Snort mailing list archives
Re: Snort 2.9.1.1 sfportscan syntax changed?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Oct 2011 13:03:28 -0400
This should have never worked, being that you can't use variables in a preprocessor.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 19, 2011, at 7:19 AM, Cees wrote:
Hello list,

I'm trying to upgrade my Snort 2.8.6 to 2.9.1.1. I'm running into some problems with the sfportscan preprocessor. There seems to be an (undocumented?) change that invalidates the old syntax. It's best described with an example. Take the following Snort.conf:

---
var HOME_NET [10.0.0.0/8]
var TRUSTED_A [10.0.0.1/32]
var TRUSTED_B [10.1.2.3/32]
preprocessor sfportscan: \
    watch_ip { $HOME_NET } \
    ignore_scanners { $TRUSTED_A,$TRUSTED_B }
---

Now if we check the configuration with Snort 2.9.1.1:

ERROR: snort.conf(7) => Invalid ip_list to 'ignore_scanners' option.

This used to work fine in 2.8.6.1. Specifying a single variable as ignore_scanners does work. Am I missing something?

Thanks in advance,
Cees

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
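An added example, not part of the thread and not Snort code: a small Python check to run over a snort.conf before an upgrade, listing every preprocessor option block that references `$` variables, which is the construct the reply above says is not supported. The sample is the configuration quoted in the thread, with a blank line assumed before the directive so the line number matches the quoted error; the function names are hypothetical.

```python
import re

# Sample input: the snort.conf quoted in the thread. The blank line before
# the preprocessor directive is an assumption, added so that the directive
# ends on line 7 as in the quoted error message.
SAMPLE_CONF = r"""var HOME_NET [10.0.0.0/8]
var TRUSTED_A [10.0.0.1/32]
var TRUSTED_B [10.1.2.3/32]

preprocessor sfportscan: \
    watch_ip { $HOME_NET } \
    ignore_scanners { $TRUSTED_A,$TRUSTED_B }
"""

VAR_REF = re.compile(r"\$\(?([A-Za-z_][A-Za-z0-9_]*)")   # $NAME or $(NAME)
OPTION_BLOCK = re.compile(r"(\w+)\s*\{([^}]*)\}")         # option { value }
PREPROC = re.compile(r"\s*preprocessor\s+(\w+)\s*:(.*)")

def logical_lines(text):
    """Yield (last physical line number, text) with '\\' continuations joined."""
    buf = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield no, " ".join(buf)
        buf = []
    if buf:  # file ended on a dangling continuation
        yield no, " ".join(buf)

def find_preprocessor_vars(text):
    """Return (line, preprocessor, option, [variable names]) for every
    preprocessor option block that contains at least one variable."""
    findings = []
    for no, line in logical_lines(text):
        m = PREPROC.match(line)  # commented-out directives do not match
        if not m:
            continue
        name, body = m.groups()
        for opt, value in OPTION_BLOCK.findall(body):
            names = VAR_REF.findall(value)
            if names:
                findings.append((no, name, opt, names))
    return findings

if __name__ == "__main__":
    for no, pre, opt, names in find_preprocessor_vars(SAMPLE_CONF):
        kind = "multiple variables" if len(names) > 1 else "variable"
        print(f"snort.conf({no}): {pre} {opt}: {kind}: {', '.join(names)}")
```

Blocks reported with more than one variable match the case that fails in the thread; single-variable blocks are listed as well because the reply treats any variable in a preprocessor as unsupported.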
Current thread:
- Snort 2.9.1.1 sfportscan syntax changed? Cees (Oct 19)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Joel Esler (Oct 19)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Cees (Oct 20)
- Re: Snort 2.9.1.1 sfportscan syntax changed? Joel Esler (Oct 19)