[Snort-users] Stable Snort Rules fails?
mkettler at ...4108...
Sat Jun 1 12:28:11 EDT 2002
It sounds like Juan is using one of the rule management tools that has an
unfortunate 'feature' in its default mode.
I forget the name of the tool offhand, and in a quick search I could not
find the information I needed, however as I recall there is a rules
management tool that will by default uncomment all rules in the downloaded
set prior to merging it with the existing set. There's a command-line switch
to inhibit this behavior.
I recall this being discussed on-list several months ago; the author of the
tool had commented on-list that he wished he had made the "don't uncomment
rules" behavior the default.
At 02:17 PM 5/31/2002 -0700, Erek Adams wrote:
>On Fri, 31 May 2002, Juan Pablo Villaverde wrote:
> > I have installed Snort 1.8.6 build 151, when I download the stable
> > rules from snort:
> > (http://www.snort.org/dl/signatures/snortrules.tar.gz)
> > I get the following error:
> > ERROR .//bad-traffic.rules(19) => Bad protocol name ">134"
> > Fatal Error, Quitting..
> > This rule must be OK... but fails!! Why?
>Errr... I just grabbed the same file. That rule is #19, and it's commented
>out along with #20.
># alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC
>Unassigned/Reserved IP protocol"; ip_proto:>134;
>classtype:non-standard-protocol; sid:1627; rev: 1;)
>Usually if a rule is commented out in the rules distro, it was done for a