[Snort-users] Error from rule file (IDS409?)

Martin Roesch roesch at ...421...
Thu Jan 18 02:59:53 EST 2001


Depth, offset and case options need to be associated with a specific
content option.  Since there may be multiple content options in a single
rule, you need to "prime" the other options with a starting content
option.  In the rule below, you need to put the "content" keyword as the
first option before the "depth" and "nocase" keywords.

     -Marty

Habu Takuya wrote:
> 
> I'm a newbie to snort.
> I got a new rule file from "Individual Rules by type"
> of snort downloads page Updated 12/12/2000
> (i.e. http://www.snort.org/Files/rule_breakout/xxx )
> and ran snort-1.6.3-patch2 with these rules on
> Redhat Linux 6.0, then an error occurred.
> 
> # /usr/local/bin/snort -d -b -c snort-lib -l snortlog -h 10.xxx.xxx.xxx/32
> 
> then,
> 
> ERROR Line 5 => Please place "content" rules before depth, nocase or offset
> modifiers.
> 
> there is the following line in snort-lib:
> include /etc/snort/misc
> 
> and this is line 5 of /etc/snort/misc (the same as that of
> http://www.snort.org/Files/rule_breakout/misc ):
> alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; flags:
> AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)
> 
> I put "#" at the top of this line, then snort ran correctly.
> 
> Is there something wrong in this rule?
> Or did I make a mistake?
> 
> Regards,

--
Martin Roesch
roesch at ...421...
http://www.snort.org
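
Added example, not part of the original post or of Snort itself: a small Python check that walks a rule's option list and binds each depth, offset or nocase modifier to the content option before it, reporting any modifier that has no content to bind to. The function names and the reordered rule are assumptions made for illustration; the first rule is the one quoted in the message.

```python
import re

# Modifiers that bind to the content option preceding them in the rule.
CONTENT_MODIFIERS = {"depth", "offset", "nocase"}

# Line 5 of the misc rule file as quoted in the post, joined onto one line.
BROKEN = ('alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; '
          'flags: AP; depth: 4; content: "ftp|3a|"; nocase; content: "@/";)')
# Assumed reordering (not from the post): depth moved behind the first content.
FIXED = ('alert tcp !$HOME_NET any -> $HOME_NET 70 (msg: "IDS409-gopher-proxy"; '
         'flags: AP; content: "ftp|3a|"; depth: 4; nocase; content: "@/";)')


def split_options(rule):
    """Return (keyword, value) pairs from the parenthesised option list, in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = []
    # Split on ';' while keeping any ';' that sits inside a quoted string.
    for part in re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body):
        keyword, _, value = part.strip().partition(":")
        if keyword:
            options.append((keyword.strip().lower(), value.strip()))
    return options


def bind_modifiers(rule):
    """Attach each modifier to the content before it; collect those with none."""
    contents, orphans = [], []
    for position, (keyword, value) in enumerate(split_options(rule), start=1):
        if keyword == "content":
            contents.append({"content": value, "modifiers": []})
        elif keyword in CONTENT_MODIFIERS:
            if contents:
                contents[-1]["modifiers"].append(keyword)
            else:
                orphans.append((position, keyword))
    return contents, orphans


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("fixed", FIXED)):
        contents, orphans = bind_modifiers(rule)
        print(name, "orphans:", orphans)
        for entry in contents:
            print("   ", entry["content"], "<-", entry["modifiers"])
```

Running the same check over a whole rule file before loading it shows which rules would trip the "place content rules before depth, nocase or offset" error, and which content each modifier actually constrains.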