Snort mailing list archives

Re: Current Rule Set


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jun 2002 20:17:09 -0400

I'd wager that you downloaded new rules, but used your old snort.conf with the new .rules files, and it's complaining about SHELLCODE_PORTS.

The new rules tarball should have a snort.conf in it, with some new variables in it needed for the shellcode rules. Copy the "var SHELLCODE_PORTS" line from that conf file into your existing snort.conf and you should be ok.


Remember, the snort.conf is included in the rules tarball for a good reason and should not be overlooked :) (it isn't there as a decoration).

FAQ maintainer: suggestion, add the "I just downloaded a new ruleset and snort complains that XXXX is undefined" to the FAQ. Something along the lines of this:

Q: I just downloaded a new ruleset and now snort fails complaining about the rules.

A:
First, make sure you downloaded the right ruleset for your version of snort. Snort.org generally hosts a ruleset for the released version of snort, as well as rules for the development branch and sometimes copies for older versions of snort. This is generally the case for "unknown keyword in rule" type errors. If you have the rules that are correct for your version of snort, be aware that the snort rules tarball contains a snort.conf file. From time to time the snort.conf included with the rules gets changed as new .rules files are added, and new variables are added to support a better ruleset. When downloading new rulesets you should always give the included snort.conf a quick look-over to see if new includes or vars have been added, or at least be aware you should consult it if things do not work as expected. This is generally the case if you get messages indicating that something is undefined in a rule.


At 04:49 PM 6/10/2002 -0500, Hall, Duane wrote:
I just loaded the current rule set and am getting rule errors when
loading snort.  Is there any way for snort to tell me which rules are
having errors?  It tells me that there are bad ports.

Duane


**************************
Duane Hall
Security Administrator
Hastings Entertainment, Inc.
806-351-2300 X-3945

54 68 65 72 65 20 69 73 20 6e 6f 74 68 69 6e 67 20 68 65 72 65 2e

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
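The look-over recommended in the reply above can be scripted. This added example (not part of the original thread or of Snort itself) lists each `$VAR` used in a rule header but not defined in the local snort.conf, with the rule line number and the `var` line to copy from the shipped snort.conf. It assumes the `var NAME value` syntax; the function names and the sample conf and rule text are constructed for illustration.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")   # "var NAME value"
VAR_REF = re.compile(r"\$\(?(\w+)")                     # $NAME or $(NAME)

def defined_vars(conf_text):
    """Map variable name -> its full 'var' line in a snort.conf."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)          # commented-out lines do not match
        if m:
            found[m.group(1)] = line.strip()
    return found

def referenced_vars(rules_text):
    """Map variable name -> first line number whose rule header uses it."""
    refs = {}
    for n, line in enumerate(rules_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        # Only the header (before the option list) holds address/port vars;
        # this avoids matching '$' inside msg or content options.
        header = re.split(r"\s\(", s, maxsplit=1)[0]
        for name in VAR_REF.findall(header):
            refs.setdefault(name, n)
    return refs

def missing_vars(local_conf, shipped_conf, rules_text):
    """(name, rule line, 'var' line from shipped conf or None) per gap."""
    have, shipped = defined_vars(local_conf), defined_vars(shipped_conf)
    return [(name, n, shipped.get(name))
            for name, n in sorted(referenced_vars(rules_text).items())
            if name not in have]

# Constructed sample input (not real Snort rules or a real snort.conf).
OLD_CONF = "var HOME_NET 10.1.1.0/24\nvar EXTERNAL_NET any\n"
NEW_CONF = OLD_CONF + "var SHELLCODE_PORTS !80\n"
RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample A"; sid:1000001;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"sample B"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"sample C"; sid:1000003;)
"""

if __name__ == "__main__":
    for name, n, fix in missing_vars(OLD_CONF, NEW_CONF, RULES):
        hint = fix or "not in shipped snort.conf either; check ruleset version"
        print(f"rules line {n}: ${name} undefined -> {hint}")
```

A variable that is missing from the shipped snort.conf as well points to the first case in the FAQ answer: a ruleset that does not match the installed version.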



