[Snort-users] Snort complains about rules file

Joe McAlerney joey at ...155...
Fri Mar 30 12:24:33 EST 2001


Tom Sevy wrote:

> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR netbios.rules:7 => Port value missing in rule!
> 
> Here is what is in netbios.rules, as downloaded from snort.org:
> 
> #--------------
> # NETBIOS RULES
> #--------------
> # UPDATED 03/28/2001
> #
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison";
> flags: A+; content: "|5C 0

EXTERNAL_NET is undefined.  It's interpreting the first "any" as the
network address, and therefore can not find a port.  If HOME_NET was
undefined, it would interpret "(msg:"NETBIOS" as the port number.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+




More information about the Snort-users mailing list