[Snort-users] Strange Key Words

Matt Kettler mkettler at ...4108...
Tue Nov 18 09:30:06 EST 2003

At 04:41 PM 11/15/2003, wbradd wrote:
>I downloaded the current rules list along with 2.0.4.
>I run this on Solaris (Solaris 9).
>When attempting to start snort, I get the following key word errors:
>unknown keyword pcre
>unknown keyword isdataat
>I also had to disable http_inspect.
>Any ideas?

Technically the "snortrules-current" is a development release of the rules 
and needs to only work with the "snort-current" development snapshot of 
snort itself. You need to recognize that snort uses the Debian-ish standard 
where "current" implies "latest CVS development release that may not even 
compile, much less work".

Since 'current' rules are a development version, they don't work with the 
snort 2.0.4 release without a development patch.

Either use the rules that come with 2.0.4, use the snortrules-stable 
ruleset with 2.0.4, use the snort-current CVS release of snort, or apply 
the PCRE (precompiled regex) patch to snort 2.0.4.

You can try to mix snortrules-current with released versions of snort, and 
most of the time this works, but it's never guaranteed.

The snort-pcre patch is available on the snort website.

The fact that the current rules use PCRE is a side-effect of the 
development effort to convert snort to using PCRE as a standard component, 
and for the standard ruleset to use PCRE where appropriate. This means that 
the "current", aka development, rules and source use PCRE.
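
Added example, not part of the original message and not Snort project code: a pre-flight check that lists which active rules in a rules file use the two option keywords from the errors quoted above (pcre, isdataat), so they can be found before loading the file into a build that lacks them. The function names and the sample rules are constructed for illustration, and it assumes one rule per line.

```python
# Keywords named in the "unknown keyword" errors quoted in this thread.
UNSUPPORTED = {"pcre", "isdataat"}

def split_options(body):
    """Split a rule's option body on ';', skipping quoted or escaped ';'."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    opts.append("".join(buf).strip())
    return [o for o in opts if o]

def find_unsupported(rules_text, unsupported=UNSUPPORTED):
    """Return (line_no, sid, keywords) for each active rule using them."""
    hits = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        start, end = line.find("("), line.rfind(")")
        if not line or line.startswith("#") or start < 0 or end < start:
            continue  # blank, commented-out, or not a rule line
        opts = split_options(line[start + 1:end])
        pairs = [o.split(":", 1) for o in opts]
        keys = {p[0].strip().lower() for p in pairs}
        bad = sorted(keys & set(unsupported))
        if bad:
            sid = next((p[1].strip() for p in pairs
                        if len(p) == 2 and p[0].strip().lower() == "sid"), "?")
            hits.append((line_no, sid, bad))
    return hits

# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = "\n".join([
    r'# alert tcp any any -> any 80 (msg:"off"; pcre:"/x/"; sid:1000001;)',
    r'alert tcp any any -> any 80 (msg:"pcre\; isdataat: note"; content:"GET"; sid:1000002;)',
    r'alert tcp any any -> any 80 (msg:"regex"; pcre:"/a\;b/i"; sid:1000003;)',
    r'alert tcp any any -> any 25 (msg:"len"; isdataat:300,relative; pcre:"/^RCPT/"; sid:1000004;)',
])

if __name__ == "__main__":
    for line_no, sid, bad in find_unsupported(SAMPLE_RULES):
        print(f"line {line_no}: sid {sid} uses {', '.join(bad)}")
```

The keyword is taken from the option name only, so a rule whose msg text merely mentions pcre is not reported, and commented-out rules are skipped.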
