Snort mailing list archives

Re: Error when testing snort.conf with 2.9.2.1


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 19:50:35 -0500

On Feb 20, 2012, at 5:26 PM, Miguel Alvarez wrote:
On Mon, Feb 20, 2012 at 6:50 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
Hello,

I'm testing 2.9.2.1 with more or less a stock snort.conf but when I
attempt to validate my configuration, it fails.  I use pulledpork to
build my snort.rules which consist of VRT and ET Open.  This is using
the snort.conf that was included in Friday's VRT release and other
than updating rule paths and commenting out the reputation
preprocessor stuff, I think it's pretty much stock.  This is the
error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
deprecated; use detection_filter instead.

ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
Fatal Error, Quitting..

The rule in question is this, however, it is enabled on my production
systems which run 2.9.2.0 and I receive no such error:

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound
Multiple Non-SMTP Server Emails"; flow:established; content:"mail
from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
seconds 120; reference:url,doc.emergingthreats.net/2000328;
classtype:misc-activity; sid:2000328; rev:12;)

The platform for this test is CentOS 6.2 64-bit.  I will attach my
snort.conf to this email and my snort compile options were
"./configure --disable-corefiles --enable-sourcefire
--sysconfdir=/etc/snort" but please let me know if there's any other
information that would be useful in trying to determine what's going
on.

Sorry to follow up on my own post but it seems the issue was that
$HOME_NET was set to 'any'.  Once that was defined, the test completed
successfully.

Thank you

Correct, Good job troubleshooting that one Miguel.

J
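As an added example (not code from the thread or from the Snort project), the following Python pre-flight check resolves ipvar references the way the error above implies and lists every ipvar definition or rule src/dst field that ends up as "!any", so a snort.conf can be checked for the HOME_NET=any problem Miguel hit before running snort -T. The conf fragment and rule lines are constructed for the example, and treating nested negations as cancelling is an assumption about Snort's semantics, not something stated in the thread.

```python
import re
# Constructed snort.conf fragment (not the poster's attached file): HOME_NET is
# still the default 'any' and SMTP_SERVERS inherits it, as in the thread.
BROKEN_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar SMTP_SERVERS $HOME_NET
"""
# Same fragment with HOME_NET defined (RFC 5737 documentation range).
FIXED_CONF = BROKEN_CONF.replace("ipvar HOME_NET any", "ipvar HOME_NET [192.0.2.0/24]")
# Constructed rules; line 2 has the header shape of the ET rule quoted above.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"plain"; sid:1000001; rev:1;)
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"negated"; sid:2000328; rev:12;)
"""

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\S+)\s+(\S+)")
HEADER_RE = re.compile(  # action proto SRC sport dir DST dport
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+")

def parse_ipvars(conf_text):
    """Map ipvar name -> raw value for every 'ipvar NAME VALUE' line."""
    return {m.group(1): m.group(2) for m in map(IPVAR_RE.match, conf_text.splitlines()) if m}

def effective(value, ipvars, depth=0):
    """Follow $VAR references and return (negated, literal). Nested '!' are
    treated as cancelling (an assumption, not from the thread); depth stops loops."""
    negated = False
    while value.startswith("!"):
        negated, value = not negated, value[1:]
    if value.startswith("$") and value[1:] in ipvars and depth < 16:
        inner_neg, literal = effective(ipvars[value[1:]], ipvars, depth + 1)
        return negated ^ inner_neg, literal
    return negated, value

def negated_any(value, ipvars):
    """True when the field would reach Snort as '!any', which 2.9.2.1 rejects."""
    negated, literal = effective(value, ipvars)
    return negated and literal.lower() == "any"

def find_negated_any(conf_text, rules_text):
    """List ipvar definitions and rule src/dst fields that resolve to !any."""
    ipvars = parse_ipvars(conf_text)
    findings = [("ipvar", name, raw) for name, raw in ipvars.items()
                if negated_any(raw, ipvars)]
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        for field in (m.groups() if m else ()):
            if negated_any(field, ipvars):
                findings.append(("rule", lineno, field))
    return findings
```

Running find_negated_any(BROKEN_CONF, RULES) reports both negated fields on rule line 2, and the same call with FIXED_CONF reports nothing, matching the behaviour Miguel observed once HOME_NET was defined.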

