Snort mailing list archives

Re: Snort 2.9.1.1 sfportscan syntax changed?


From: Cees <celzinga () gmail com>
Date: Thu, 20 Oct 2011 11:16:49 +0200

Joel, thanks for the reply. I'll update my config.

On Wed, Oct 19, 2011 at 7:03 PM, Joel Esler <jesler () sourcefire com> wrote:
This should have never worked, being that you can't use variables in a preprocessor.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 19, 2011, at 7:19 AM, Cees wrote:

Hello list,

I'm trying to upgrade my Snort 2.8.6 to 2.9.1.1. I'm running into some
problems with the sfportscan preprocessor. There seems to be an
(undocumented?) change that invalidates the old syntax.

It's best described with an example.

Take the following Snort.conf:
---
var HOME_NET [10.0.0.0/8]
var TRUSTED_A [10.0.0.1/32]
var TRUSTED_B [10.1.2.3/32]

preprocessor sfportscan: \
   watch_ip { $HOME_NET } \
   ignore_scanners { $TRUSTED_A,$TRUSTED_B }
---

Now if we check the configuration with Snort 2.9.1.1:
ERROR: snort.conf(7) => Invalid ip_list to 'ignore_scanners' option.

This used to work fine in 2.8.6.1. Specifying a single variable as
ignore_scanners does work.

Am I missing something?

Thanks in advance,

Cees

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
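
Added example, not part of the original thread and not Snort project code: following Joel's reply that variables can't be used in a preprocessor, this sketch splices the literal addresses from the var definitions into the preprocessor directive. The function name expand_preprocessor_vars is hypothetical, and it assumes each var/ipvar holds a flat, single-token list such as [10.0.0.1/32].

```python
import re

# Constructed sample: the failing configuration quoted in the post above.
SAMPLE_CONF = r"""var HOME_NET [10.0.0.0/8]
var TRUSTED_A [10.0.0.1/32]
var TRUSTED_B [10.1.2.3/32]

preprocessor sfportscan: \
   watch_ip { $HOME_NET } \
   ignore_scanners { $TRUSTED_A,$TRUSTED_B }
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)\s*$")
VAR_REF = re.compile(r"\$(\w+)")


def expand_preprocessor_vars(conf_text):
    """Return (new_text, findings); findings lists each (line_no, var_name) expanded."""
    variables, findings, out = {}, [], []
    in_preproc = False
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = VAR_DEF.match(line)
        if m:
            # Assumption: flat list, so the outer [ ] can simply be stripped.
            variables[m.group(1)] = m.group(2).strip("[]")
        if not in_preproc:
            in_preproc = line.lstrip().startswith("preprocessor")
        if in_preproc:
            def substitute(ref, n=line_no):
                name = ref.group(1)
                if name not in variables:
                    raise ValueError(f"line {n}: ${name} is not defined above")
                findings.append((n, name))
                return variables[name]
            line = VAR_REF.sub(substitute, line)
            # A trailing backslash continues the directive on the next line.
            in_preproc = line.rstrip().endswith("\\")
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    fixed, found = expand_preprocessor_vars(SAMPLE_CONF)
    for n, name in found:
        print(f"snort.conf({n}): expanded ${name}")
    print(fixed)
```

Rule lines are left untouched, so $HOME_NET and similar variables keep working there; only lines belonging to a preprocessor directive are rewritten.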




