Re: Documentation!!

[SN ORT <snort_on_acid () yahoo com>]

FYI Matt Kettler
--- Matt Kettler <mkettler () evi-inc com> wrote:
> At 12:21 PM 2/11/2004, SN ORT wrote:
> > Would it be possible to make the documents with
> more
> > complete examples.
>
> Possible, yes... are there any volunteers who have
> the spare time available 
> to do so?

Yes, you being one of them. Seriously though, all
readme's are written in the same cryptic format and
one could use the SAME AMOUNT OF WORDS to create a
more explanatory document.

> (remember, this is open source.. the best way to get
> things done is to do 
> them.)
>
> As for an example of how to use HTTP_INSPECT, why
> don't you just look in 
> the stock snort.conf? There's an example right
> there.
>
>
> > I used the config options, trying to figure out if
> > these all go on the same line or different, trying
> to
> > figure out by trial and error if I can use a
> variable
> > for the "servers" IP address, such as
> $HTTP_SERVERS!!
>
> Of course you can use a variable... snort.conf
> "variables" aren't really 
> variables at all.. they are text substitution
> macros. You can use/abuse 
> them for almost anything. (If you're a C programmer,
> think of var as if it 
> were #define)

No you can't use the var nor do you use common CIDR 
on the http_inspect line. I think I've tried that
newbie stuff already.

> Heck, you could make an entire rule into a
> "variable" if you wanted to.
>
> # theoretically, this is legal.
> var $ALERT_ON_EVERYTHING        alert ip any any ->
> any any (msg:"blah";)
>
> $ALERT_ON_EVERYTHING

Imagine that.

> > (so now how do I specify more than one?),
>
> The same way you do everywhere else.. AFAIK all of
> snort accepts the same 
> IP address format. CIDR masks, and bracketed comma
> delimited lists.

Like i said that don't work.

> There's nothing magic about "variables"... you can
> use bracketed lists 
> anywhere in snort where you specify an IP address.

not in the decode lines you can't. If YOU looked in
the snort.conf example, you wouldv'e noticed there are
no braketed lists to specify the IP address or range
when using the "preprocessor http_inspect_server:
server 1.1.1.1 \" format.

> > found out
> > for myself I have to use the "\" to specify more
> > options, and then find out there has to be a space
> > between the last character and the "\", and then
> > finally find out that I can't even use all of the
> > options per the error below.
>
> If you'd have looked at the example that is already
> in snort 2.1's 
> snort.conf you'd have known about the \ thing.

How do you think I found that out? Only after
searching in OTHER FILES. NOT the readme file
associated with the http_inspect file.

> Technically, the \ is used to cause more than one
> line to be treated as a 
> single line.. basic unix 101.

OK, call me a dummy.

> Thus, you don't need a \ per option, you need it if
> you go to a new line.. 
> again look at snort.conf

Great. Thanks. 

Cheese!

Marc


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users