Snort mailing list archives

Re: Latest rule update (Problem)


From: Phil Wood <cpw () lanl gov>
Date: Wed, 6 Mar 2002 09:45:19 -0700

On Wed, Mar 07, 2001 at 11:11:50AM -0500, skill2die4 wrote:
hi Phil :

cat -n snort.conf | egrep "46"

brings a blank line .... 


Oh well... %^)

[
  to remove the false positives, I'm going to remember to do:

  % cat -n snort.conf | awk 'NR == 46 {print}'
]

Your comments are relevant.  Snort is continually evolving.  I've been using
it since around 1.6 time.  The current rules assume variables are set
based on current .conf files.  I believe if you just use the new conf and
new rules out of the cvs distribution, and follow the USAGE file, things
will work out.  However, we both know that the configuration and rules need
to be tweaked for whatever the local situation is.  And, using an old conf
file (or one provided by a "value-adder") with new rules that assume that
some variable is set will probably fail.

For example:

# grep "^[ ]*var" snort.conf
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./

If one is coming from way back, jumping into the middle of the latest snort,
without first coming to grips with what these variables are and what their
values should be can cause problems.  

I'm not sure if the above is related at all to the problem you were seeing.
Just throwing it out as a possible, with the knowledge that it has definitely
been a problem for me, and others on the list.

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
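The failure mode Phil describes, a rules file that references a variable the local snort.conf never defines, can be caught before Snort is started. The check below is an added example, not part of the original thread or of Snort itself; it writes constructed sample files to a temp directory and reuses the same "^[ ]*var" pattern as the grep above.

```shell
#!/bin/sh
# Constructed sample snort.conf and rules file (not real Snort files), kept in a temp dir.
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d)
cat > "$WORK/snort.conf" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var RULE_PATH ./
EOF
cat > "$WORK/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed example"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"constructed example"; sid:1000002;)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed example"; sid:1000003;)
EOF

# defined_vars CONF: names set by "var NAME value" lines, one per line, sorted.
defined_vars() {
    grep "^[ ]*var" "$1" | awk '{print $2}' | sort -u
}

# referenced_vars FILE...: every $NAME used in the given files, one per line, sorted.
referenced_vars() {
    grep -oh '\$[A-Za-z_][A-Za-z0-9_]*' "$@" | sed 's/^\$//' | sort -u
}

# undefined_vars CONF RULES...: names the rules reference but CONF never defines.
# Empty output means every variable the rules depend on is set in CONF.
undefined_vars() {
    conf=$1; shift
    defined_vars "$conf" > "$WORK/defined.txt"
    referenced_vars "$@" | comm -13 "$WORK/defined.txt" -
}

# With the constructed files above this reports DNS_SERVERS and SQL_SERVERS,
# the two variables the rules assume but the old-style conf leaves unset.
undefined_vars "$WORK/snort.conf" "$WORK/web.rules"
```

Run it against the real snort.conf and the rule files named by RULE_PATH to see which variables a fresh rule set expects that the local conf does not provide.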
