Snort mailing list archives

Re: Stable Snort Rules fails?

From: matt <mkettler () evi-inc com>
Date: Sat, 01 Jun 2002 15:29:01 -0400

It sounds like Juan is using one of the rule management tools that has anunfortunate 'feature' in it's default mode.

I forget the name of the tool offhand, and in a quick search i could notfind the information I needed, however as I recall there is a rulesmanagement tool that will by default uncomment all rules in the downloadedset prior to merging it with the existing set. There's a commandline switchto inhibit this behavior.

I recall this being discussed on-list several months ago, the author of thetool had commented on-list that he wished he had made the "don't uncommentrules" behavior the default.



At 02:17 PM 5/31/2002 -0700, Erek Adams wrote:

On Fri, 31 May 2002, Juan Pablo Villaverde wrote:

>
> I have installed Snort 1.8.6 build 151, when I download the stable
> rules from snort:
> (http://www.snort.org/dl/signatures/snortrules.tar.gz)
>
> I get the following error:
>
> ERROR .//bad-traffic.rules(19) => Bad protocol name ">134"
> Fatal Error, Quitting..
>
> This rule must be OK... but fails!! Why?

Errr...  I just grabbed the same file.  That rule is #19, and it's commented
out along with #20.

--

# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC
Unassigned/Reser ved IP protocol"; ip_proto:>134;
classtype:non-standard-protocol; sid:1627;  rev: 1;)

--

Usually if a rule is commented out in the rules distro, it was done for a
reason. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Stable Snort Rules fails? Juan Pablo Villaverde (May 31)
- Re: Stable Snort Rules fails? Erek Adams (May 31)
- Message not available
  - Re: Stable Snort Rules fails? matt (Jun 01)