Snort mailing list archives

Re: Why all the rules parsing errors?


From: Don Heffernan <donheff () cais net>
Date: Sat, 04 Aug 2001 20:35:45 -0400

Thanks to everyone who wrote.  I had simply left the old executable in place when I
installed the new version.  Once I corrected that and commented out about 50 rules it is
working fine.  When I get a few minutes I will try to figure out what is up with the
non-working rules.

Thanks,

Don

Dragos Ruiu wrote:

I have parsing the keywords for correctness still on my todo....

cheers,
--dr

On Sat, 04 Aug 2001, Don Heffernan wrote:
You are probably correct.  I installed an rpm over a previous version I compiled
myself from source.  As you might guess, I am not clear on how all this works.  By
the way, while I was screwing around I found your snortpp program and got it
going.  It cleaned up all of my rules and put them in one file - but of course my
parsing errors remain.  I will screw around some more and report back.

Thanks,

Don

Dragos Ruiu wrote:

Hunch:

You did the make and then you didn't do the make install
and the old snort is earlier in your path than ./snort....
(Not that I would ever make such a silly mistake, nope...
 Just a hunch... ;-)

cheers,
--dr

On Sat, 04 Aug 2001, Andrew R. Baker wrote:
It sounds like you are somehow still running the old version of snort.
What version is it reporting when it starts up?

-Andrew

--- Don Heffernan <donheff () cais net> wrote:
I just upgraded from snort 1.3 or something to 1.8p1. I then downloaded
the latest ruleset I saw posted (1.7). I had to edit snort.conf to get
lots of spaces out and finally got it working, but when it gets to the
rules include files I am getting errors that would indicate that most of
the rules are invalid.

The first error (line 4 in exploits) is "bad TCP flag = "+". The
relevant portion of the line reads: "...; flags: A+; content:..." The
problem is there are countless lines that use this same construction -
are they all wrong?

I commented out the first 7 lines in exploits (passing by the first
bunch of A+ lines) and then got an error in line 8: "Unknown Keyword
"reference" in rule! Once again, the error is present in countless
lines. The relevant section of line 8 is: "...; reference:
arachnids,492;)"

Can anyone help me out here? If you hadn't already guessed I am not
familiar with the proper syntax.

--
Don Heffernan
heffernan.cais.net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc




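A check for the root cause found in this thread (an older snort binary earlier on PATH than the freshly installed one), added here as an example and not part of the thread or of Snort itself: it lists every `snort` on PATH in lookup order and prints each copy's version banner. It assumes `snort -V` prints the version and uses only POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread: find every executable named $1 on PATH
# in lookup order, so a stale copy that shadows a new install shows up.

# Print each executable called $1 on PATH, one path per line, in the order
# the shell searches. The first line is the copy that "snort" actually runs.
find_all_on_path() {
    name=$1
    ( IFS=:
      for dir in $PATH; do
          [ -n "$dir" ] || dir=.          # an empty PATH entry means "."
          if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
              printf '%s\n' "$dir/$name"
          fi
      done )
}

# Print every copy together with the first line of its version banner.
# Assumes the program prints its version on "-V" (snort does).
report_copies() {
    find_all_on_path "$1" | while IFS= read -r p; do
        printf '%s -> %s\n' "$p" "$("$p" -V 2>&1 | head -n 1)"
    done
}

# Exit status: 0 = exactly one copy, 1 = none on PATH, 2 = several copies
# (the situation in the thread: the old binary ran instead of the 1.8p1 one).
copies_status() {
    n=$(find_all_on_path "$1" | wc -l | tr -d ' ')
    [ "$n" -ne 0 ] || return 1
    [ "$n" -le 1 ] || return 2
    return 0
}

# Usage: sh check_path.sh snort   (does nothing when run without an argument)
if [ $# -gt 0 ]; then
    report_copies "$1"
    copies_status "$1"
    case $? in
        1) echo "no $1 on PATH" ;;
        2) echo "WARNING: several copies of $1 on PATH; the first one wins" ;;
    esac
fi
```

If the report shows two copies with different versions, the first one is what runs when you type `snort`, which is exactly why the new ruleset's `flags: A+` and `reference:` options were rejected here.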

