[Snort-users] Invalid rules

Matt Kettler mkettler at ...4108...
Mon Mar 4 10:33:12 EST 2002


Mike,

You've checked to see that classification.config is present alongside your 
rules, which is good, but it still looks like the classification.config is 
not properly set up. Paul's problem looks like it might be a typographical 
error in a rules file, as his output shows the file gets included before 
the rules files are loaded. I've never run demarc, but Paul might consider 
checking syslog, or trying to run snort directly from the command line to 
see what the real error messages are from snort itself; it might give him a 
better idea as to what is wrong.

As for Mike's problem:

Did you confirm that snorteth1.conf.tst contains an include for the 
classification.config like this one:

include classification.config

Does it include it *before* any of the .rules files are included?

The "stock" snort.conf file includes the classification.config right above 
the comment block for the rules file section...
-----------------------

#
# Include classification & priority settings
#

include classification.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
<snip - more comment block>

include bad-traffic.rules
include exploit.rules
include scan.rules
...


At 11:28 AM 3/4/2002 -0500, Mike_Sands at ...5033... wrote:

>I think that you may be experiencing a similar issue that I am having. I
>have manually imported the new ruleset and attempted to restart
>snort/demarc. I get an error stating
>ERROR ./snorteth1.conf.tst(1629) => Bad Priority setting "attempted-recon"
>ERROR ./snorteth1.conf.tst(1630) => Bad Priority setting "attempted-recon"
>ERROR ./snorteth1.conf.tst(1631) => Bad Priority setting "attempted-recon"
>ERROR ./snorteth1.conf.tst(1632) => Bad Priority setting "attempted-recon"
<snip>

>the syntax of the rules looks fine and the classification.config file is
>there but snort just won't take the new ruleset.
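
Added example (not part of the original message and not Snort's own code): a small Python check for the include-order condition described above. It walks a config in load order, follows include lines, and reports every rule whose classtype has not yet been defined by a "config classification:" line. Assumptions: include paths are used exactly as written (run it from the config directory, no variable expansion), and the sample files embedded below are constructed for illustration.

```python
import re

CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")
CLASSTYPE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")

def read_file(path):
    with open(path) as fh:
        return fh.read()

def undefined_classtypes(path, read=read_file, known=None, seen=None):
    """Walk a Snort config in load order, following include lines, and return
    (file, line_no, classtype) for each rule whose classtype has not been
    defined by a 'config classification:' line read earlier."""
    known = set() if known is None else known
    seen = set() if seen is None else seen
    problems = []
    if path in seen:  # guard against include loops
        return problems
    seen.add(path)
    for no, line in enumerate(read(path).splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_DEF.match(line)
        if m:
            known.add(m.group(1))  # classification is usable from here on
            continue
        m = INCLUDE.match(line)
        if m:
            problems += undefined_classtypes(m.group(1), read, known, seen)
            continue
        for name in CLASSTYPE.findall(line):
            if name not in known:
                problems.append((path, no, name))
    return problems

# Constructed sample files (not taken from the thread), keyed by file name.
SAMPLE = {
    "classification.config":
        "config classification: attempted-recon,Attempted Information Leak,2\n",
    "scan.rules":
        'alert tcp any any -> any 80 (msg:"constructed sample"; '
        'classtype:attempted-recon; sid:1000001;)\n',
    "good.conf": "include classification.config\ninclude scan.rules\n",
    "bad.conf": "include scan.rules\ninclude classification.config\n",
}

if __name__ == "__main__":
    for conf in ("good.conf", "bad.conf"):
        print(conf, undefined_classtypes(conf, SAMPLE.__getitem__))
```

Against real files, call undefined_classtypes("snort.conf") from the directory that holds the config; an empty list means every classtype was defined before the rule that uses it.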




