Snort mailing list archives
Snort 2.9.1.1 sfportscan syntax changed?
From: Cees <celzinga () gmail com>
Date: Wed, 19 Oct 2011 13:19:12 +0200
Hello list, I'm trying to upgrade my Snort 2.8.6 to 2.9.1.1. I'm running into some problems with the sfportscan preprocessor. There seems to be an (undocumented?) change that invalidates the old syntax. It's best described with an example. Take the following Snort.conf: --- var HOME_NET [10.0.0.0/8] var TRUSTED_A [10.0.0.1/32] var TRUSTED_B [10.1.2.3/32] preprocessor sfportscan: \ watch_ip { $HOME_NET } \ ignore_scanners { $TRUSTED_A,$TRUSTED_B } --- Now if we check the configuration with Snort 2.9.1.1: ERROR: snort.conf(7) => Invalid ip_list to 'ignore_scanners' option. This used to work fine in 2.8.6.1. Specifying a single variable as ignore_scanners does work. Am I missing something? Thanks in advance, Cees ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort 2.9.1.1 sfportscan syntax changed? Cees (Oct 19)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Joel Esler (Oct 19)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Cees (Oct 20)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Joel Esler (Oct 19)