[Snort-users] Warning after rules update

Joel Esler jesler at ...1935...
Wed Sep 11 09:45:54 EDT 2013


On Sep 11, 2013, at 7:11 AM, Y M <snort at ...15979...> wrote:

> After running an update to the latest rules tarball (2.9.5.3), I get the following warning:
> 
> "WARNING: /path/to/snort.rules(8912) at most one HTTP buffer may be indicated with pcre"
> 
> Line 8912 points to sid:6343. I am using PulledPork v0.7.0 to generate the rules. Any ideas why?

Yes.  The pcre read “HsmiH”.

I fixed it.  It’ll be in the next rule release.  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130911/37220201/attachment.html>


More information about the Snort-users mailing list