Snort mailing list archives

RE: Snort rules touble.


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 21 Jun 2002 10:48:36 -0600

On occasion, things that might cause these types of errors, especially if
everything configured and compiled fine, are syntax errors in the rules files
or the snort.conf file.  Perhaps you could go back through the files that
you recently changed and find the sections that you edited and see if there
is a missing semicolon, colon or parenthesis or anything pertaining to
syntax.

-----Original Message-----
From: Jason Gauthier [mailto:jgauthier () lastar com]
Sent: Friday, June 21, 2002 10:21 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort rules touble.


Greetings-

I just installed snort, so I'm a completely new user. I've been reading many
documents about set up, configs, etc.  I realize snort is a complicated
piece of software.


Anyway, I compiled and installed snort without issue.  I extracted the
rules, read the documentation on how to start it.  I edited a snort.conf, and
was ready to go.

I executed:

/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf

Starts up and then errors out:
ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"

Eh, not too bad. So I read some more, and then edit the rule.
I decide to comment it out, so I can fix it later, for now, I would like to
get snort running.

Immediately follows:
ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!

So, I check out this rule file and notice they all have "flow" in them.
I now decide something is completely wrong :)

This is "current", as I had the same problems with the rules with 1.8.6.

Appreciate any insight.


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
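
Added example, not part of the original thread and not Snort's own parser: a small Python lint for the slips the reply suggests looking for (a missing semicolon, colon or parenthesis), plus a bad header field such as the protocol name. The action and protocol lists, the sample rules and the function names are assumptions made for illustration.

```python
import re

# Assumed Snort 1.x vocabulary; one rule per line, no custom rule types.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
SAMPLE = r'''# constructed sample rules, not taken from the thread
alert tcp any any -> any 80 (msg:"constructed ok"; content:"a\;b"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed"; sid:1000002)
alert tcp any any -> any 80 (msg "constructed"; sid:1000003;)
alert any any -> any 80 (msg:"constructed"; sid:1000004;
'''

def split_options(body):
    """Split on ';' outside double quotes; a backslash escapes the next character."""
    parts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            parts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = ch == "\\" and not esc
        cur += ch
    return parts, cur.strip(), quoted  # options, unterminated tail, quote still open

def check_rule(rule):
    """Return the syntax problems found in one single-line rule."""
    problems = []
    header, _, body = rule.partition("(")
    f = header.split()
    if len(f) != 7:
        problems.append(f"header has {len(f)} fields, expected 7")
    elif f[0] not in ACTIONS or f[1] not in PROTOCOLS or f[4] not in ("->", "<>"):
        problems.append(f'bad action, protocol or direction in "{header.strip()}"')
    body = body.rstrip()
    if not body.endswith(")"):
        problems.append("unbalanced parentheses around options")
    options, tail, open_quote = split_options(body.removesuffix(")"))
    if open_quote or tail:
        problems.append("unbalanced double quote" if open_quote else f'missing semicolon after "{tail}"')
    problems += [f'missing colon or bad keyword in "{o}"' for o in options
                 if not re.fullmatch(r"[a-z]\w*(\s*:.*)?", o, re.S)]
    return problems

def lint(text):
    """Map 1-based line number -> problems for each non-comment line of a rules file."""
    lines = enumerate((l.strip() for l in text.splitlines()), 1)
    return {n: p for n, l in lines if l and not l.startswith("#") and (p := check_rule(l))}
```

Calling lint() on the text of a recently edited rules file returns only the lines worth a second look. It checks syntax only, so an option keyword that the installed Snort version does not know still passes.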

