[Snort-users] Payload detection options conf files

Joel Esler jesler at ...1935...
Thu Mar 22 09:17:06 EDT 2012


Unfortunately no. That rule has to have pkt_data specified in order for it to work. 

2.9.2.2 is slated for next week. You may have to just disable that one rule until your upgrade. 

-- 
Joel Esler

On Mar 22, 2012, at 4:52 AM, "Sacher, Désirée"<Desiree.Sacher at ...979...15556...> wrote:

> Hi Guys
>  
> I currently run Snort version 2.9.0.3. I know this is a very old version, but I’m waiting for version 2.9.2.2. To keep the system running current, I’ve been updating my snort.conf file so I could still download the 2.9.0.5 rules. I’ve been doing that for almost a year now and it has worked well enough. Now, with the rules of version 2.9.1.2, it seems that the payload detection options have also been changed. Where can I tweak those options so I can manually add the pkt_data option and whatever else might throw compile errors?
>  
> Mar 22 09:14:37 idssensor snort[21853]:     Server side data is trusted
> Mar 22 09:14:37 idssensor snort[21853]: Sensitive Data preprocessor config:
> Mar 22 09:14:37 idssensor snort[21853]:     Global Alert Threshold: 25
> Mar 22 09:14:37 idssensor snort[21853]:     Masked Output: DISABLED
> Mar 22 09:14:37 idssensor snort[21853]:
> Mar 22 09:14:37 idssensor snort[21853]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Mar 22 09:14:37 idssensor snort[21853]: Initializing rule chains...
> Mar 22 09:14:37 idssensor snort[21853]: FATAL ERROR: /etc/snort/rules/botnet-cnc.rules(418) Unknown rule option: 'pkt_data'.
> Mar 22 09:14:37 idssensor cfengine:idssensor[21747]: Finished script /etc/init.d/snortd restart
> Mar 22 09:15:01 idssensor /usr/sbin/cron[22536]: (root) CMD (  /opt/hp/hp-health/bin/check-for-restart-requests)
>  
> It’s just to keep it running for 1 more month, I promise I’ll make a real update then ;)
>  
> Cheers
> des
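Added example, not part of the original thread: one way to locate and comment out the rules that use an option keyword the running Snort build rejects, which is the "disable that one rule" step from the reply applied across a rules file. It assumes one rule per line; the `UNSUPPORTED` set, the function names and the sample rules are constructed here for illustration.

```python
import re

# Assumption: option keywords the installed Snort build rejects at startup.
# 'pkt_data' is the one named in the FATAL ERROR quoted above.
UNSUPPORTED = {"pkt_data"}
RULE_START = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")

def option_keywords(rule):
    """Keyword names from the rule's (...) body, skipping quoted text."""
    start = rule.find("(")
    if start < 0:
        return []
    keywords, current, in_quotes, escaped = [], [], False, False
    for ch in rule[start + 1:]:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:  # end of one option
            name = "".join(current).split(":", 1)[0].strip()
            if name:
                keywords.append(name)
            current = []
            continue
        current.append(ch)
    return keywords

def disable_unsupported(lines, unsupported=UNSUPPORTED):
    """Comment out active rules that use an unsupported option keyword."""
    out, disabled = [], []
    for lineno, line in enumerate(lines, 1):
        bad = []
        if RULE_START.match(line):       # already-commented rules are skipped
            bad = sorted(set(option_keywords(line)) & set(unsupported))
        if bad:
            disabled.append((lineno, bad))
            line = "# disabled, unsupported option %s: %s" % (",".join(bad), line)
        out.append(line)
    return out, disabled

# Constructed sample rules (one per line); not taken from botnet-cnc.rules.
SAMPLE = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE uri match"; flow:to_server,established; content:"/example"; http_uri; sid:1000001; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE raw payload"; flow:to_server,established; content:"/x"; http_uri; pkt_data; content:"abc"; sid:1000002; rev:1;)',
    r'alert tcp any any -> any any (msg:"SAMPLE text\; pkt_data\; in msg"; content:"abc"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for lineno, bad in disable_unsupported(SAMPLE)[1]:
        print("line %d disabled: %s" % (lineno, ",".join(bad)))
```

The third sample rule only mentions `pkt_data` inside its quoted `msg` text, so it stays enabled; a plain text search for the keyword would have disabled it as well.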