Snort mailing list archives

Re: New rules keyword error


From: "Marc Quibell" <mquibell () fbfs com>
Date: Wed, 22 Oct 2003 15:08:38 -0500




Er...What?

Auto-updates are only bad if you screw them up, no? Now why were they screwed
up? Are you saying that the old nomenclature for "CVS Stable" no longer applies
to snort 2.0.x?

Snort is no good w/o auto-updates..no time to babysit processes.

Marc



On Wed, 22 Oct 2003, Marc Quibell wrote:


Automatically downloaded new rules last night, as is every night, got
errors in syslog:

Unknown keyword 'isdataat'
Unknown keyword 'pcre'

in a few of the new rule files (exploit, ftp, imap, pop2, pop3, nnmp,
smtp, misc). What are these keywords? Typos? Or did something (version)
change? THX!


Erek Adams wrote:

<Mr.MackeyVoice>
  See Kids?  Auto updates are bad, M'kay.
</Mr.MackeyVoice>

The new CVS version makes use of those new keywords.  Due to a little bit
of b0rkage, the -STABLE CVS tag had its rules changed.

Simple fix:  Restore your rules from the backup.  You do have a backup
don't you? :)

Note to everyone who auto-updates rules:  What has happened is a prime
example of why auto-updates are not a 100% good thing.  Your best bet is
to have all of your local sensors update from a master server that you
manually update the rules on.  That eases administration, while at the
same time allows for human control and interaction.

Cheers!

-----
Erek Adams

   "When things get weird, the weird t




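A check that a master server could run on freshly downloaded rule files before sensors pull them, so a rule set that uses keywords the installed engine does not know (as with 'isdataat' and 'pcre' above) is held back instead of deployed. This is an added example, not code from the thread or from the Snort project; the `SUPPORTED` list, the function names and the sample rules are constructed, and it assumes one rule per line.

```python
import re

# Assumption: keywords the installed engine accepts (constructed list; take
# the real one from the documentation of the version on your sensors).
SUPPORTED = {"msg", "flow", "content", "nocase", "offset", "depth",
             "reference", "classtype", "sid", "rev"}

# One option = plain characters, backslash escapes, or whole quoted strings,
# so a ';' or ':' inside a quoted value does not end the option.
OPTION = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def split_options(body):
    """Split the text between a rule's parentheses into its options."""
    return [o.strip() for o in OPTION.findall(body) if o.strip()]

def unknown_keywords(rules_text, supported=SUPPORTED):
    """Return (line_number, keyword) pairs the engine would not recognise."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = re.search(r"\((.*)\)\s*$", line)
        if line.lstrip().startswith("#") or not m:
            continue  # comment, blank line, or not a one-line rule
        for opt in split_options(m.group(1)):
            keyword = opt.split(":", 1)[0].strip()
            if keyword not in supported:
                findings.append((lineno, keyword))
    return findings

def safe_to_deploy(rule_files, supported=SUPPORTED):
    """rule_files: name -> text. Returns (ok, {name: findings}) for the gate."""
    report = {n: unknown_keywords(t, supported) for n, t in rule_files.items()}
    report = {n: f for n, f in report.items() if f}
    return not report, report

# Constructed sample download: one rule uses the two keywords from the thread.
SAMPLE = {
    "ftp.rules": 'alert tcp any any -> any 21 (msg:"constructed\\; FTP"; '
                 'flow:to_server,established; content:"USER"; nocase; '
                 'isdataat:100,relative; pcre:"/^USER\\s[^\\n]{100}/smi"; '
                 'sid:1000001; rev:1;)\n',
    "local.rules": '# constructed\nalert tcp any any -> any 25 '
                   '(msg:"SMTP"; content:"HELO"; sid:1000002; rev:1;)\n',
}

if __name__ == "__main__":
    ok, report = safe_to_deploy(SAMPLE)
    print("deploy" if ok else f"keep current rules, rejected: {report}")
```
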