Snort mailing list archives
Re: Invalid rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 04 Mar 2002 13:33:38 -0500
Mike, you've checked to see that classification.config is present alongside your rules, which is good.. but it still looks like the classification.config is not properly set up. Paul's problem looks like it might be a typographical error in a rules file, as his output shows the file gets included before the rules files are loaded. I've never run demarc, but Paul might consider checking syslog, or trying to run snort directly from the command line to see what the real error messages are from snort itself; it might give him a better idea as to what is wrong.
As for Mike's problem: Did you confirm that snorteth1.conf.tst contains an include for the classification.config like this one:
include classification.config

Does it include it *before* any of the .rules files are included? The "stock" snort.conf file includes the classification.config right above the comment block for the rules file section...

-----------------------
#
# Include classification & priority settings
#
include classification.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
# http://www.snort.org
# http://www.whitehats.com
<snip - more comment block>
include bad-traffic.rules
include exploit.rules
include scan.rules
...

At 11:28 AM 3/4/2002 -0500, Mike_Sands () elementk com wrote:
I think that you may be experiencing a similar issue that I am having. I have manually imported the new ruleset and attempted to restart snort/demarc. I get an error stating

ERROR ./snorteth1.conf.tst(1629) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1630) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1631) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1632) => Bad Priority setting "attempted-recon"
<snip>
The syntax of the rules looks fine and the classification.config file is there, but snort just won't take the new ruleset.
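The ordering check suggested in the reply above can be automated. The following is an added example, not part of the original message or of Snort itself: it walks a configuration top to bottom, follows include lines, and reports every rule whose classtype has not yet been defined by a "config classification:" line. The function name and the in-memory sample files are assumptions constructed for illustration.

```python
import re

CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")


def check_classtypes(name, files, known=None, problems=None):
    """Walk `name` in top-to-bottom order, following includes.

    `files` maps file name -> text (a stand-in for reading from disk).
    Returns (file, line number, classtype) for every rule whose classtype
    was not defined by an earlier `config classification:` line.
    """
    known = set() if known is None else known
    problems = [] if problems is None else problems
    if name not in files:
        problems.append((name, 0, "<missing include>"))
        return problems
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            check_classtypes(line.split(None, 1)[1], files, known, problems)
        elif line.startswith("config classification:"):
            # format: config classification: shortname,description,priority
            known.add(line.split(":", 1)[1].split(",")[0].strip())
        elif line.startswith(RULE_ACTIONS):
            m = CLASSTYPE_RE.search(line)
            if m and m.group(1) not in known:
                problems.append((name, lineno, m.group(1)))
    return problems


# Constructed sample files: same content, two include orders.
SAMPLE = {
    "classification.config":
        "config classification: attempted-recon,Attempted Information Leak,2\n",
    "scan.rules":
        'alert icmp any any -> any any (msg:"constructed sample"; '
        'classtype:attempted-recon; sid:1000001;)\n',
    "good.conf": "include classification.config\ninclude scan.rules\n",
    "bad.conf": "include scan.rules\ninclude classification.config\n",
}

if __name__ == "__main__":
    for conf in ("good.conf", "bad.conf"):
        print(conf, check_classtypes(conf, SAMPLE))
```

To run it against a real configuration, build the `files` mapping by reading snorteth1.conf.tst and each file it includes from disk.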
Current thread:
- Invalid rules Fontenot, Paul (Feb 27)
- <Possible follow-ups>
- Re: Invalid rules Mike_Sands (Mar 04)
- Re: Invalid rules Matt Kettler (Mar 04)