[Snort-users] Unknown argument to http_decode preprocessor:

Andreas Östling andreaso at ...236...
Mon Aug 12 14:08:05 EDT 2002


On Mon, 12 Aug 2002, Augustinho Catto wrote:

> Hi,
> Excuse me, I am a newbie but I think something is wrong becouse I
> downloaded a "stable" version of signatures. I used oinkmaster.pl
> and It was started from my cron to perform download from:
> url = http://www.snort.org/dl/signatures/snortrules.tar.gz

In snort.conf from the above url, the http_decode line
says "preprocessor http_decode: 80 -unicode -cginull", which works with
the 1.8 branch of snort. Your line is from the -current version of the
rules, which is not to be used with the 1.8 branch of snort.

The problem may be that you first had the -current rules and then
"updated" them to the stable version. By default, Oinkmaster does not
update snort.conf (for reasons mentioned in its README).
Or maybe you're simply pointing to the wrong snort.conf when starting
snort?

/Andreas





More information about the Snort-users mailing list