Snort mailing list archives
Re: PortVar lookup
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 1 Jul 2010 14:40:00 -0400
Mike,

I know when I threw your rule into my lab's local.rules file, I had to go and define $SMTP_PORTS, as this is no longer defined by default in snort.conf. Other than that, peachy.

-Parker

-----Original Message-----
From: Kun, Mike [mailto:mkun () akamai com]
Sent: Thursday, July 01, 2010 2:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PortVar lookup

I just added a new local rule to look for outbound SMTP traffic exclusive of SMTP servers, but when I try to initialize Snort I get "FATAL ERROR: /etc/snort/rules/local.rules(1) ***Src PortVar Lookup failed on ''."

The rule is

alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET $SMTP_PORTS (msg:"LOCAL: Suspicious SMTP Traffic"; flow:established; content:"EHLO"; offset:0; classtype:misc-activity; sid:1000001;)

This is working fine on an older version of Snort, so I assume I have to configure something...

-Mike

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
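Added example, not part of the original messages or of Snort itself: a pre-flight check that lists every $VARIABLE used in a rule header that has no var, ipvar or portvar definition in snort.conf, which is the condition described in the reply above. The function names, the sample snort.conf contents and the port value 25 are constructed for illustration; only the plain $NAME reference form is handled.

```python
import re

# Snort 2.x declares variables with "var", "ipvar" or "portvar".
DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+\S")
REF_RE = re.compile(r"\$(\w+)")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop",
           "activate", "dynamic")


def defined_vars(conf_text):
    """Return the set of variable names declared in snort.conf text."""
    names = set()
    for line in conf_text.splitlines():
        match = DEF_RE.match(line)
        if match:
            names.add(match.group(1))
    return names


def undefined_refs(rules_text, defined, filename="local.rules"):
    """Return (filename, line_no, name) for each undefined header variable."""
    missing = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(ACTIONS):
            continue  # skip comments, blank lines and non-rule lines
        # The header is everything before the option list "(...)".
        header = stripped.split("(", 1)[0]
        for name in REF_RE.findall(header):
            if name not in defined:
                missing.append((filename, line_no, name))
    return missing


# Constructed sample snort.conf fragment: SMTP_PORTS is deliberately absent.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/16
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
"""

# The rule from the thread, as the only line of a local.rules file.
SAMPLE_RULES = ('alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET $SMTP_PORTS '
                '(msg:"LOCAL: Suspicious SMTP Traffic"; flow:established; '
                'content:"EHLO"; offset:0; classtype:misc-activity; '
                'sid:1000001;)\n')

if __name__ == "__main__":
    for fname, no, var in undefined_refs(SAMPLE_RULES, defined_vars(SAMPLE_CONF)):
        print(f"{fname}({no}): ${var} is not defined in snort.conf")
```

Running it against the real snort.conf and rule files before restarting the sensor reports the missing name directly instead of leaving it to a startup failure.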
Current thread:
- PortVar lookup Kun, Mike (Jul 01)
- Re: PortVar lookup Crook, Parker (Jul 01)
- Re: PortVar lookup Kun, Mike (Jul 01)
- Re: PortVar lookup Crook, Parker (Jul 01)