Snort mailing list archives
Re: Error when running snort built-in rules.
From: "Russ Combs (rucombs) via Snort-sigs" <snort-sigs () lists snort org>
Date: Fri, 13 Sep 2024 14:56:17 +0000
It looks like you are giving Snort 2 rules to Snort 3. Furthermore, the unknown keywords listed are not allowed in builtin rules. Take a look at this:

https://blog.snort.org/2020/12/soft-release-lightspd-new-rules-package.html

If you still have issues post more details so we can get it sorted.

Russ

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Alexander murithi via Snort-sigs <snort-sigs () lists snort org>
Sent: Thursday, September 12, 2024 3:04 AM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [Snort-sigs] Error when running snort built-in rules.

Good morning,

I've been getting the following error while running snort against the built-in rules:

Loading /etc/snort/rules/info.rules:
ERROR: /etc/snort/rules/info.rules:24 unknown rule keyword: rawbytes.
ERROR: /etc/snort/rules/info.rules:24 unknown rule keyword: distance.
ERROR: /etc/snort/rules/info.rules:24 unknown rule keyword: rawbytes.
ERROR: /etc/snort/rules/info.rules:24 unknown rule keyword: distance.
ERROR: /etc/snort/rules/info.rules:24 unknown rule keyword: rawbytes.
ERROR: /etc/snort/rules/info.rules:25 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:26 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:29 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:30 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: distance.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: nocase.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: within.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: distance.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: distance.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: within.
ERROR: /etc/snort/rules/info.rules:32 unknown rule keyword: distance.
Finished /etc/snort/rules/info.rules:
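The keywords in the quoted errors are ones Snort 2 writes as standalone options after content, while Snort 3 takes content modifiers as comma-separated sub-options of content. The pre-load check below is an added example, not part of the thread and not Snort project code; the function names and the sample rules are constructed for illustration.

```python
import re

# Keywords from the quoted errors, plus offset/depth, which follow the same
# pattern: Snort 2 writes them as standalone options after content.
SNORT2_MODIFIERS = {"nocase", "distance", "within", "offset", "depth", "rawbytes"}

# Constructed sample rules (not taken from the poster's info.rules).
SAMPLE = r'''
# constructed sample
alert tcp any any -> any 23 (msg:"snort2 style"; content:"a\;b"; nocase; content:"c"; distance:0; within:4; rawbytes; sid:1000001;)
alert tcp any any -> any 23 (msg:"snort3 style"; content:"a\;b", nocase; content:"c", distance 0, within 4; sid:1000002;)
'''

def split_options(body):
    """Split a rule body on ';', honouring quoted strings and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def snort2_style_options(rules_text):
    """Map line number -> standalone content modifiers found on that rule."""
    findings = {}
    for no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        start, end = line.find("("), line.rfind(")")
        if line.startswith("#") or start < 0 or end < start:
            continue
        keys = [re.split(r"[:\s]", o, maxsplit=1)[0]
                for o in split_options(line[start + 1:end])]
        hits = [k for k in keys if k in SNORT2_MODIFIERS]
        if hits:
            findings[no] = hits
    return findings

if __name__ == "__main__":
    for no, hits in snort2_style_options(SAMPLE).items():
        print(f"line {no}: Snort 2 style standalone options: {', '.join(hits)}")
```

A rules file that produces any findings here is in Snort 2 syntax and needs converting, or replacing with a Snort 3 rules package, before Snort 3 will load it.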
