Snort mailing list archives

Re: Invalid rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 04 Mar 2002 13:33:38 -0500

Mike,

You've checked to see that classification.config is present alongside your rules, which is good, but it still looks like the classification.config is not properly set up.

Paul's problem looks like it might be a typographical error in a rules file, as his output shows the file gets included before the rules files are loaded. I've never run demarc, but Paul might consider checking syslog, or trying to run snort directly from the command line to see what the real error messages are from snort itself; it might give him a better idea as to what is wrong.

As for Mike's problem:

Did you confirm that snorteth1.conf.tst contains an include for the classification.config like this one:

include classification.config

Does it include it *before* any of the .rules files are included?

The "stock" snort.conf file includes the classification.config right above the comment block for the rules file section...
-----------------------

#
# Include classification & priority settings
#

include classification.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
<snip - more comment block>

include bad-traffic.rules
include exploit.rules
include scan.rules
...


At 11:28 AM 3/4/2002 -0500, Mike_Sands () elementk com wrote:

I think that you may be experiencing a similar issue that I am having. I
have manually imported the new ruleset and attempted to restart
snort/demarc. I get an error stating
ERROR ./snorteth1.conf.tst(1629) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1630) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1631) => Bad Priority setting "attempted-recon"
ERROR ./snorteth1.conf.tst(1632) => Bad Priority setting "attempted-recon"
<snip>

The syntax of the rules looks fine and the classification.config file is
there, but snort just won't take the new ruleset.
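
The include-order check discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it walks a config and its includes in load order and reports every rule whose classtype has no `config classification:` entry loaded before it. The function name, the sample files and the rule are constructed for illustration; it assumes include paths resolve from the current directory and does not expand variables such as `$RULE_PATH`.

```python
import re
from pathlib import Path

CLASSIFICATION = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")
CLASSTYPE = re.compile(r"classtype:\s*([^;\s]+)\s*;")

def find_undefined_classtypes(conf, read=None, _defined=None, _problems=None):
    """Return (file, line, classtype) for each rule that uses a classtype
    not yet defined at the point where the rule is loaded."""
    read = read or (lambda name: Path(name).read_text())
    defined = set() if _defined is None else _defined
    problems = [] if _problems is None else _problems
    for lineno, line in enumerate(read(conf).splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = CLASSIFICATION.match(line)
        if m:
            defined.add(m.group(1))  # classtype is known from here on
            continue
        m = INCLUDE.match(line)
        if m:
            # Included files are processed in place, so order matters.
            find_undefined_classtypes(m.group(1), read, defined, problems)
            continue
        for name in CLASSTYPE.findall(line):
            if name not in defined:
                problems.append((conf, lineno, name))
    return problems

# Constructed sample files (hypothetical, not taken from the thread).
SAMPLE = {
    "classification.config":
        "config classification: attempted-recon,Attempted Information Leak,2\n",
    "scan.rules":
        'alert tcp any any -> any 80 (msg:"constructed probe"; '
        "classtype:attempted-recon; sid:1000001;)\n",
    "good.conf": "include classification.config\ninclude scan.rules\n",
    "late.conf": "include scan.rules\ninclude classification.config\n",
    "missing.conf": "include scan.rules\n",
}

if __name__ == "__main__":
    for conf in ("good.conf", "late.conf", "missing.conf"):
        print(conf, find_undefined_classtypes(conf, SAMPLE.__getitem__))
```

Called with only a file name, it reads the files from disk instead of the constructed samples.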

