[Snort-users] Unknown keyword "flow" in rule!

Frank Knobbe FKnobbe at ...649...
Sat Mar 30 16:11:10 EST 2002

Hehe... I fell for that the other day myself. I believe you have to
download the snortrules-stable.tar.gz or something like that. At
least, not current.

If you update the rules from CVS (like I do), you need to specify the
-r SNORT_1_8 tag.

The flow keyword seems to be something new in the 1.9 (?) version the
guys are currently working on. Maybe someone else can elaborate as to
what it does (yeah, I know it's for flow control, but will it replace
-> or is it layer 7 specific?)


PS: I'm running 1.8.4 (build 101)

> -----Original Message-----
> From: Steve Ochani [mailto:jpegny at ...549...]
> Sent: Saturday, March 30, 2002 5:10 PM
> Hello all,
> I'm running snort 1.8.3 (prebuilt package) on SunOS 5.8 on an Ultra
> 10.
> I wanted to start to use 1.8.4 and snortrules-current.tar.gz.
> I removed 1.8.3 via pkgrm, wiped out the old rules and installed 
> snort-1.8.4-solaris8.pkg.gz and put 
> snortrules-current.tar.gz, configured snort.conf etc and tried 
> to start snort by using this command line
> /opt/snort/bin/snort -o -d -D -A fast -c /opt/snort/etc/snort.conf
> but I received the following error (in the /var/adm/messages) 
> ERROR: ./exploit.rules(7) => Unknown keyword "flow" in rule!
> I have also tried
> snort-current-sol8.pkg.gz
> (which is 1.8.3) and no go
> What am I doing wrong? Should I build 1.8.4 from source (why
> would that be diff than the
> prebuilt package?)
