Snort mailing list archives
Re: broke snort. file_data_ports
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 8 Dec 2011 08:59:42 -0500
The variable is in the snort.conf that ships with the VRT tar ball. It doesn't matter which rule file the variable is used in. The rule files are there for sorting convenience, if you use tools like Pulled Pork all the rules you use will be placed in one file anyway.

Quoting the post...

Action items for you:

#1. You'll need to add the above variable to your snort.conf, use the snort.conf in the VRT tarball, or download the new snort.conf.

#2. If you are using the Sourcefire product, or PulledPork, the change should be minimal. The Sourcefire product and PulledPork perform flowbit auto-enabling and resolution. If you are using another tool to manage your installation, you will need to pay attention to this rule category.

On Dec 8, 2011, at 8:49 AM, Michael Scheidell wrote:
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

and, just where does it say these will be in anywhere but file-identify.rules?

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Thursday, December 08, 2011 8:48 AM
To: Michael Scheidell
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] broke snort. file_data_ports

http://seclists.org/snort/2011/q4/246
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
http://blog.snort.org/2011/11/vrt-rule-update-for-11022011.html

On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:

didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?

thank you for breaking this and waking me up at 4am

Dec 8 03:06:13 scanner2 snort[3457]: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.

oh, and it's NOT in the distributed snort.conf file.

pwd
/usr/local/etc/snort
scanner2.hackertrap.net# grep FILE_DATA_PORTS *

no, i did NOT enable, as you see, these are in web-client.rules file-identify.rules

yes, your block says to add this.

portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.

or, find some way to have a default, in the .rules, like first line would be:

portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT Integrator
--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
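
The failure in this thread (a rule update that references a variable the local snort.conf does not declare) can be caught before the sensor is restarted. The following is an added example, not part of the original messages and not Snort, VRT or PulledPork code: a pre-flight check that lists every `$NAME` used in an active rule header but never declared with `var`, `ipvar` or `portvar`. The function name, the sample configuration and the sample rule are constructed for illustration; only the plain `$NAME` form is handled and declaration order is not checked.

```python
import re

DECL_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.+)$")
REF_RE = re.compile(r"\$(\w+)")          # plain $NAME form only (assumption)
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def undefined_refs(conf_text, rule_files):
    """Return {variable: [(file, line), ...]} for $NAME references that no
    var/ipvar/portvar line in conf_text declares."""
    known, uses = set(), []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = DECL_RE.match(line)          # comment lines never match
        if m:
            known.add(m.group(1))
            # A declaration may itself reference another variable.
            uses += [(v, "snort.conf", n) for v in REF_RE.findall(m.group(2))]
    for fname, text in rule_files.items():
        for n, line in enumerate(text.splitlines(), 1):
            if not line.lstrip().startswith(ACTIONS):
                continue                 # blank, comment, or disabled rule
            # Scope decision: inspect only the header (before the first "("),
            # where address/port variables appear; "$" in option strings is data.
            header = line.split("(", 1)[0]
            uses += [(v, fname, n) for v in REF_RE.findall(header)]
    missing = {}
    for var, fname, n in uses:
        if var not in known:
            missing.setdefault(var, []).append((fname, n))
    return missing

# Constructed sample input: a snort.conf that predates the rule update ...
OLD_CONF = """\
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""
# ... the same file with the line quoted in the thread added ...
NEW_CONF = OLD_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"
# ... and a constructed rule (not a VRT rule) that uses the new variable.
RULES = {"web-client.rules": """\
# alert tcp $EXTERNAL_NET $OLD_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000001;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed"; content:"$x"; sid:1000002;)
"""}

if __name__ == "__main__":
    for conf in (OLD_CONF, NEW_CONF):
        print(undefined_refs(conf, RULES))
```

Snort's own test mode (`snort -T -c` with the path to snort.conf) remains the authoritative check; a script like this only makes the missing name and the rule file that needs it visible before that step.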
Current thread:
- broke snort. file_data_ports Michael Scheidell (Dec 08)
- Re: broke snort. file_data_ports Nigel Houghton (Dec 08)
- Re: broke snort. file_data_ports Michael Scheidell (Dec 08)
- Re: broke snort. file_data_ports Nigel Houghton (Dec 08)
- Re: broke snort. file_data_ports Michael Scheidell (Dec 08)
- Re: broke snort. file_data_ports Nigel Houghton (Dec 08)