Snort mailing list archives
Re: PortVar lookup
From: "Kun, Mike" <mkun () akamai com>
Date: Thu, 1 Jul 2010 14:58:59 -0400
Thanks Parker. I missed that the portvar variables weren't defined in the new version.

-Mike

-----Original Message-----
From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Thursday, July 01, 2010 2:40 PM
To: Kun, Mike; snort-users () lists sourceforge net
Subject: RE: PortVar lookup

Mike,

I know when I threw your rule into my lab's local.rules file, I had to go and define $SMTP_PORTS, as this is no longer defined by default in snort.conf. Other than that, peachy.

-Parker

-----Original Message-----
From: Kun, Mike [mailto:mkun () akamai com]
Sent: Thursday, July 01, 2010 2:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PortVar lookup

I just added a new local rule to look for outbound SMTP traffic exclusive of SMTP servers, but when I try to initialize Snort I get

"FATAL ERROR: /etc/snort/rules/local.rules(1) ***Src PortVar Lookup failed on ''."

The rule is

alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET $SMTP_PORTS (msg:"LOCAL: Suspicious SMTP Traffic"; flow:established; content:"EHLO"; offset:0; classtype:misc-activity; sid:1000001;)

This is working fine on an older version of Snort, so I assume I have to configure something...

-Mike

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
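Added example (not part of the original thread and not Snort's own code): a small pre-flight check that reports variables used in rule headers with no var/ipvar/portvar declaration in snort.conf, the condition behind the fatal error in this thread. The snort.conf excerpt is constructed for illustration, and only the plain $NAME form on single-line rules is handled.

```python
import re

# Constructed snort.conf excerpt: SMTP_PORTS is deliberately not declared.
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar SMTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# local.rules containing the rule quoted in the thread.
SAMPLE_RULES = """\
# local.rules
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET $SMTP_PORTS (msg:"LOCAL: Suspicious SMTP Traffic"; flow:established; content:"EHLO"; offset:0; classtype:misc-activity; sid:1000001;)
"""

# "var NAME value", "ipvar NAME value" and "portvar NAME value" declarations.
DECL = re.compile(r"^[ \t]*(?:var|ipvar|portvar)[ \t]+(\w+)[ \t]+\S", re.M)
# Plain $NAME references; the $(NAME) form is not handled here.
VAR_REF = re.compile(r"\$(\w+)")


def defined_vars(conf_text):
    """Names declared with var, ipvar or portvar in the configuration."""
    return set(DECL.findall(conf_text))


def undefined_refs(conf_text, rules_text):
    """Return [(line_no, name)] for header variables with no declaration."""
    known = defined_vars(conf_text)
    missing = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the header (before the option list) holds address/port
        # variables; "$" inside options such as pcre is not a variable.
        header = line.split("(", 1)[0]
        for name in VAR_REF.findall(header):
            if name not in known:
                missing.append((line_no, name))
    return missing


if __name__ == "__main__":
    for line_no, name in undefined_refs(SAMPLE_CONF, SAMPLE_RULES):
        print(f"local.rules({line_no}): ${name} is not defined in snort.conf")
```

Run against the real snort.conf and local.rules before restarting the sensor, so a missing declaration is caught before Snort refuses to start.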
Current thread:
- PortVar lookup Kun, Mike (Jul 01)
- Re: PortVar lookup Crook, Parker (Jul 01)
- Re: PortVar lookup Kun, Mike (Jul 01)
- Re: PortVar lookup Crook, Parker (Jul 01)