[Snort-users] Stable Snort Rules fails?

matt mkettler at ...4108...
Sat Jun 1 12:28:11 EDT 2002

It sounds like Juan is using one of the rule management tools that has an 
unfortunate 'feature' in it's default mode.

I forget the name of the tool offhand, and in a quick search i could not 
find the information I needed, however as I recall there is a rules 
management tool that will by default uncomment all rules in the downloaded 
set prior to merging it with the existing set. There's a commandline switch 
to inhibit this behavior.

I recall this being discussed on-list several months ago, the author of the 
tool had commented on-list that he wished he had made the "don't uncomment 
rules" behavior the default.

At 02:17 PM 5/31/2002 -0700, Erek Adams wrote:
>On Fri, 31 May 2002, Juan Pablo Villaverde wrote:
> >
> > I have installed Snort 1.8.6 build 151, when I download the stable
> > rules from snort:
> > (http://www.snort.org/dl/signatures/snortrules.tar.gz)
> >
> > I get the following error:
> >
> > ERROR .//bad-traffic.rules(19) => Bad protocol name ">134"
> > Fatal Error, Quitting..
> >
> > This rule must be OK... but fails!! Why?
>Errr...  I just grabbed the same file.  That rule is #19, and it's commented
>out along with #20.
># alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC
>Unassigned/Reser ved IP protocol"; ip_proto:>134;
>classtype:non-standard-protocol; sid:1627;  rev: 1;)
>Usually if a rule is commented out in the rules distro, it was done for a
>reason. :)
>Erek Adams
>Don't miss the 2002 Sprint PCS Application Developer's Conference
>August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list