Package: snort
Version: 2.3.2-3
Severity: normal
Snort reports error on the following rule:
alert ip 89.42.248.159/32 any -> 64.125.211.185/32 any ( tos: 0; ttl: 123;
ip_proto: 17; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
offset: 60; depth: 484; rawbytes; msg: "Filter-2249"; )
#snort -v -c local.rules
Running in IDS mode
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file local.rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unterminated rule in file local.rules, line 7
(Snort rules must be contained on a single line or
on multiple lines with a '\' continuation character
at the end of the line, make sure there are no
carriage returns before the end of this line)
Fatal Error, Quitting..
I tried reducing content value to 10 `00's and Snort parsed the file just fine.
-- System Information:
Debian Release: testing/unstable
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-k7
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Versions of packages snort depends on:
ii adduser 3.64 Add and remove users and groups
ii debconf 1.4.51 Debian configuration management sy
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libpcap0.8 0.8.3-5 System interface for user-level pa
ii libpcre3 5.0-1.1 Perl 5 Compatible Regular Expressi
ii logrotate 3.7-5 Log rotation utility
ii snort-common 2.3.2-3 Flexible Network Intrusion Detecti
ii snort-rules-default 2.3.2-3 Flexible Network Intrusion Detecti
ii sysklogd [system-log- 1.4.1-17 System Logging Daemon
Versions of packages snort recommends:
pn snort-doc <none> (no description available)
-- debconf information:
snort/startup: boot
snort/please_restart_manually:
snort/stats_treshold: 1
* snort/address_range: 10.0.1.0/24
snort/options:
* snort/interface: eth0
* snort/stats_rcpt: root
snort/config_parameters:
snort/config_error:
snort/reverse_order: false
snort/disable_promiscuous: false
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
