Snort mailing list archives

Re: Documentation!!


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 11 Feb 2004 15:30:31 -0500

At 12:21 PM 2/11/2004, SN ORT wrote:
Would it be possible to make the documents with more
complete examples?

Possible, yes... are there any volunteers who have the spare time available to do so?

(remember, this is open source.. the best way to get things done is to do them.)

As for an example of how to use HTTP_INSPECT, why don't you just look in the stock snort.conf? There's an example right there.


I used the config options, trying to figure out if
these all go on the same line or different, trying to
figure out by trial and error if I can use a variable
for the "servers" IP address, such as $HTTP_SERVERS!!

Of course you can use a variable... snort.conf "variables" aren't really variables at all... they are text substitution macros. You can use/abuse them for almost anything. (If you're a C programmer, think of var as if it were #define.)

Heck, you could make an entire rule into a "variable" if you wanted to.

# theoretically, this is legal.
# (var takes the bare name; the $ is only used where the variable is referenced)
var ALERT_ON_EVERYTHING        alert ip any any -> any any (msg:"blah";)

$ALERT_ON_EVERYTHING

(so now how do I specify more than one?),

The same way you do everywhere else... AFAIK all of snort accepts the same IP address format: CIDR masks, and bracketed comma-delimited lists.

There's nothing magic about "variables"... you can use bracketed lists anywhere in snort where you specify an IP address.

found out
for myself I have to use the "\" to specify more
options, and then find out there has to be a space
between the last character and the "\", and then
finally find out that I can't even use all of the
options per the error below.

If you'd looked at the example that is already in snort 2.1's snort.conf, you'd have known about the \ thing.

Technically, the \ is used to cause more than one line to be treated as a single line... basic unix 101.

Thus, you don't need a \ per option; you need it if you go to a new line... again, look at snort.conf.
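To make the two points above concrete (a var is a #define-style text substitution, and \ only joins physical lines into one logical line), here is a small added example that is not part of the original thread and not Snort's own parser: it models that behaviour over a constructed snort.conf fragment, so the http_inspect keywords and addresses in SAMPLE_CONF are illustrative assumptions rather than a copy of the stock file.

```python
import re

# Constructed snort.conf fragment (assumption, not from the stock file):
# a var holding a bracketed list, a preprocessor line continued with a
# trailing backslash, and a rule that references the var.
SAMPLE_CONF = r"""
var HTTP_SERVERS [192.168.1.10,192.168.1.0/28]
preprocessor http_inspect_server: server $HTTP_SERVERS \
    profile apache ports { 80 8080 } \
    flow_depth 300
alert tcp any any -> $HTTP_SERVERS 80 (msg:"web probe"; sid:1000001;)
"""

def join_continuations(text):
    """Merge each line ending in a backslash with the following line,
    the way a Unix shell does; returns the resulting logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "   # drop the \, keep one space
            continue
        buf += line.strip()
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():                          # dangling continuation at EOF
        logical.append(buf.strip())
    return logical

def expand_vars(lines):
    """Treat 'var NAME value' as a macro definition and replace every
    later $NAME with the value verbatim; unknown $NAMEs are left alone."""
    macros, out = {}, []
    for line in lines:
        m = re.match(r"var\s+(\w+)\s+(.+)$", line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        out.append(re.sub(r"\$(\w+)",
                          lambda mm: macros.get(mm.group(1), mm.group(0)),
                          line))
    return out

def expanded_config(text=SAMPLE_CONF):
    """Logical lines of the config after continuation joining and var expansion."""
    return expand_vars(join_continuations(text))

if __name__ == "__main__":
    for line in expanded_config():
        print(line)
```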







