Re: broke snort. file_data_ports

[Michael Scheidell <michael.scheidell () secnap com>]

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

and, just where does it say these will be in anywhere but file-identify.rules?



-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com] 
Sent: Thursday, December 08, 2011 8:48 AM
To: Michael Scheidell
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] broke snort. file_data_ports


 http://seclists.org/snort/2011/q4/246

 http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

 http://blog.snort.org/2011/11/vrt-rule-update-for-11022011.html


On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:

> didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?
> thank you for breaking this and waking me up at 4am
>
> Dec  8 03:06:13 scanner2 snort[3457]: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on 
> '$FILE_DATA_PORTS'.
>
> oh, and its NOT in the distributed snort.conf file.
> pwd
> /usr/local/etc/snort
> scanner2.hackertrap.net# grep FILE_DATA_PORTS *
>
> no, i did NOT enable, as you see, these are in web-client.rules
>  
> file-identify.rules
>
>
> yes, your block says to add this. portvar FILE_DATA_PORTS 
> [$HTTP_PORTS,110,143]
>
> but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.
> or, find some way to have a default, in the .rules, like first line would be:
>
> portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> > | SECNAP Network Security Corporation
>       * Best Mobile Solutions Product of 2011
>       * Best Intrusion Prevention Product
>       * Hot Company Finalist 2011
>       * Best Email Security Product
>       * Certified SNORT Integrator
>
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.spammertrap.com/
>
> ----------------------------------------------------------------------
> -------- Cloud Services Checklist: Pricing and Packaging Optimization 
> This white paper is intended to serve as a reference, checklist and 
> point of discussion for anyone considering optimizing the pricing and 
> packaging model of a cloud services business. Read Now!
> http://www.accelacomm.com/jaw/sfnl/114/51491232/______________________
> _________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com/
______________________________________________________________________  
  

------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of 
discussion for anyone considering optimizing the pricing and packaging model 
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!