[Snort-users] Snort rules trouble.

Matt Kettler mkettler at ...4108...
Fri Jun 21 10:09:04 EDT 2002

It would sound like you are trying to use rules which are for snort-current 
(aka: development version) on a snort which is snort 1.8.6.

Either that or you are using a "rule management" tool (I forget the name.. 
hogwash was it?) that has a default behavior of uncommenting all the rules 
before it runs. There's a command line switch to stop that.

Any rule with the word "flow" in it is not intended for snort 1.8.6 or 
earlier, but 1.8.6's ruleset has a few with that keyword in it, which are 
commented out in the files. Try re-extracting your rules files from the 
snort 1.8.6 source tarball and not running them through any tools.

At 12:21 PM 6/21/2002 -0400, Jason Gauthier wrote:
>I just installed snort, so I'm a completely new user. I've been reading many
>documents about set up, configs, etc.  I realize snort is a complicated
>piece of software.
>Anyway, I compiled and installed snort without issue.  I extracted the
>rules, read the documentation on how to start it.  I edited a snort.conf and
>was ready to go.
>I executed:
>/opt/snort/bin/snort -dev -l /opt/snort/logs -c /opt/snort/etc/snort.conf
>Starts up and then errors out:
>ERROR /opt/snort/rules/bad-traffic.rules(19) => Bad protocol name ">134"
>Eh, not too bad. So I read some more, and then edit the rule.
>I decide to comment it out, so I can fix it later, for now, I would like to
>get snort running.
>Immediately follows:
>ERROR: /opt/snort/rules/exploit.rules(7) => Unknown keyword "flow" in rule!
>So, I check out this rule file and notice they all have "flow" in them.
>I now decide something is completely wrong :)
>This is "current", as I had the same problems with the rules with 1.8.6.
>Appreciate any insight.
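As an added check (not part of this thread, and not snort's own code): a small Python linter that reports which uncommented rules in a file a snort 1.8.6 parser would reject, either because the header's protocol is not tcp/udp/icmp/ip or because the options use the "flow" keyword, so leftover snort-current rules can be found before snort is started. The sample rules and their sids are constructed; the accepted protocol set and the handling of "#" lines and backslash continuations are assumptions about the 1.8.x rule syntax.

```python
import re

# Option keywords the thread says 1.8.6 does not know; extend for your version.
UNSUPPORTED_OPTIONS = {"flow"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}  # header protocols assumed valid for 1.8.x

def join_continuations(text):
    """Yield (first_line_no, logical_rule), joining backslash-continued lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(p.strip() for p in buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation; still report the fragment
        yield start, " ".join(p.strip() for p in buf)

def lint_rules(text):
    """Return [(line_no, problem)] for active rules a 1.8.6 parser would reject."""
    problems = []
    for no, rule in join_continuations(text):
        if not rule or rule.startswith("#"):
            continue  # blank or commented-out: snort skips it, so do we
        fields = rule.split()
        proto = fields[1] if len(fields) > 1 else ""
        if proto not in PROTOCOLS:
            problems.append((no, f'bad protocol name "{proto}"'))
            continue
        m = re.search(r"\((.*)\)\s*$", rule)  # option section between ( and )
        for opt in (m.group(1).split(";") if m else []):
            key = opt.split(":", 1)[0].strip()
            if key in UNSUPPORTED_OPTIONS:
                problems.append((no, f'unknown keyword "{key}" in rule'))
    return problems

# Constructed sample rule file (not the real 1.8.6 ruleset); sids are made up.
SAMPLE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP test"; flow:to_server,established; content:"USER"; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"commented out"; flow:to_server; sid:1000002;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test"; content:"|00 01|"; sid:1000003; rev:1;)
alert ipx any any -> any any (msg:"bogus protocol"; sid:1000004;)
alert tcp any any -> any 80 (msg:"continued rule"; \\
    flow:to_server; sid:1000005;)
"""
```

Running lint_rules(SAMPLE) flags lines 1 and 5 for "flow" and line 4 for its protocol, while the commented-out rule on line 2 is skipped, which is the behaviour the reply describes for the stock 1.8.6 files.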

