Re: broke snort. file_data_ports

[Nigel Houghton <nhoughton () sourcefire com>]

The variable is in the snort.conf that ships with the VRT tar ball. It doesn't matter which rule file the variable is 
used in. The rule files are there for sorting convenience, if you use tools like Pulled Pork all the rules you use will 
be placed in one file anyway.

Quoting the post...

Action items for you:

#1. You'll need to add the above variable to your snort.conf, use the snort.conf in the VRT tarball, or download the 
new snort.conf .

#2. If you are using the Sourcefire product, or PulledPork, the change should be minimal. The Sourcefire product and 
PulledPork perform flowbit auto-enabling and resolution. If you are using another tool to mange your installation, you 
will need to pay attention to this rule category.

On Dec 8, 2011, at 8:49 AM, Michael Scheidell wrote:

> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
>
> and, just where does it say these will be in anywhere but file-identify.rules?
>
>
>
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton () sourcefire com] 
> Sent: Thursday, December 08, 2011 8:48 AM
> To: Michael Scheidell
> Cc: <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] broke snort. file_data_ports
>
>
> http://seclists.org/snort/2011/q4/246
>
> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
>
> http://blog.snort.org/2011/11/vrt-rule-update-for-11022011.html
>
>
> On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:
>
> > didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?
> > thank you for breaking this and waking me up at 4am
> >
> > Dec  8 03:06:13 scanner2 snort[3457]: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed 
> > on '$FILE_DATA_PORTS'.
> >
> > oh, and its NOT in the distributed snort.conf file.
> > pwd
> > /usr/local/etc/snort
> > scanner2.hackertrap.net# grep FILE_DATA_PORTS *
> >
> > no, i did NOT enable, as you see, these are in web-client.rules
> >
> > file-identify.rules
> >
> >
> > yes, your block says to add this. portvar FILE_DATA_PORTS 
> > [$HTTP_PORTS,110,143]
> >
> > but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.
> > or, find some way to have a default, in the .rules, like first line would be:
> >
> > portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]
> >
> >
> > --
> > Michael Scheidell, CTO
> > o: 561-999-5000
> > d: 561-948-2259
> > > | SECNAP Network Security Corporation
> >      * Best Mobile Solutions Product of 2011
> >      * Best Intrusion Prevention Product
> >      * Hot Company Finalist 2011
> >      * Best Email Security Product
> >      * Certified SNORT Integrator
> >
> > This email has been scanned and certified safe by SpammerTrap(r).
> > For Information please see http://www.spammertrap.com/
> >
> > ----------------------------------------------------------------------
> > -------- Cloud Services Checklist: Pricing and Packaging Optimization 
> > This white paper is intended to serve as a reference, checklist and 
> > point of discussion for anyone considering optimizing the pricing and 
> > packaging model of a cloud services business. Read Now!
> > http://www.accelacomm.com/jaw/sfnl/114/51491232/______________________
> > _________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/
>
> ______________________________________________________________________
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.spammertrap.com/
> ______________________________________________________________________

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/


------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of 
discussion for anyone considering optimizing the pricing and packaging model 
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!