Snort mailing list archives

Re: snort rules not being read


From: John Sage <jsage () finchhaven com>
Date: Sun, 8 Sep 2002 10:48:25 -0700

Donnie:

On Thu, Sep 05, 2002 at 07:26:12AM -0400, Donnie Green wrote:
I made the recommended changes and it looks like the rules are being 
read--although I had to make a link "ln -s /etc/conf/snort.conf 
/etc/snort.conf".  Now it seems as though I have a faulty 
rule (bad-traffic.rules).  Just to see, I commented out the rule in 
/etc/conf/snort.conf and I received an error in the next rule.  It appears 
as if the rules aren't using the correct syntax??  Following is the output 
of the command "snort".

<prompt> snort
Log directory = /var/log/snort

<snip-a-lot>

ERROR /etc/snort/bad-traffic.rules(20) => Bad protocol name ">134"
Fatal Error, Quitting..

In my bad-traffic.rules (snort 1.8.7) this line is commented-out:

# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Unassigned/Reserved IP protocol"; ip_proto:>134; \
 classtype:non-standard-protocol; sid:1627; rev:1;)

as is the next:

# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
 ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
 classtype:non-standard-protocol; sid:1620; rev:2;)


You might try this...


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
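To find every rule that uses the ip_proto operator forms shown above (">134", "!1", ...) before starting snort, here is a small checker added to this archive page; it is not code from the thread or from the Snort project. It joins backslash-continued rule lines the way snort does, skips comments, and reports the starting line and sid of each offending rule. The sample rules file is constructed for the example.

```python
import re

# Constructed sample in the style of a snort 1.8.7 bad-traffic.rules (not the real file).
SAMPLE_RULES = r'''# comment line
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Unassigned/Reserved IP protocol"; ip_proto:>134; \
 classtype:non-standard-protocol; sid:1627; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
 Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
 ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
 classtype:non-standard-protocol; sid:1620; rev:2;)
alert ip any any -> any any (msg:"plain ip_proto"; ip_proto:47; sid:9000001; rev:1;)
'''

# ip_proto option with an optional operator (!, <, >) in front of the protocol number
IP_PROTO_RE = re.compile(r'ip_proto\s*:\s*([!<>]?)\s*(\d+)\s*;')
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')

def join_rules(text):
    """Yield (start_line, rule) with backslash continuations joined; comments and blanks skipped."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if not buf:
            if not stripped or stripped.lstrip().startswith('#'):
                continue
            start = lineno            # snort reports the line the rule begins on
        if stripped.endswith('\\'):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, ' '.join(buf)
        buf = []
    if buf:                           # unterminated continuation at end of file
        yield start, ' '.join(buf)

def find_operator_ip_proto(text):
    """Return [(line, sid, 'ip_proto:<op><num>')] for every ip_proto option that uses an operator."""
    hits = []
    for lineno, rule in join_rules(text):
        sid_m = SID_RE.search(rule)
        sid = int(sid_m.group(1)) if sid_m else None
        for m in IP_PROTO_RE.finditer(rule):
            op, num = m.group(1), m.group(2)
            if op:
                hits.append((lineno, sid, 'ip_proto:%s%s' % (op, num)))
    return hits

if __name__ == '__main__':
    for lineno, sid, opt in find_operator_ip_proto(SAMPLE_RULES):
        print('line %d sid %s: %s uses an operator' % (lineno, sid, opt))
```

Run it against the real rules file by reading it into the text argument; each reported rule is one to comment out (as in John's copy) or rewrite for the parser in use.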

