Snort

priyadarshan · 03-23-2009, 02:15 AM

I am running snort in the IPS mode.....

I have just started by writing simple rule

alert tcp any any -> any any (msg:"Japan Dave"

But when I run the snort.conf by command

sudo snort -Qc /etc/snort/snort.conf -l /etc/snort

I get an error message saying:./rules/local.rules => Each rule must contain a Rule-id.

TB0ne · 03-23-2009, 01:24 PM

Quote:

Originally Posted by priyadarshan

I am running snort in the IPS mode.....

I have just started by writing simple rule

alert tcp any any -> any any (msg:"Japan Dave"

But when I run the snort.conf by command

sudo snort -Qc /etc/snort/snort.conf -l /etc/snort

I get an error message saying:./rules/local.rules => Each rule must contain a Rule-id.

Right....so give the rule you added a Rule-ID header. Read the documentation.

priyadarshan · 03-24-2009, 12:50 AM

I cant get you.... even I read socumentation twice throughly........ But the thing is that they too have specified rule in such way only.......

Is there anything new that I need to add in rule?

TB0ne · 03-24-2009, 10:17 AM

Quote:

Originally Posted by priyadarshan

I cant get you.... even I read socumentation twice throughly........ But the thing is that they too have specified rule in such way only.......

Is there anything new that I need to add in rule?

Check this page http://www.snort.org/docs/snort_htma...3/node195.html for information on writing Snort rules.

Your error message says you need to give the rule an ID, which you haven't done. Give it one.

priyadarshan · 03-25-2009, 12:39 AM

Thanks......