Snort mailing list archives

Snort 2.3.1 Error parsing Bleeding rules


From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Fri, 11 Mar 2005 10:15:34 +0900

I just tried setting up Snort 2.3.1, and it's having problems parsing the
Bleeding Rules.  The same snort.conf with the same .rules file works fine
with Snort 2.3.0.

Here is the error:

 FATAL ERROR: Unterminated rule in file
/etc/snort/bleed/bleeding-attack_response.rules, line 57    (Snort rules
must be contained on a single line or on multiple lines with a '\'
continuation character at the end of the line,  make sure there are no
carriage returns before the end of this line).

I double checked line 57 in the rules file and it looks ok to me.  Here are
lines 56-58 of the file:

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000348; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349; rev:3;)

Any ideas what could be causing this??

Barry
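
An added example, not part of the original post and not Snort code: a small Python checker for the two conditions the error message names, a rule split across lines without a trailing '\' and carriage returns inside the file. It is not Snort's parser and does not establish why 2.3.1 rejects this file; the function names and the sample file are constructed here, built around the sid 2000349 rule quoted in the post.

```python
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")

def scan(rule):
    """Return problems for one logical rule line (quotes and option list)."""
    in_quote = escaped = False
    depth = opened = 0
    for ch in rule:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth, opened = depth + 1, 1
        elif not in_quote and ch == ")":
            depth -= 1
    found = ["unbalanced double quote"] if in_quote else []
    if opened and (depth != 0 or not rule.rstrip().endswith(")")):
        found.append("option list not closed")
    return found

def check(text):
    """Return [(first_line_no, problem)] for every rule in a rules file."""
    report, buf, start = [], "", None
    for no, raw in enumerate(text.split("\n"), 1):
        start = start or no
        if "\r" in raw:
            report.append((no, "carriage return"))
            raw = raw.replace("\r", "")
        if raw.endswith("\\"):           # continuation: keep collecting
            buf += raw[:-1]
            continue
        rule, buf = buf + raw, ""
        if rule.lstrip().startswith(ACTIONS):
            report += [(start, p) for p in scan(rule)]
        start = None
    if start is not None:                # file ended while a '\' was pending
        report.append((start, "continuation at end of file"))
    return report

RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC '
        r'- DCC file transfer request on non-std port"; flow:to_server,established; '
        r'content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; '
        r'nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349; rev:3;)')
CUT = RULE.index("flow:")
# Constructed file: intact, continued with '\', wrapped without '\', CRLF-terminated.
SAMPLE = "\n".join([RULE, RULE[:CUT] + "\\", RULE[CUT:], RULE[:CUT], RULE[CUT:], RULE + "\r"])
print(check(SAMPLE))
```

To run it against a real rules file, read the file with `open(path, newline="")` so that carriage returns are not translated away before `check` sees them.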


