[Snort-users] help...initializing snort

Martin Roesch roesch at ...421...
Fri Oct 6 23:26:23 EDT 2000


Sounds like there's a carriage return in a line or something someplace it
shouldn't be.  The Snort rules parser can be pretty finicky sometimes.  Can
you post your rules file up for us to look at?

     -Marty

Michael Packer wrote:
> 
> Hello,
> 
> I'm trying to set up Snort v1.6 (will move to 1.6.3 later)
> 
> I installed from the RPM under Red Hat 6.2
> 
> when I run snort -v I get lots of data going through...
> 
> I've put the rules file I got from the web in /etc/snort as 10500.txt
> (there are already a bunch of files in there: backdoor-lib, misc-lib
> etc.)
> 
> when I try to run snort with the following:
> 
> snort -h 1.2.3.4 -d -A fast -c /etc/snort/10500.txt -p -s -i eth1
> 
> I always get this error:
> 
> ERROR line /etc/snort/10500.txt (13) => Unknown rule type ((null))
> 
> well line 13 of that file is:
> 
> a blank line.
> 
> there are 3 lines above it (preprocessor lines) and then a bunch of comments... this
> is actually the first few lines of 10500.txt
> with my IP address changed of course...
> 
> preprocessor http_decode: 80 443 8080
> preprocessor minfrag: 128
> preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log
> #                      ^^^^^^^^^^^    ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> #                               |     | |              |
> #Your IP address or Network here+     | |              |
> #                                     | |              |
> #Ammount of ports being connected-----+ |              |
> #   in this                             |              |
> #Interval (in seconds)------------------+              |
> #                                                      |
> #Log file (path/name)----------------------------------+
> 
> #preprocessor portscan-ignorehosts: Hosts to ignore in portscan detection
> 
> can anyone help???
> 
> thanks!
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
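
One way to check a rules file for the stray carriage return suggested in the reply above. This is an added example, not part of the original thread and not Snort code; the function name `find_hidden_bytes` and the sample file content are constructed for illustration.

```python
import sys


def find_hidden_bytes(data: bytes):
    """Return (line_number, description) for every line that contains a
    carriage return or another control byte a text editor would not show."""
    findings = []
    # Split on LF only, so a CR left behind by a DOS/Windows editor or an
    # ASCII-mode transfer stays inside the line and can be reported.
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        # Tab is ordinary whitespace in a rules file; flag other controls.
        hidden = sorted({b for b in line if (b < 0x20 and b != 0x09) or b == 0x7F})
        if not hidden:
            continue
        visible = bytes(b for b in line if b not in hidden).strip()
        kind = "looks blank" if not visible else "has text"
        names = ", ".join("CR" if b == 0x0D else f"0x{b:02x}" for b in hidden)
        findings.append((lineno, f"{kind}, contains {names}"))
    return findings


# Constructed sample: Unix line endings except one "blank" line holding a CR.
SAMPLE = (
    b"preprocessor http_decode: 80 443 8080\n"
    b"preprocessor minfrag: 128\n"
    b"# comment\n"
    b"\r\n"
    b"#preprocessor portscan-ignorehosts: Hosts to ignore in portscan detection\n"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for lineno, desc in find_hidden_bytes(data):
        print(f"line {lineno}: {desc}")
```

The line numbers it reports count the same way as the number in the parser's error message, so a hit on the reported line points at the byte to strip.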


