RE: Snort rules touble.

[Erek Adams <erek () theadamsfamily net>]

On Fri, 21 Jun 2002, Slighter, Tim wrote:

> If Jason is going to go with his intended build of 1.86 and would ultimately
> have to comment out anything using "flow", if he needs to stay with that
> build, then he might want to consider downloading the latest signatures from
> activeworx as well as the policy manager and integrating those into the
> rules to ensure that he is using some of the latest signatures.  Otherwise,
> it could be advantageous to move ahead to the daily snapshot and use the
> latest rules from current.

Actually, if you grab the latest rules from snort.org, you don't have the
"flow:" keyword in them at all.

> From http://www.snort.org/dl/signatures/snortrules.tar.gz:

  ghosts:tmp {114} tar -zxvf ~erek/snortrules.tar.gz
  ghosts:tmp {115} cd rules
  ghosts:rules {116} grep 'flow:' *.rules
  ghosts:rules {117}

If you see "flow:" in any of your rulesets, then you grabbed the 'wrong' rules
for 1.8.6.  You've somehow ended up with the 1.9 rulesets.

Snort.org should be the definitive site for all your snort rule needs.  :)
Hrmmmm....  "The Best Damn Snort Show Ever"...  I wonder if ESPN would like
that very much?  ;-)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users