Snort mailing list archives

Re: Strange Key Words


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Nov 2003 12:30:58 -0500

At 04:41 PM 11/15/2003, wbradd wrote:
> I downloaded the current rules list along with 2.0.4.
>
> I run this on Solaris.  (Solaris 9)
>
> When attempting to start snort, I get the following key word errors:
>
> unknown keyword pcre
>
> and
>
> unknown keyword isdataat
>
> I also had to disable http_inspect.
>
> Any ideas?

Technically the "snortrules-current" is a development release of the rules and needs to only work with the "snort-current" development snapshot of snort itself. You need to recognize that snort uses the Debian-ish standard where "current" implies "latest CVS development release that may not even compile, much less work".

Since 'current' rules are a development version they don't work with the snort 2.0.4 release without a development patch.

Either use the rules that come with 2.0.4, use the snortrules-stable ruleset with 2.0.4, use the snort-current CVS release of snort, or apply the PCRE (precompiled regex) patch to snort 2.0.4.

You can try to mix snortrules-current with released versions of snort, and most of the time this works, but it's never guaranteed.

The snort-pcre patch is available on the snort website.
http://www.snort.org/dl/contrib/patches/

The fact that the current rules use PCRE is a side-effect of the development effort to convert snort to using PCRE as a standard component, and for the standard ruleset to use PCRE where appropriate. This means that the "current", aka development, rules and source use PCRE.
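
Added example, not part of the original post or of Snort itself: a preflight check that lists rule option keywords a given Snort build will not accept, so a ruleset/engine mismatch like the one above is caught before startup. The `SUPPORTED` set and the sample rules are constructed assumptions; replace the set with the keywords your installed version actually handles.

```python
# Constructed sample rules for illustration (not taken from any real ruleset).
SAMPLE_RULES = r'''
# local test rules
alert tcp any any -> any 80 (msg:"constructed; semicolon in msg"; content:"GET"; pcre:"/foo\;bar/i"; sid:1000001;)
alert tcp any any -> any 21 (msg:"constructed 2"; content:"USER"; isdataat:100,relative; sid:1000002;)
alert tcp any any -> any 25 (msg:"constructed 3"; content:"HELO"; nocase; sid:1000003;)
'''

# Assumption: a hand-maintained stand-in for the keywords your Snort build accepts.
# pcre and isdataat are left out because the post reports 2.0.4 rejecting them.
SUPPORTED = {"msg", "content", "nocase", "sid"}


def option_keywords(rule):
    """Return the option keywords of one rule, honouring quotes and backslash escapes."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    keywords, token, in_quotes, escaped = [], [], False, False
    for ch in rule[start + 1:end] + ";":  # trailing ';' flushes the last option
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            option = "".join(token).strip()
            if option:
                keywords.append(option.split(":", 1)[0].strip())
            token = []
            continue
        token.append(ch)
    return keywords


def unsupported_keywords(rules_text, supported):
    """Map each keyword missing from `supported` to the line numbers using it."""
    findings = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for keyword in option_keywords(line):
            if keyword not in supported:
                findings.setdefault(keyword, []).append(lineno)
    return findings
```

Rules that span several lines with a trailing backslash are not joined here; flatten them first if your rule files use continuations.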



