULES to current_ruleset Adding LOCAL RULES to current_ruleset Adding MISC RULES to current_ruleset Adding NETBIOS RULES to current_ruleset Adding POLICY RULES to current_ruleset Adding PORN RULES to current_ruleset Adding RPC RULES to current_ruleset Adding RSERVICES RULES to current_ruleset Adding SCAN RULES to current_ruleset Adding SHELLCODE RULES to current_ruleset Adding SMTP RULES to current_ruleset Adding SQL RULES to current_ruleset Adding TELNET RULES to current_ruleset Adding TFTP RULES to current_ruleset Adding VIRUS RULES to current_ruleset Adding WEB ATTACKS to current_ruleset Adding WEB-CGI RULES to current_ruleset Adding WEB-COLDFUSION RULES to current_ruleset Adding WEB-FRONTPAGE RULES to current_ruleset Adding WEB-IIS RULES to current_ruleset Adding WEB-MISC RULES to current_ruleset Adding X11 RULES to current_ruleset Appears to be an invalid ruleset / snort.conf RULES INVALID... NOT UPDATING CURRENT RUNNING CONFIG/RULESET! _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Invalid rules Fontenot, Paul (Feb 27)
- <Possible follow-ups>
- Re: Invalid rules Mike_Sands (Mar 04)
- Re: Invalid rules Matt Kettler (Mar 04)