[Snort-sigs] Flowbits error on the latest Sig's?

Matthew Watchinski mwatchinski at ...435...
Tue Mar 1 17:37:00 EST 2005


Do you have local rules that use flowbits and/or bleeding rules that use 
flowbits?  If you do then you will have to add the following to snort.conf.

config flowbits_size: <some integer greater than 32 which is the default>

Cheers,
-matt

Bristol, Gary L. wrote:

>Mar  1 18:07:59 tsc01 snort: PID path stat checked out ok, PID path set to /var/run/
>Mar  1 18:07:59 tsc01 snort: Writing PID "2785" to file "/var/run//snort_eth0.pid"
>Mar  1 18:07:59 tsc01 snort: Parsing Rules file /etc/snort/snort.conf
>Mar  1 18:07:59 tsc01 snort: ,-----------[Flow Config]----------------------
>Mar  1 18:07:59 tsc01 snort: | Stats Interval:  0
>Mar  1 18:07:59 tsc01 snort: | Hash Method:     2
>Mar  1 18:07:59 tsc01 snort: | Memcap:          10485760
>Mar  1 18:07:59 tsc01 snort: | Rows  :          4099
>Mar  1 18:07:59 tsc01 snort: | Overhead Bytes:  16400(%0.16)
>Mar  1 18:07:59 tsc01 snort: `----------------------------------------------
>Mar  1 18:07:59 tsc01 snort: rpc_decode arguments:
>Mar  1 18:07:59 tsc01 snort:     Ports to decode RPC on: 111 32771
>Mar  1 18:07:59 tsc01 snort:     alert_fragments: INACTIVE
>Mar  1 18:07:59 tsc01 snort:     alert_large_fragments: ACTIVE
>Mar  1 18:07:59 tsc01 snort:     alert_incomplete: ACTIVE
>Mar  1 18:07:59 tsc01 snort:     alert_multiple_requests: ACTIVE
>Mar  1 18:07:59 tsc01 snort: telnet_decode arguments:
>Mar  1 18:07:59 tsc01 snort:     Ports to decode telnet on: 21 23 25 119
>
>Mar  1 18:08:00 tsc01 snort: FATAL ERROR: FLOWBITS ERROR: The number of flowbit IDs in the current ruleset exceed the maximum number of IDs that are allowed.
>Mar  1 18:08:00 tsc01 kernel: device eth0 left promiscuous mode
>
>Snort version 2.3.0
>
>
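
An added example, not part of the original thread and not Snort project code: one way to count the distinct flowbit IDs across stock, local and bleeding rule files before picking a `flowbits_size` value. It assumes the limit named in the FATAL ERROR counts distinct flowbit names, takes the default of 32 from the reply above, and runs on constructed sample rules; all function and variable names are hypothetical.

```python
import re

# Matches each flowbits option in a rule body, e.g. "flowbits:set,http.login;"
FLOWBITS_OPT = re.compile(r"flowbits\s*:\s*([^;]+);", re.IGNORECASE)
NAMELESS_OPS = {"noalert", "reset"}   # operations that carry no flowbit name
DEFAULT_LIMIT = 32                    # default stated in the reply (assumed to count IDs)


def flowbit_ids(rules_text):
    """Return the set of distinct flowbit names used by active (uncommented) rules."""
    ids = set()
    joined = rules_text.replace("\\\n", " ")   # fold backslash-continued rules
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        for match in FLOWBITS_OPT.finditer(line):
            parts = [p.strip() for p in match.group(1).split(",")]
            if parts[0].lower() in NAMELESS_OPS or len(parts) < 2 or not parts[1]:
                continue
            ids.add(parts[1])
    return ids


def check(rule_texts, limit=DEFAULT_LIMIT):
    """Count distinct IDs across all rule files and report whether they fit the limit."""
    ids = set()
    for text in rule_texts:
        ids |= flowbit_ids(text)
    return len(ids), len(ids) <= limit


# Constructed sample input: 30 "stock" rules plus a small local rules file.
SAMPLE_STOCK = "\n".join(
    'alert tcp any any -> any 80 (msg:"constructed %d"; flowbits:set,stock.bit%d; '
    'flowbits:noalert; sid:%d;)' % (i, i, 1000000 + i) for i in range(30))
SAMPLE_LOCAL = """\
# alert tcp any any -> any 21 (msg:"disabled"; flowbits:set,local.off; sid:1000100;)
alert tcp any any -> any 21 (msg:"constructed a"; flowbits:set,local.ftp; sid:1000101;)
alert tcp any any -> any 21 (msg:"constructed b"; flowbits:isset,local.ftp; \\
    flowbits:set,local.ftp2; sid:1000102;)
alert tcp any any -> any 25 (msg:"constructed c"; flowbits:toggle,local.smtp; sid:1000103;)
"""

if __name__ == "__main__":
    count, fits = check([SAMPLE_STOCK, SAMPLE_LOCAL])
    print("distinct flowbit IDs: %d, fits limit %d: %s" % (count, DEFAULT_LIMIT, fits))
```

On real input, pass the contents of every rules file that snort.conf includes, since the IDs from all of them are counted together.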




