[Snort-users] Strange Key Words
mkettler at ...4108...
Tue Nov 18 09:30:06 EST 2003
At 04:41 PM 11/15/2003, wbradd wrote:
>I downloaded the current rules list along with 2.0.4.
>I run this on solaris. (solaris 9)
>When attempting to start snort, I get the following key word errors:
>unknown keyword pcre
>unknown keyword isdataat
>I also had to disable http_inspect.

Technically the "snortrules-current" is a development release of the rules
and needs to only work with the "snort-current" development snapshot of
snort itself. You need to recognize that snort uses the debian-ish standard
where "current" implies "latest CVS development release that may not even
compile, much less work".

Since 'current' rules are a development version they don't work with the
snort 2.0.4 release without a development patch.

Either use the rules that come with 2.0.4, use the snortrules-stable
ruleset with 2.0.4, use the snort-current CVS release of snort, or apply
the PCRE (precompiled regex) patch to snort 2.0.4.

You can try to mix snortrules-current with released versions of snort, and
most of the time this works, but it's never guaranteed.

The snort-pcre patch is available on the snort website.

The fact that the current rules use PCRE is a side-effect of the
development effort to convert snort to using PCRE as a standard component,
and for the standard ruleset to use PCRE where appropriate. This means that
the "current", aka development, rules and source use PCRE.
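
Added example, not part of the original message and not code from the Snort project: a pre-flight check that parses each rule's option list and reports active rules using keywords the installed build rejects, so a mixed ruleset can be audited before startup. The keyword set comes from the two errors quoted above; the function names and sample rules are constructed for illustration.

```python
# Keywords taken from the two "unknown keyword" errors quoted in the thread.
UNSUPPORTED = {"pcre", "isdataat"}

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"constructed\; pcre: only in msg text"; content:"GET"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed regex rule"; pcre:"/a\;b/i"; sid:1000002;)
alert tcp any any -> any 21 (msg:"constructed length check"; content:"USER"; isdataat:100,relative; sid:1000003;)
# alert tcp any any -> any 80 (msg:"constructed, disabled"; pcre:"/x/"; sid:1000004;)
'''.strip()

def split_options(body):
    """Split an option body on ';', skipping quoted or backslash-escaped ones."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def parse_options(line):
    """Return [(keyword, value)] for one rule line; [] for comments and non-rules."""
    line = line.strip()
    start, end = line.find("("), line.rfind(")")
    if not line or line.startswith("#") or start == -1 or end < start:
        return []
    pairs = (o.partition(":") for o in split_options(line[start + 1:end]))
    return [(k.strip(), v.strip()) for k, _, v in pairs]

def find_incompatible(rules_text, unsupported=UNSUPPORTED):
    """List (line number, sid, offending keywords) for each active rule affected."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        opts = parse_options(line)
        bad = sorted({k for k, _ in opts} & set(unsupported))
        if bad:
            hits.append((lineno, dict(opts).get("sid", "?"), bad))
    return hits
```

Calling `find_incompatible(open(path).read())` on each rules file gives the rules to disable or replace; the first sample rule is not flagged because "pcre" appears only inside its quoted msg text.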