[Snort-users] Anybody know how to fix this error?
toortog at ...11827...
Fri Sep 12 16:44:07 EDT 2008
Thank you for the suggestion. cat -v * (on the rules dir) didn't really
help me much since it gave me a slew of entries that looked normal.
Obviously.. IT IS NOT OBVIOUS since I'm asking for help. I did not assign
the PORTVAR variable with/to "ANY". I do the normal routine of pushing VRT
rules that has worked before and I did not do anything special this time
other than review and uncomment a few rules that the VRT team commented. I
also did NOT modify the snort.conf, which I may add... the same snort.conf
file (that's been working) that I've been using for a while now!
Magic fix... removed previously tar'd dirs, untarred it again, and somehow
it's good to go. Somehow something got corrupted and since doing an egrep
for PORTVAR didn't show squat and I need the stuff to be up, I had to just
redo the procedure and push each categorized rule[s] one at a time (hoping
it will at least point me to a rule that was syntactically incorrect) --
which fortunately it didn't.
On Fri, Sep 12, 2008 at 4:09 PM, Paul Schmehl <pschmehl_lists at ...14358...>wrote:
> --On Friday, September 12, 2008 3:39 PM -0400 Tommy Cansanay <
> toortog at ...11827...> wrote:
>> I was updating rules, restarted and got this...
>> FATAL ERROR: ***Rule--PortVar Parse error: (pos=4,error=not a number)
>> >>ANY >> ^
>> Anybody run into this? Better yet, how to fix it?
> It's pretty obvious, isn't it? You can't use "ANY" as the value of
> PORTVAR. It must be a number or number, comma or dash separated.
> Somewhere in the snort.conf file there is a line with the following:
> PORTVAR = ANY
> That line is invalid.
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users