[Snort-users] Error from rule file (IDS409?)
habu at ...1066...
Thu Jan 4 00:02:09 EST 2001
I'm a newbie to Snort.
I got a new rule file from "Individual Rules by type"
on the Snort downloads page, updated 12/12/2000
(i.e. http://www.snort.org/Files/rule_breakout/xxx )
and ran snort-1.6.3-patch2 with these rules on
Redhat Linux 6.0, then an error occurred.
# /usr/local/bin/snort -d -b -c snort-lib -l snortlog -h 10.xxx.xxx.xxx/32
ERROR Line 5 => Please place "content" rules before depth, nocase or offset
There is the following line in snort-lib:
and this is line 5 of /etc/snort/misc (the same as that of
alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; flags:
AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)
I put "#" at the top of this line, then snort ran correctly.
Is there something wrong in this rule?
Or did I make a mistake?
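
The ordering constraint named in the error message can be checked before starting Snort. The following is an added example, not part of the original post and not Snort's own parser; the function names are hypothetical, and REORDERED_RULE is a constructed variant that assumes "depth" was meant to apply to the first "content".

```python
# Modifier options named in the error message; each must follow a "content".
MODIFIERS = {"depth", "nocase", "offset"}

# The rule as posted, joined onto one line.
POSTED_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; '
               'flags: AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)')
# Constructed variant (assumption): "depth" moved behind the first "content".
REORDERED_RULE = POSTED_RULE.replace('depth: 4; content: "ftp|3a|";',
                                     'content: "ftp|3a|"; depth: 4;')

def option_names(rule):
    """Return the option keywords, in order, from the parenthesised rule body."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        raise ValueError("rule has no option block")
    names, token, in_quotes = [], "", False
    for ch in rule[start + 1:end]:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:   # a ';' inside quotes is part of the value
            names.append(token)
            token = ""
        else:
            token += ch
    names.append(token)
    return [t.split(":", 1)[0].strip().lower() for t in names if t.strip()]

def misplaced_modifiers(rule):
    """Return (position, keyword) for each modifier seen before any content."""
    seen_content, problems = False, []
    for pos, name in enumerate(option_names(rule), start=1):
        if name == "content":
            seen_content = True
        elif name in MODIFIERS and not seen_content:
            problems.append((pos, name))
    return problems

def lint_rules(lines):
    """Check each non-comment line; return (line_number, position, keyword)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            findings += [(lineno, p, n) for p, n in misplaced_modifiers(line)]
    return findings

# Constructed file: four placeholder comment lines, then the posted rule on line 5.
SAMPLE_FILE = ["# placeholder"] * 4 + [POSTED_RULE]

if __name__ == "__main__":
    print(lint_rules(SAMPLE_FILE))
    print(misplaced_modifiers(REORDERED_RULE))
```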