[Snort-users] Strange Key Words

Matt Kettler mkettler at ...4108...
Tue Nov 18 09:30:06 EST 2003


At 04:41 PM 11/15/2003, wbradd wrote:
>I downloaded the current rules list along with 2.0.4.
>
>I run this on solaris.  (solaris 9)
>
>When attempting to start snort, I get the following key word errors:
>
>unknown keyword pcre
>
>and
>
>unknown keyword isdataat
>
>I also had to disable http_inspect.
>
>Any ideas?

Technically the "snortrules-current" is a development release of the rules 
and needs to only work with the "snort-current" development snapshot of 
snort itself. You need to recognize that snort uses the debian-ish standard 
where "current" implies "latest CVS development release that may not even 
compile, much less work".

Since 'current' rules are a development version, they don't work with the 
snort 2.0.4 release without a development patch.

Either use the rules that come with 2.0.4, use the snortrules-stable 
ruleset with 2.0.4, use the snort-current CVS release of snort, or apply 
the PCRE (precompiled regex) patch to snort 2.0.4.

You can try to mix snortrules-current with released versions of snort, and 
most of the time this works, but it's never guaranteed.

The snort-pcre patch is available on the snort website.
http://www.snort.org/dl/contrib/patches/

The fact that the current rules use PCRE is a side-effect of the 
development effort to convert snort to using PCRE as a standard component, 
and for the standard ruleset to use PCRE where appropriate. This means that 
the "current", aka development, rules and source use PCRE.
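
A pre-flight check for the mismatch described in this thread, as an added example that is not part of the original post or of Snort itself: it parses each rule's option list and reports rules using keywords the installed engine rejects. The keyword set comes from the errors quoted above; the sample rules, sids and function names are constructed, and one rule per line is assumed.

```python
# Keywords the 2.0.4 parser rejected in the thread above; extend as needed.
UNSUPPORTED = {"pcre", "isdataat"}

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = r'''
# constructed sample rules
alert tcp any any -> any 80 (msg:"constructed\; mentions pcre: in text"; content:"/cgi-bin/"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed regex rule"; pcre:"/id=\d+/i"; sid:1000002;)
alert tcp any any -> any 21 (msg:"constructed length rule"; content:"USER"; isdataat:100,relative; sid:1000003;)
'''

def option_keywords(rule):
    """Return the option keywords from a rule's (...) body.

    Splits on ';' but ignores separators that are backslash-escaped or
    inside double quotes, so text in msg/content values is never
    mistaken for a keyword (a plain grep for 'pcre:' would be).
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    opts, cur, in_quote, esc = [], [], False, False
    for ch in rule[start + 1:end]:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur))
    return [o.split(":", 1)[0].strip().lower() for o in opts if o.strip()]

def incompatible_rules(text, unsupported=UNSUPPORTED):
    """Map line number -> sorted unsupported keywords used on that line."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            bad = sorted(set(option_keywords(line)) & set(unsupported))
            if bad:
                hits[n] = bad
    return hits

if __name__ == "__main__":
    for n, bad in incompatible_rules(SAMPLE_RULES).items():
        print(f"line {n}: uses {', '.join(bad)}")
```

Running this over a rules directory before starting the sensor shows whether a ruleset and engine build match without waiting for the "unknown keyword" startup failure.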
