Snort mailing list archives
Re: Documentation!!
From: SN ORT <snort_on_acid () yahoo com>
Date: Wed, 11 Feb 2004 12:53:23 -0800 (PST)
FYI Matt Kettler

--- Matt Kettler <mkettler () evi-inc com> wrote:

> At 12:21 PM 2/11/2004, SN ORT wrote:
> > Would it be possible to make the documents with more complete examples.
>
> Possible, yes... are there any volunteers who have the spare time available to do so?

Yes, you being one of them. Seriously though, all readmes are written in the same cryptic format and one could use the SAME AMOUNT OF WORDS to create a more explanatory document.

> (remember, this is open source.. the best way to get things done is to do them.)
>
> As for an example of how to use HTTP_INSPECT, why don't you just look in the stock snort.conf? There's an example right there.
>
> > I used the config options, trying to figure out if these all go on the same line or different, trying to figure out by trial and error if I can use a variable for the "servers" IP address, such as $HTTP_SERVERS!!
>
> Of course you can use a variable... snort.conf "variables" aren't really variables at all.. they are text substitution macros. You can use/abuse them for almost anything. (If you're a C programmer, think of var as if it were #define.)

No, you can't use the var, nor do you use common CIDR on the http_inspect line. I think I've tried that newbie stuff already.

> Heck, you could make an entire rule into a "variable" if you wanted to.
>
> # theoretically, this is legal.
> var ALERT_ON_EVERYTHING alert ip any any -> any any (msg:"blah";)
> $ALERT_ON_EVERYTHING

Imagine that.

> > (so now how do I specify more than one?)
>
> The same way you do everywhere else.. AFAIK all of snort accepts the same IP address format: CIDR masks, and bracketed comma-delimited lists.

Like I said, that doesn't work.

> There's nothing magic about "variables"... you can use bracketed lists anywhere in snort where you specify an IP address.

Not in the decode lines you can't. If YOU looked in the snort.conf example, you would've noticed there are no bracketed lists to specify the IP address or range when using the "preprocessor http_inspect_server: server 1.1.1.1 \" format.

> > found out for myself I have to use the "\" to specify more options, and then find out there has to be a space between the last character and the "\", and then finally find out that I can't even use all of the options per the error below.
>
> If you'd have looked at the example that is already in snort 2.1's snort.conf you'd have known about the \ thing.

How do you think I found that out? Only after searching in OTHER FILES. NOT the readme file associated with the http_inspect file.

> Technically, the \ is used to cause more than one line to be treated as a single line.. basic unix 101.

OK, call me a dummy.

> Thus, you don't need a \ per option, you need it if you go to a new line.. again look at snort.conf
Great. Thanks. Cheese! Marc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
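An added example, written for this archive page and not taken from the thread or from the Snort project's own snort.conf, of the conventions the two posters argue about: a `var` is plain text substitution (defined without the leading `$`, referenced with it), the `\` joins the following line and must be preceded by whitespace, and it is needed only at a line break, not once per option. The addresses, ports and the flow_depth value are made up. The http_inspect_server line uses a literal address, as the stock snort.conf example cited in the thread does, because the thread does not settle whether a `$VAR` or a bracketed list is accepted on that line; the only place the example relies on a var or a bracketed list is in the rule.

```conf
# ---- Variables: text substitution, not typed variables (think #define) ----
# Defined without the leading $, referenced with it. Addresses are made up.
var HOME_NET 192.168.1.0/24
var HTTP_SERVERS [192.168.1.10,192.168.1.11]
var HTTP_PORTS 80

# Example rule: a var (here carrying a bracketed list) used where a rule
# expects an IP address. sid is from the local (>1000000) range.
alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"example only"; sid:1000001; rev:1;)

# ---- Preprocessor config: line continuation ----
# NOT ACCEPTED (per the thread): no space between the last character and
# the backslash, so it is not treated as a continuation marker.
#preprocessor http_inspect_server: server 192.168.1.10\
#    profile apache ports { 80 }

# NOT ACCEPTED: a new line without a trailing backslash is read as a new
# directive, so "profile apache ports { 80 }" is parsed on its own.
#preprocessor http_inspect_server: server 192.168.1.10
#    profile apache ports { 80 }

# WORKING: whitespace before each backslash, one backslash per line break,
# and several options on the same line need no backslash between them.
# profile is given first; the remaining option values are made up.
preprocessor http_inspect_server: server 192.168.1.10 \
    profile apache \
    ports { 80 8080 } flow_depth 300
```

After joining, the three working lines are one `http_inspect_server` directive; the two commented-out forms reproduce the failure modes the thread describes (missing space before the `\`, and a new line with no `\` at all).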
Current thread:
- Documentation!! SN ORT (Feb 11)
- Re: Documentation!! Matt Kettler (Feb 11)
- Re: Documentation!! SN ORT (Feb 11)
- Re: Documentation!! Matt Kettler (Feb 11)
- Re: Documentation!! SN ORT (Feb 11)
- <Possible follow-ups>
- RE: Documentation!! Mike Koponick (Feb 12)
- RE: Documentation!! SN ORT (Feb 12)
- RE: Documentation!! Michael Steele (Feb 12)
- Re: Documentation!! Matt Kettler (Feb 11)