Re: ERROR: snort.conf(79) Undefined variable in the string: !$ALL_PROX.

[Joel Esler <jesler () sourcefire com>]

Try removing the brackets around the ports.

J

On Tue, Jan 4, 2011 at 11:38 AM, <vincent () cojot name> wrote:

> Just as a side info, if I use the following syntax, it works:
>
> var PRX_SRV_80 [128.129.130.131/32]
> var PRX_SRV_8080 [128.129.130.132/32]
> var ALL_PROX [$PRX_SRV_80,$PRX_SRV_8080]
> alert tcp !$ALL_PROX ![21:23] -> $EXTERNAL_NET any (msg:'HELP')
>
> No '()'s...
>
> Any ideas?
>
> Vincent
>
> On Tue, 4 Jan 2011, vincent () cojot name wrote:
>
> > Hi everyone,
> >
> > In the neverending quest for making my network team people happy, I have
> > come accross the following problem. I have a block of configuration that
> > used variables referencing variables that doesn't work anymore in my
> > 2.9.0.3 builds.
> >
> > Here's the config block:
> > -------------------- CUT -------------------------
> > var PRX_SRV_80 [128.129.130.131/32]
> > var PRX_SRV_8080 [128.129.130.132/32]
> > var ALL_PROX [$(PRX_SRV_80),$(PRX_SRV_8080)]
> > alert tcp !$ALL_PROX ![21:23] -> $EXTERNAL_NET any (msg:'HELP')
> > -------------------- CUT -------------------------
> >
> > On my 2.9.0.2 builds, running 'snort -T -c snort.conf' gives:
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 1 Snort rules read
> > [......]
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.0.2 (Build 92)
> > [......]
> > Snort successfully validated the
> > configuration!
> > Snort exiting
> >
> > On my 2.9.0.3 builds, I now get this:
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ERROR: snort.conf(79) Undefined variable in the string: !$ALL_PROX.
> > Fatal Error, Quitting..
> >
> > On my 2.9.0.3 builds, I used these extra options (relative to my 2.9.0.2
> > builds):
> >
> > --enable-ipv6 \
> > --enable-gre \
> > --enable-mpls \
> > --enable-ppm \
> > --enable-perfprofiling \
> > --enable-active-response \
> > --enable-normalizer \
> > --enable-reload \
> > --enable-react \
> >
> > Does anyone have any idea to explain why what used to work doesn't work
> > anymore....?
> >
> > Any help welcomed.. :)
>
>
> ------------------------------------------------------------------------------
> Learn how Oracle Real Application Clusters (RAC) One Node allows customers
> to consolidate database storage, standardize their database environment,
> and,
> should the need arise, upgrade to a full multi-node Oracle RAC database
> without downtime or disruption
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Joel Esler
Skype:eslerjoel
http://blog.snort.org

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users