Snort mailing list archives
Re: New rules keyword error
From: "Marc Quibell" <mquibell () fbfs com>
Date: Wed, 22 Oct 2003 15:08:38 -0500
Er...What? Auto-updates are only bad if you screw them up, no? Now why were they screwed up? Are you saying that the old nomenclature for "CVS Stable" no longer applies to snort 2.0.x? Snort is no good w/o auto-updates..no time to babysit processes. Marc On Wed, 22 Oct 2003, Marc Quibell wrote:
Automatically downloaded new rules last night, as is every night, got errors in syslog: Unknown keyword 'isdataat' Unknown keyword 'pcre' in a few of the new rule files (exploit, ftp, imap, pop2, pop3, nnmp, smtp, misc). What are these keywords? Typos? Or did something (version) change? THX!
EREK ADAMS WROTE:
<Mr.MackeyVoice> See Kids? Auto updates are bad, M'kay. </Mr.MackeyVoice> The new CVS version makes use of those new keywords. Due to a little bit of b0rkage, the -STABLE CVS tag had it's rules changed. Simple fix: Restore your rules from the backup. You do have a backup don't you? :) Note to everyone who auto-updates rules: What has happened is a prime example on why auto-updates are not a 100% good thing. Your best bet is to have all of your local sensors update from a master server that you manually update the rules on. That eases administration, while at the same time allows for human control and interaction. Cheers! ----- Erek Adams "When things get weird, the weird t ------------------------------------------------------- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- New rules keyword error Marc Quibell (Oct 22)
- Re: New rules keyword error Erek Adams (Oct 22)
- <Possible follow-ups>
- Re: New rules keyword error Marc Quibell (Oct 22)
- Re: New rules keyword error Erek Adams (Oct 22)
- Re: New rules keyword error Marc Quibell (Oct 22)
- Re: New rules keyword error Marc Quibell (Oct 23)
- Re: New rules keyword error Frank Knobbe (Oct 23)
- Re: New rules keyword error Josh Berry (Oct 28)
- Re: New rules keyword error Frank Knobbe (Oct 23)
- Re: New rules keyword error John Creegan (Oct 23)
- Re: New rules keyword error Andreas Östling (Oct 23)
- Re: New rules keyword error Jason Haar (Oct 24)
- Re: New rules keyword error Chris Green (Oct 24)
- Re: New rules keyword error Andreas Östling (Oct 23)
- Re: New rules keyword error John Creegan (Oct 23)
(Thread continues...)