Snort Failing While Reading Rules File


From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: Wed, 2 Oct 2019 20:37:06 -0400

I'm running Snort inline as an IPS system.

I upgraded Snort to 2.9.14.1 just over a week ago. Once it was running, with the same disablesid.conf I was using before the update, I began receiving a lot of alerts that I hadn't been receiving before. The sids were 120:5, 120:7, 120:8, 129:5, 129:18, 129:20 and 142:2.

I gradually began adding the sids giving the most alerts to the disablesid.conf file. Each time I update the disablesid.conf file, I run pulledpork and restart Snort.

This morning I added 120:7 and 129:5 to the disablesid.conf file.

Snort was running just fine until I updated my rules file. After the update I restarted Snort as I usually do. While reading the rules file, Snort failed. Here are the messages I received:

WARNING: /etc/snort/rules/snort.rules(756) threshold (in rule) is depreciated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(2478) Flowbits: Invalid token noreject.

I realize the first message isn't an error, I just included it for context.

I commented out this rule and restarted Snort. I received an error on a different pair of rules. Commented out that pair of rules, same results.

I downloaded the rules again, same results.

After some experimenting I learned that if I remove sids 120:7 and 129:5 from the disablesid.conf file, re-run pulledpork and restart Snort, it no longer fails.

Jim Campbell
