[Snort-users] Error from rule file (IDS409?)

Habu Takuya habu at ...1066...
Thu Jan 4 00:02:09 EST 2001


I'm a newbie to snort.
I got a new rule file from "Individual Rules by type"
on the snort downloads page, updated 12/12/2000
(i.e. http://www.snort.org/Files/rule_breakout/xxx ),
and ran snort-1.6.3-patch2 with these rules on
Redhat Linux 6.0, then an error occurred.

# /usr/local/bin/snort -d -b -c snort-lib -l snortlog -h 10.xxx.xxx.xxx/32

then,

ERROR Line 5 => Please place "content" rules before depth, nocase or offset
modifiers.

There is the following line in snort-lib:
include /etc/snort/misc

and this is line 5 of /etc/snort/misc (the same as that of
http://www.snort.org/Files/rule_breakout/misc ):
alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; flags:
AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)

I put "#" at the top of this line, then snort ran correctly.

Is there something wrong in this rule?
Or did I make a mistake?

Regards,
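
The ordering constraint stated by the error message above, as an added example that is not part of the original post and is not Snort's own parser: a small Python check that flags depth, nocase or offset options appearing before any content option in a rule. It assumes that this is the only ordering requirement involved; the function names and the reordered rule are constructed for illustration.

```python
import re

# Modifiers named in the Snort error message quoted in the post.
CONTENT_MODIFIERS = {"depth", "nocase", "offset"}


def split_options(rule):
    """Return (keyword, value) pairs from the parenthesised option block."""
    match = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not match:
        raise ValueError("rule has no option block")
    pairs = []
    # Split on ';' but keep semicolons that sit inside a quoted string.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', match.group(1)):
        opt = " ".join(opt.split())  # also undoes mail line wrapping
        if opt:
            key, _, value = opt.partition(":")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def misplaced_modifiers(rule):
    """List modifiers that appear before any content option."""
    seen_content = False
    problems = []
    for key, _ in split_options(rule):
        if key == "content":
            seen_content = True
        elif key in CONTENT_MODIFIERS and not seen_content:
            problems.append(key)
    return problems


# The rule quoted in the post (line 5 of the misc rule file), wrap included.
POSTED_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; flags:\n'
               'AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)')

# Constructed variant: depth moved to follow the first content option.
REORDERED_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; '
                  'flags: AP; content: "ftp|3a|"; depth: 4; nocase; content: "@/";)')

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("reordered", REORDERED_RULE)):
        print(name, misplaced_modifiers(rule) or "ok")
```

Run over a whole rule file, a check like this points at every line that would trigger the same startup error, so the affected rules can be reviewed together.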





