Snort mailing list archives
Snort 2.3.1 Error parsing Bleeding rules
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Fri, 11 Mar 2005 10:15:34 +0900
I just tried setting up Snort 2.3.1, and it's having problems parsing the Bleeding Rules. The same snort.conf with the same .rules file works fine with Snort 2.3.0. Here is the error:

FATAL ERROR: Unterminated rule in file /etc/snort/bleed/bleeding-attack_response.rules, line 57 (Snort rules must be contained on a single line or on multiple lines with a '\' continuation character at the end of the line, make sure there are no carriage returns before the end of this line).

I double checked line 57 in the rules file and it looks ok to me. Here are lines 56-58 of the file:

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000348; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349; rev:3;)

Any ideas what could be causing this??

Barry
Current thread:
- Snort 2.3.1 Error parsing Bleeding rules Basselgia, Barry A Mr (NAF Atsugi) (Mar 10)
- Re: Snort 2.3.1 Error parsing Bleeding rules Jason (Mar 10)
- Re: Snort 2.3.1 Error parsing Bleeding rules Jeremy Hewlett (Mar 10)