Snort mailing list archives
Re: Error when testing snort.conf with 2.9.2.1
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 19:50:35 -0500
On Feb 20, 2012, at 5:26 PM, Miguel Alvarez wrote:
On Mon, Feb 20, 2012 at 6:50 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:Hello, I'm testing 2.9.2.1 with more or less a stock snort.conf but when I attempt to validate my configuration, it fails. I use pulledpork to build my snort.rules which consist of VRT and ET Open. This is using the snort.conf that was included in Friday's VRT release and other than updating rule paths and commenting out the reputation preprocessor stuff, I think it's pretty much stock. This is the error: +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is deprecated; use detection_filter instead. ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS. Fatal Error, Quitting.. The rule in question is this, however, it is enabled on my production systems which run 2.9.2.0 and I receive no such error: alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12;)) The platform for this test CentOS 6.2 64-bit. I will attach my snort.conf to this email and my snort compile options were "./configure --disable-corefiles --enable-sourcefire --sysconfdir=/etc/snort" but please let me know if there's any other information that would be useful in trying to determine what's going on.Sorry to follow up on my own post but it seems the issue was that $HOME_NET was set to 'any'. Once that was defined, the test completed successfully. Thank you
Correct, Good job troubleshooting that one Miguel. J ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Joel Esler (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)