[Snort-users] Payload detection options conf files

Joel Esler jesler at ...1935...
Thu Mar 22 09:17:06 EDT 2012

Unfortunately no. That rule has to have pkt_data specified in order for it to work. is slated for next week. You may have to just disable that one rule until your upgrade. 

Joel Esler

On Mar 22, 2012, at 4:52 AM, "Sacher, Désirée"<Desiree.Sacher at ...979...15556...> wrote:

> Hi Guys
> I currently run Snort version I know this is a very old version, but I’m waiting for version To keep the system running current, I’ve been updating my snort.conf file so I could still download the rules. I’ve been doing that for almost a year now and it has worked well enough. Now with the rules of version it seems that Payload detection options have also been changed. Where can I tweak those options, so I can manually add the pkt_data option and whatever else might throw compile errors?
> Mar 22 09:14:37 idssensor snort[21853]:     Server side data is trusted
> Mar 22 09:14:37 idssensor snort[21853]: Sensitive Data preprocessor config:
> Mar 22 09:14:37 idssensor snort[21853]:     Global Alert Threshold: 25
> Mar 22 09:14:37 idssensor snort[21853]:     Masked Output: DISABLED
> Mar 22 09:14:37 idssensor snort[21853]:
> Mar 22 09:14:37 idssensor snort[21853]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Mar 22 09:14:37 idssensor snort[21853]: Initializing rule chains...
> Mar 22 09:14:37 idssensor snort[21853]: FATAL ERROR: /etc/snort/rules/botnet-cnc.rules(418) Unknown rule option: 'pkt_data'.
> Mar 22 09:14:37 idssensor cfengine:idssensor[21747]: Finished script /etc/init.d/snortd restart
> Mar 22 09:15:01 idssensor /usr/sbin/cron[22536]: (root) CMD (  /opt/hp/hp-health/bin/check-for-restart-requests)
> It’s just to keep it running for 1 more month, I promise I’ll make a real update then ;)
> Cheers
> des
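An added example, not part of the thread or of Snort itself, of the workaround discussed above: it reads the file, line and option name from the FATAL ERROR line and comments out every active rule that uses that option as a keyword, so the sensor starts again until the upgrade. The function names and sample rules are constructed, and it assumes one rule per line.

```python
import re

# Startup failure line in the form shown in the quoted syslog excerpt.
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<path>\S+)\((?P<line>\d+)\) "
    r"Unknown rule option: '(?P<opt>[^']+)'")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values (msg, content)

def parse_fatal(log_line):
    """Return (rules_file, line_number, option) from a Snort FATAL ERROR line, or None."""
    m = FATAL_RE.search(log_line)
    return (m["path"], int(m["line"]), m["opt"]) if m else None

def disable_rules_using(rules_text, option):
    """Comment out each active rule that uses `option` as a keyword.

    Returns (new_text, [1-based line numbers disabled]). Assumes one rule per line.
    """
    keyword = re.compile(r"[(;]\s*" + re.escape(option) + r"\s*[;:]")
    out, disabled = [], []
    for n, line in enumerate(rules_text.splitlines(keepends=True), start=1):
        active = line.strip() and not line.lstrip().startswith("#")
        # Blank out quoted strings so text inside msg/content cannot match.
        if active and keyword.search(QUOTED_RE.sub('""', line)):
            out.append("# " + line)
            disabled.append(n)
        else:
            out.append(line)
    return "".join(out), disabled

# Constructed sample input: the log line is the one quoted in the thread, the rules are made up.
SAMPLE_LOG = ("Mar 22 09:14:37 idssensor snort[21853]: FATAL ERROR: "
              "/etc/snort/rules/botnet-cnc.rules(418) Unknown rule option: 'pkt_data'.")
SAMPLE_RULES = r'''alert tcp any any -> any 80 (msg:"CONSTRUCTED a"; content:"abc"; sid:1000001;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED b"; pkt_data; content:"abc"; sid:1000002;)
# alert tcp any any -> any 80 (msg:"CONSTRUCTED c"; pkt_data; content:"abc"; sid:1000003;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED d\; pkt_data: note"; content:"abc"; sid:1000004;)
'''

if __name__ == "__main__":
    path, lineno, opt = parse_fatal(SAMPLE_LOG)
    patched, hits = disable_rules_using(SAMPLE_RULES, opt)
    print(f"{path}: option {opt!r} first failed at line {lineno}; disabled lines {hits}")
    print(patched, end="")
```

Every rule commented out this way is detection coverage lost until the sensor is upgraded, so keep the returned line numbers and re-enable those rules afterwards.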