[Snort-users] Snort 2.3.1 Error parsing Bleeding rules

Basselgia, Barry A Mr (NAF Atsugi) BABasselgia at ...12104...
Thu Mar 10 17:16:25 EST 2005


I just tried setting up Snort 2.3.1, and it's having problems parsing the
Bleeding Rules.  The same snort.conf with the same .rules file works fine
with Snort 2.3.0.

Here is the error:

 FATAL ERROR: Unterminated rule in file
/etc/snort/bleed/bleeding-attack_response.rules, line 57    (Snort rules
must be contained on a single line or on multiple lines with a '\'
continuation character at the end of the line,  make sure there are no
carriage returns before the end of this line).

I double checked line 57 in the rules file and it looks ok to me.  Here are
lines 56-58 of the file:

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC
- Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0;
depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds;
classtype:trojan-activity; sid:2000347; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC
- Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase;
pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established;
tag:session,300,seconds; classtype:trojan-activity; sid:2000348; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC
- DCC file transfer request on non-std port"; flow:to_server,established;
content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND";
nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349;
rev:3;)

Any ideas what could be causing this??

Barry




