[Snort-users] snort rules not being read

John Sage jsage at ...2022...
Sun Sep 8 10:49:02 EDT 2002


On Thu, Sep 05, 2002 at 07:26:12AM -0400, Donnie Green wrote:
> I made the recommended changes and it looks like the rules are being 
> read--although I had to make a link "ln -s /etc/conf/snort.conf 
> /etc/snort.conf".  Now it seems as though I have a faulty 
> rule(bad-traffic.rules).  Just to see, I commented out the rule in 
> /etc/conf/snort.conf and I received an error in the next rule.  It appears 
> as if the rules aren't using the correct syntax??  Following is the output 
> of the command "snort".
> <prompt> snort
> Log directory = /var/log/snort


> ERROR /etc/snort/bad-traffic.rules(20) => Bad protocol name ">134"
> Fatal Error, Quitting..

In my bad-traffic.rules (snort 1.8.7) this line is commented-out:

# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Unassigned/Reserved IP protocol"; ip_proto:>134; \
 classtype:non-standard-protocol; sid:1627; rev:1;)

as is the next:

# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
 ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
 classtype:non-standard-protocol; sid:1620; rev:2;)

You might try this...

- John
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
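The error quoted above comes from a rules file whose `ip_proto` options use comparison operators (`>134`, `!1`), which the parser on the poster's system rejects, and John's suggestion is to comment those rules out as his 1.8.7 bad-traffic.rules already does. The following helper is an added example, not code from the thread or from the Snort project: it reads a rules file, joins backslash-continued lines into one logical rule, reports every active rule that uses `ip_proto` with `>`, `<` or `!` (with its physical line range and sid, the way Snort's `file(N)` message points at a line), and can comment the whole multi-line rule out. The sample rules text is constructed here, modelled on the two rules quoted in the reply.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample rules text (not a real bad-traffic.rules). Lines ending in a
# backslash continue the rule on the next line, as in the rules quoted above.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE plain rule"; sid:1000001; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \\
 Unassigned/Reserved IP protocol"; ip_proto:>134; \\
 classtype:non-standard-protocol; sid:1627; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \\
 Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \\
 classtype:non-standard-protocol; sid:1620; rev:2;)
# alert ip any any -> any any (msg:"already disabled"; ip_proto:>200; sid:1000002; rev:1;)
"""

# ip_proto followed by a relational or negation operator and a protocol number.
IP_PROTO_OP = re.compile(r"ip_proto\s*:\s*([<>!])\s*(\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# A hit is (first_line, last_line, sid, sorted list of operators used).
Hit = Tuple[int, int, Optional[int], List[str]]


def logical_rules(text: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (first_line, last_line, rule_text), 1-based physical line numbers,
    joining lines that end in a backslash continuation."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1
        buf = lines[i]
        while buf.rstrip().endswith("\\") and i + 1 < len(lines):
            buf = buf.rstrip()[:-1] + lines[i + 1]  # drop the backslash, append next line
            i += 1
        yield start, i + 1, buf
        i += 1


def find_operator_ip_proto(text: str) -> List[Hit]:
    """Return active (uncommented) rules that use ip_proto with >, < or !."""
    hits: List[Hit] = []
    for start, end, rule in logical_rules(text):
        stripped = rule.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or already commented out
        ops = IP_PROTO_OP.findall(rule)
        if not ops:
            continue
        m = SID_RE.search(rule)
        sid = int(m.group(1)) if m else None
        hits.append((start, end, sid, sorted({op for op, _ in ops})))
    return hits


def comment_out(text: str, hits: List[Hit]) -> str:
    """Return the rules text with every physical line of each hit prefixed by '# ',
    so a multi-line rule is disabled as a whole rather than leaving a dangling
    continuation line behind."""
    lines = text.splitlines()
    for start, end, _, _ in hits:
        for n in range(start, end + 1):
            lines[n - 1] = "# " + lines[n - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for start, end, sid, ops in find_operator_ip_proto(SAMPLE_RULES):
        print(f"lines {start}-{end}: sid {sid} uses ip_proto with {', '.join(ops)}")
    # To apply the workaround to a real file (path is a placeholder):
    #   text = open("/etc/snort/bad-traffic.rules").read()
    #   open("/etc/snort/bad-traffic.rules", "w").write(comment_out(text, find_operator_ip_proto(text)))
```

Run against the sample it reports sid 1627 (lines 2-4, operator `>`) and sid 1620 (lines 5-7, operator `!`) and leaves the plain TCP rule and the already-commented rule alone; after `comment_out` a second scan finds nothing, which is the state of John's 1.8.7 file.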
