Snort Forums Archive
Oinkmaster killed my snort
Posted by skymoe on March 09, 2005 18:29:53
Every time I run oinkmaster I have problems getting snort (2.3.0) to start back up.
This is what I get when I run snort -c /etc/snort/snort.conf -T
ERROR: /etc/snort/rules/netbios.rules(47): unknown modifier "from_beginning"
Fatal Error, Quitting..
If I copy my old netbios.rules back to /etc/snort/rules/ I can get things working.
Is there something wrong with my system (most likely) or is something wrong in the latest "netbios.rules"?
Posted by novowels on March 12, 2005 09:23:40
We need the content around line 47 to know for sure, but I suspect that you have an RC release of 2.3.0 from before the from_beginning modifier was added to byte_jump.
Looks like it was added in RC2:
* Added from_beginning and multiplier options for byte_jump.
from_beginning skips bytes from the beginning of the content,
instead of from the location immediately following the number
of bytes to skip. multiplier takes a numeric argument, and
skips x times that number of bytes. Thanks again to Steve Sturges.
Posted by TBoNe on March 22, 2005 09:11:15
I ran into this EXACT same problem. I was using oink to automate my rules but oink was pulling the 2.3.0 ruleset and I was running 2.2.0 version of snort. I would double-check your oinkmaster.conf and make SURE it's pulling rules for your version of snort.
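The failure in this thread (a downloaded ruleset using a modifier the installed engine cannot parse) can be caught before the sensor goes down. The following is an added example, not code from any poster or from the Snort or Oinkmaster projects: it copies rules from a staging directory into the live one, runs the same `snort -T` self-test used above, and restores the previous files if the test fails. The function name, the two directory arguments and the `SNORT_BIN`/`SNORT_CONF` variables are assumptions, as is a non-zero exit status from `snort -T` on a fatal rule error.

```shell
#!/bin/sh
# Added example (not from the thread): apply a staged rule update only if
# `snort -T` accepts it, otherwise restore the previous files.
# Assumption: the SNORT_BIN / SNORT_CONF defaults below match your install.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# apply_rules_checked STAGED_DIR LIVE_DIR
#   returns 0 = new rules active, 1 = rejected and rolled back, 2 = usage/copy error
apply_rules_checked() {
    staged="$1"; live="$2"
    if [ ! -d "$staged" ] || [ ! -d "$live" ]; then
        echo "usage: apply_rules_checked STAGED_DIR LIVE_DIR" >&2
        return 2
    fi
    backup="$(mktemp -d)" || return 2

    # Keep a copy of what currently works (live dir may be empty on first run).
    cp -p "$live"/*.rules "$backup"/ 2>/dev/null || true
    cp -p "$staged"/*.rules "$live"/ || { rm -rf "$backup"; return 2; }

    # Same self-test the thread uses: parse config and rules, then exit.
    if "$SNORT_BIN" -c "$SNORT_CONF" -T >"$backup/selftest.log" 2>&1; then
        rm -rf "$backup"
        return 0
    fi

    # Surface the parser error (file, line, modifier) before rolling back.
    grep 'ERROR' "$backup/selftest.log" >&2 || true
    for f in "$staged"/*.rules; do
        name="$(basename "$f")"
        if [ -f "$backup/$name" ]; then
            cp -p "$backup/$name" "$live/$name"   # restore the old version
        else
            rm -f "$live/$name"                   # file was new in this update
        fi
    done
    rm -rf "$backup"
    return 1
}
```

Point the rule updater at the staging directory rather than the live one, and restart Snort only when the function returns 0.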