
Again, brackets around 1st variable in snort.conf


From: Randy <leganza () phillib net>
Date: Mon, 03 Sep 2001 08:26:56 +0900

OK - by request, here's my snort.conf with the net numbers edited out.

I even stuck in var INTERNAL for the 1st variable, and substituted it in for
HOME_NET in the later variables. (Needed to make it the entire class B, to get
it to cover my several class Cs.)

Just like before, this fails, because of the brackets around the value in var
INTERNAL.

"snort: FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
([143.138.0.0) didn't x-late, WTF?"

With no brackets around the value for var INTERNAL, it works fine.

I also ask - WTF?

Randy



#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################

# Single definition of the protected address space; the variables below reuse it.
# The poster reports that this bracketed form produces the FATAL ERROR quoted in
# the message, and that the same value without brackets loads cleanly.
# NOTE(review): the likely cause is nesting - the [!$INTERNAL] definitions below
# would expand to a bracketed list inside another bracketed list. Confirm against
# the Snort 1.8.0 address parser.
var INTERNAL [nnn.nnn.0.0/16]

# Protected network = the whole /16, which is wider than the individual class C
# networks actually in use (per the message).
var HOME_NET $INTERNAL

# "External" is defined as everything outside the /16. Rules written as
# $EXTERNAL_NET -> $HOME_NET therefore cannot match traffic between two hosts
# that are both inside the /16; internal-to-internal activity is not covered
# by such rules.
var EXTERNAL_NET [!$INTERNAL]
# Same value as EXTERNAL_NET. Nothing in the part of the file shown here
# references it; the included rule files may.
var EXTERNAL [!$INTERNAL]

# Explicit mail hosts, each listed as a single address (/32).
var SMTP [nnn.nnn.nnn.nn/32,nnn.nnn.nnn.nn/32]

# Explicit web hosts, each listed as a single address (/32).
var HTTP_SERVERS [nnn.nnn.nnn.n/32,nnn.nnn.nnn.nn/32]

# Every internal address is treated as a potential SQL server, unlike the
# explicit host lists used for SMTP and HTTP_SERVERS above.
var SQL_SERVERS $INTERNAL

# IP defragmentation, run with no options.
preprocessor frag2

# TCP stream tracking with the scan-detection and state-problem alerts enabled.
preprocessor stream4: detect_scans detect_state_problems

# TCP stream reassembly with no options given.
# NOTE(review): presumably this falls back to the built-in defaults for
# direction and ports - verify which ports are actually reassembled.
preprocessor stream4_reassemble

# HTTP encoding normalization, limited to port 80. Web servers listening on
# other ports are not normalized by this line, so encoded requests to them may
# not match the web rules.
preprocessor unidecode: 80 

# RPC decoding, limited to port 111.
preprocessor rpc_decode: 111 

# Back Orifice detection with the -nobrute option set.
preprocessor bo: -nobrute

# Telnet negotiation normalization, run with no options.
preprocessor telnet_decode

# ARP spoof detection is disabled.
#preprocessor arpspoof

# Portscan detection. Arguments: monitored network, port count (8),
# detection period in seconds (3), and the log file name.
# $INTERNAL is substituted here as well, so a change to its bracket form
# also changes what this line receives.
preprocessor portscan: $INTERNAL 8 3 portscan.log

# Hosts excluded from portscan alerts. The statement appears to have been
# wrapped across two lines by the mail client, and "<and so on>" looks like
# the poster's placeholder for further addresses rather than real syntax.
preprocessor portscan-ignorehosts: [nnn.nnn.nnn.nn/32,nnn.nnn.nnn.nn/32,<and so
on>] 

# Classification definitions are loaded before any rule file.
include /etc/snort/classification.config

# Local pass rules are disabled.
#include /etc/snort/localpass.rules

# Rule files, loaded in the order listed. exploit.rules is the first one, and
# it is the file named in the FATAL ERROR quoted in the message (line 6), so
# parsing stops there and none of the later files are reached.
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-iis.rules
include /etc/snort/web-misc.rules
include /etc/snort/sql.rules
include /etc/snort/x11.rules
include /etc/snort/icmp.rules
# Disabled: no alerts are generated from shellcode.rules.
# include /etc/snort/shellcode.rules
include /etc/snort/misc.rules
# Disabled: policy, info, icmp-info and virus rule sets are not loaded,
# so this sensor produces no alerts from them.
# include /etc/snort/policy.rules
# include /etc/snort/info.rules
# include /etc/snort/icmp-info.rules
# include /etc/snort/virus.rules
# Site-specific rules are loaded last.
include /etc/snort/local.rules
