[Snort-users] Current Rule Set

Matt Kettler mkettler at ...4108...
Mon Jun 10 17:15:07 EDT 2002

I'd wager that you downloaded new rules, but used your old snort.conf with 
the new .rules files, and it's complaining about SHELLCODE_PORTS.

The new rules tarball should have a snort.conf in it, with some new 
variables in it needed for the shellcode rules. Copy the "var 
SHELLCODE_PORTS" line from that conf file into your existing snort.conf and 
you should be ok.

Remember, the snort.conf is included in the rules tarball for a good reason 
and should not be overlooked :) (it isn't there as a decoration).

FAQ maintainer: suggestion, add the "I just downloaded a new ruleset and 
snort complains that XXXX is undefined" to the FAQ. Something along the 
lines of this:

Q: I just downloaded a new ruleset and now snort fails complaining about 
the rules.

         First, make sure you downloaded the right ruleset for your version 
of snort. Snort.org generally hosts a ruleset for the released version of 
snort, as well as rules for the development branch and sometimes copies for 
older versions of snort. This is generaly the case for "unknown keyword in 
rule" type errors.
         If you have the rules that are correct for your version of snort 
be aware that the snort rules tarball contains a snort.conf file. From time 
to time the snort.conf included with the rules gets changed as new .rules 
files are added, and new variables are added to support a better ruleset. 
When downloading new rulesets you should always give the included 
snort.conf a quick look-over to see if new includes or vars have been 
added, or at least be aware you should consult it if things do not work as 
expected. This is generally the case if you get messages indicating that 
something is undefined in a rule.

At 04:49 PM 6/10/2002 -0500, Hall, Duane wrote:
>I just loaded the current rule set and am getting rule errors when
>loading snort.  Is there any way for snort to tell me which rules are
>having errors?  It tells me that there are bad ports.
>Duane Hall
>Security Administrator
>Hastings Entertainment, Inc.
>806-351-2300 X-3945
>54 68 65 72 65 20 69 73 20 6e 6f 74 68 69 6e 67 20 68 65 72 65 2e
>Don't miss the 2002 Sprint PCS Application Developer's Conference
>August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list