Snort mailing list archives

Re: Why all the rules parsing errors?


From: John Sage <jsage () finchhaven com>
Date: Sat, 04 Aug 2001 15:51:38 -0700

Did you check *where* the current install put the executable, and did you make sure that you're running *that* executable?

(Which is kinda the answer suggested by Andrew..)

What do you get if you say "which snort"?

I had to twiddle with some symlinks to get everything to play nice, which means that I wanted to still have a useable 1.7 when I put 1.8.1-beta4 on...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Andrew R. Baker wrote:

It sounds like you are somehow still running the old version of snort. What version is it reporting when it starts up?

-Andrew

--- Don Heffernan <donheff () cais net> wrote:

I just upgraded from snort 1.3 or something to 1.8p1. I then downloaded
the latest ruleset I saw posted (1.7). I had to edit snort.conf to get
lots of spaces out and finally got it working, but when it gets to the
rules include files I am getting errors that would indicate that most of
the rules are invalid.

The first error (line 4 in exploits) is "bad TCP flag = "+". The
relevant portion of the line reads: "...; flags: A+; content:..." The
problem is there are countless lines that use this same construction -
are they all wrong?

I commented out the first 7 lines in exploits (passing by the first
bunch of A+ lines) and then got an error in line 8: "Unknown Keyword
"reference" in rule!" Once again, the error is present in countless
lines. The relevant section of line 8 is: "...; reference:
arachnids,492;)"

Can anyone help me out here? If you hadn't already guessed I am not
familiar with the proper syntax.

--
Don Heffernan
heffernan.cais.net
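
Added example, not part of the original thread: a shell version of the check John and Andrew suggest, listing every executable with a given name on the search path in lookup order together with the real file each entry resolves to through symlinks. The function names `resolve_link`, `path_candidates` and `distinct_targets` are hypothetical helpers written for this illustration.

```shell
#!/bin/sh
# Added example: find out which copy of a program the shell would run, and
# whether an older copy earlier on PATH shadows a newer install.

# resolve_link FILE -> print the canonical path of FILE, following symlinks.
resolve_link() {
    local f="$1" target
    while [ -L "$f" ]; do
        target=$(readlink "$f")
        case $target in
            /*) f="$target" ;;                    # absolute link target
            *)  f="$(dirname "$f")/$target" ;;    # relative to the link's directory
        esac
    done
    printf '%s/%s\n' "$(cd "$(dirname "$f")" && pwd -P)" "$(basename "$f")"
}

# path_candidates NAME [PATHSTRING] -> one "entry -> real file" line per
# executable match, in the order the shell searches (first line wins).
path_candidates() {
    local name="$1" path_string="${2:-$PATH}" dir
    local IFS=:
    for dir in $path_string; do
        [ -n "$dir" ] || dir=.                    # empty entry means current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s -> %s\n' "$dir/$name" "$(resolve_link "$dir/$name")"
        fi
    done
}

# distinct_targets NAME [PATHSTRING] -> number of different real files found.
# More than 1 means two separate installs are reachable and order matters.
distinct_targets() {
    path_candidates "$@" | sed 's/.* -> //' | sort -u | wc -l | tr -d ' '
}

# List the candidates for snort on the current PATH (no output if none).
path_candidates snort
```

Running the first listed path with `-V` shows the version of the copy the shell actually picks, which can be compared with the version that was just installed.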


