Overview
If your error log is filling up with the error message below and IPS is not running correctly, this article is for you.
IPS Error: snort/rules/used.rules(836): byte_jump can't process more than 10 bytes! (1)
This problem arises from an IPS rule received from the provider that is not compatible with the current SNORT version.
Solution
The issue has been resolved in the backend by the Development team, starting with signature database version 3.457.
If you are not yet on this version or later, update the IPS signatures manually to fix the behavior.
In the unlikely event that you are not able to update IPS right away, you can remove the IPS rule causing the error using the steps below:
- Login to SSH as per the article: Accessing Kerio Control's Shell Using SSH
- Execute the following command to open the IPS rules file at the problematic line, then press the listed keys to remove the rule and save the file:
nano +836 /var/winroute/snort/rules/used.rules
Ctrl+K (cut the current line), Ctrl+X (exit nano), Y (confirm saving), Enter (keep the file name)
- The nano command above opens the IPS rules file and places the cursor on the problematic line number.
- Note: the line number is given in the error log entry, so adjust the command to match the line number from your error log. In the example above, the problematic rule was on line 836.
- Once on that line, remove it (Ctrl+K) and then save the file (Ctrl+X, Y, Enter).
- Wait for 5-10 minutes while the IPS engine re-reads rules. The error should be gone after this.
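The manual nano steps above can be scripted for a non-interactive shell session. The following is an added example, not Kerio Control's own tooling: it parses the line number out of the logged IPS error, backs up the rules file, prints the rule being dropped, and deletes that one line. The rules file path and the three-rule sample file are constructed for the demo; on a real appliance the file is /var/winroute/snort/rules/used.rules as given in the article.

```shell
#!/bin/sh
# Added example (not Kerio's code): remove the rule line named in an IPS error entry.

# Extract the line number from a message such as
# "IPS Error: snort/rules/used.rules(836): byte_jump can't process more than 10 bytes! (1)"
ips_error_line() {
    printf '%s\n' "$1" | sed -n 's/.*used\.rules(\([0-9][0-9]*\)).*/\1/p'
}

# Remove line N from a rules file after saving a .bak copy; prints the removed rule.
# Refuses non-numeric or out-of-range line numbers so a bad log entry cannot
# silently delete the wrong rule.
remove_rule_line() {
    file="$1"; line="$2"
    case "$line" in ''|*[!0-9]*) echo "bad line number: $line" >&2; return 1;; esac
    total=$(wc -l < "$file" | tr -d ' ')
    if [ "$line" -lt 1 ] || [ "$line" -gt "$total" ]; then
        echo "line $line out of range (file has $total lines)" >&2; return 1
    fi
    cp "$file" "$file.bak"
    sed -n "${line}p" "$file"                        # show what is being removed
    sed "${line}d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed demo rules file: three placeholder rules, the bad one on line 2.
demo_rules() {
    tmp=$(mktemp)
    printf '%s\n' \
        'alert tcp any any -> any 80 (msg:"demo rule A"; sid:1000001;)' \
        'alert tcp any any -> any 443 (msg:"demo rule B"; byte_jump:12,0; sid:1000002;)' \
        'alert udp any any -> any 53 (msg:"demo rule C"; sid:1000003;)' > "$tmp"
    echo "$tmp"
}

# Stand-alone run: log message refers to line 2 of the constructed file.
f=$(demo_rules)
n=$(ips_error_line "IPS Error: snort/rules/used.rules(2): byte_jump can't process more than 10 bytes! (1)")
echo "removing line $n from $f:"
remove_rule_line "$f" "$n"
rm -f "$f" "$f.bak"
```

After the rule is removed on a real appliance, the IPS engine still needs the 5-10 minutes noted above to re-read the rules before the error stops.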
Summary
This article provides a solution for the "IPS Error: snort/rules/used.rules(836): byte_jump can't process more than 10 bytes! (1)" issue. The problem is due to an IPS rule received from the provider, and the solution involves removing this rule via SSH and waiting for the IPS engine to re-read the rules.
FAQ
- What causes the 'IPS Error: snort/rules/used.rules(836): byte_jump can't process more than 10 bytes! (1)' issue?
This issue is caused by a specific IPS rule received from the provider.
- What is the solution for this issue?
The issue has been fixed by the development team in the backend, and you can benefit from the fix by updating the IPS signatures to at least version 3.457.
- What can I do in case I cannot update IPS right away?
As a workaround you can remove the IPS rule by logging into SSH and executing a specific set of commands. After that, wait for 5-10 minutes for the IPS engine to re-read the rules.
Priyanka Bhotika