[Snort-users] Snort 2.8.6 not loading sensitive data rules

Ryan Jordan ryan.jordan at ...1935...
Fri May 7 16:35:26 EDT 2010


That keyword only works if the sensitive_data preprocessor is turned
on. README.sensitive_data should have a good default conf and an
explanation of what's going on.

On Fri, May 7, 2010 at 4:27 PM, Andy Berryman <aberryman at ...14758...> wrote:
> Ok, that took care of that error, but led to another.
>
>
> May  7 20:23:01 (none) snort[14603]: FATAL ERROR: /snort/conf/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
>
>
>
> Thanks,
> Andy Berryman
>
>
>
>
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
> Sent: Friday, May 07, 2010 3:18 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort 2.8.6 not loading sensitive data rules
>
> D'oh. This was a bug we had during development, looks like the bugfix
> didn't make it into the Snort tarball that we put on the website. I'll
> make sure this gets fixed in the next release.
>
> The rules sensitive-data.rules SHOULD say "alert tcp $HOME_NET ...",
> but instead they say "alert $HOME_NET ...". In the meantime, you can
> edit these rules to add in the word "tcp", there's only 5 rules so
> it's a quick fix.
>
> Sorry for the inconvenience.
>
> -Ryan
>
> On Fri, May 7, 2010 at 3:58 PM, Andy Berryman <aberryman at ...14758...> wrote:
>> When I try to have snort 2.8.6 load the sensitive data rules, I get an
>> error:
>>
>>
>>
>>
>>
>> May  7 19:35:47 (none) snort[9499]: FATAL ERROR: /snort
>> /conf/sensitive-data.rules(1) Bad protocol: $HOME_NET.
>>
>>
>>
>> I can post the rules if needed.
>>
>>
>>
>> Thanks,
>>
>> Andy Berryman
>>
>> ________________________________
>> This message from Cymtec Systems, Inc. contains confidential information and
>> is solely for the use of the recipient(s) named above. If you are not the
>> intended recipient or an agent responsible for delivering it to the intended
>> recipient, you are hereby notified that you have received this message in
>> error and that any review, disclosure, copying, distribution or use of the
>> contents of this message is strictly prohibited. If you have received this
>> message in error, please destroy it immediately and notify Cymtec Systems,
>> Inc. by telephone at +1.314.993.8700 or by return e-mail.
>> ________________________________
>>
>> ------------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
> ###############################################################################
> This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above.  If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited.  If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
> ###############################################################################
>




More information about the Snort-users mailing list