Snort mailing list archives

Re: Network Variables


From: "Seth Dunn" <seth () d2ms com>
Date: Thu, 2 May 2013 09:59:08 -0400

I tried using quotes,
Starting with " #
Starting and ending with "  "
Tried starting with ## and ending with ##

If I have a blank line, with the rule on the next line,
Tried calling the file with the -F switch, and not through snort.conf
file
All come back with the same error.

Very odd, not being able to comment out a line, when the snort.conf file
is full of commented lines.

Nothing seems to work with the bpf file, and it seems I am stuck to
having just one rule in the file.

 

From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Thursday, May 02, 2013 8:10 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

Quotation marks may be needed...try appending via command line as well.

James

On May 2, 2013, at 5:50 AM, Seth Dunn <seth () d2ms com> wrote:

What is DAQ?  I have seen that, but have no idea what that is.

As far as my bpf file goes, if it is like this:

#not net 10.10.0.0/24 and not net 10.30.0.0/24

not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net
10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

It will fail with:

Reading filter from bpf file: D:\Snort\etc\ignore2.bpf

ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)

Fatal Error, Quitting..

If I remove the commented line, then snort starts fine.
If I try to have multiple lines in the file (all being rules, no
comments), then it will fail with a similar error as above.
I have never seen a DAQ error.

 

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Thursday, May 02, 2013 12:08 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

Snort does allow comments in the BPF file, starting with # to end of
line.  If there is a syntax error, you should see something like:

ERROR: Can't set DAQ BPF filter to '
...
' (pcap_daq_set_filter: pcap_compile: syntax error)!

Fatal Error, Quitting..

What DAQ are you using?  Please send the BPF file that fails and the
error that you get.

On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 5/1/2013 13:09, Seth Dunn wrote:
But any ideas why snort fails to start if I add in a '#' to comment a
line??

i have no clue but it sounds like a coding error not allowing comment
lines in the BPF file... only joel or one of the snort dev guys can tell
us that... or possibly a code diver who can root around in the snort
code ;)


--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
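A preflight lint for a Snort BPF file, added here as an example that is neither code from the thread nor from Snort itself. It strips `#` comments the way Russ describes, simulates the byte count a Windows text-mode read would return when the file has CRLF line endings (an assumption about why the count in the error came up short, not something the thread confirms), and flags an `and`/`or` mix with no parentheses, which matters for an ignore filter because it decides what the sensor never inspects. The sample bytes and all function names are constructed.

```python
import re

# Constructed sample (not the poster's real file): the thread's two-line ignore
# filter saved with Windows CRLF endings, an assumption about how it was edited.
SAMPLE_BPF = (
    b"#not net 10.10.0.0/24 and not net 10.30.0.0/24\r\n"
    b"not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net\r\n"
    b"10.30.0.0/24 and dst host 10.75.45.1 && dst port 80\r\n"
)


def text_mode_read_size(data: bytes) -> int:
    """Bytes a Windows text-mode fread() would return: each CRLF becomes LF."""
    return len(data.replace(b"\r\n", b"\n"))


def strip_comments(text: str) -> str:
    """Drop '#' to end of line and join what remains into one expression,
    the single string that ends up in pcap_compile()."""
    lines = (re.sub(r"#.*$", "", line).strip() for line in text.splitlines())
    return " ".join(line for line in lines if line)


def mixes_and_or_unparenthesised(expr: str) -> bool:
    """pcap's 'and' binds tighter than 'or'; mixing them without parentheses
    is legal but makes an ignore filter easy to misread."""
    has_and = re.search(r"\band\b|&&", expr) is not None
    has_or = re.search(r"\bor\b|\|\|", expr) is not None
    return has_and and has_or and "(" not in expr


def lint_bpf(data: bytes) -> dict:
    """Checks worth running before handing a file to snort -F."""
    size_on_disk, bytes_read = len(data), text_mode_read_size(data)
    expr = strip_comments(data.decode("ascii", errors="replace"))
    # Same shape as the thread's 'short read X (a != b)'; CRLF as its cause
    # is an assumption here, not something the list confirmed.
    short = f"({bytes_read} != {size_on_disk})" if bytes_read != size_on_disk else ""
    return {
        "crlf_lines": data.count(b"\r\n"),
        "short_read": short,
        "expression": expr,
        "precedence_warning": mixes_and_or_unparenthesised(expr),
    }


def normalise_bpf(data: bytes) -> bytes:
    """Rewrite as one comment-free, LF-terminated line, the form that the
    thread reports as starting cleanly."""
    return strip_comments(data.decode("ascii", errors="replace")).encode() + b"\n"
```

Run `lint_bpf(open(path, "rb").read())` on a file before pointing `-F` at it; a non-empty `short_read` or a `precedence_warning` is worth resolving before the sensor goes live.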
