[Snort-users] Snort newbie

Joe McAlerney joey at ...47...
Thu May 10 12:35:47 EDT 2001


Hello Matthew,

You need to define the SMTP variable used by the rule at line 20 of
exploit.rules.  You may want to set it to "any".

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

"Bunter, Matthew" wrote:
> 
> Gurus,
> 
> Apologies for asking basics but I couldn't find these answers on snort.org,
> the FAQs or any documentation that I have.
> 
> Very basic snort.conf file, smtp, web, dns all commented out (I'm on a small
> testing segment) :
> 
> var HOME_NET $eth_ADDRESS
> var EXTERNAL_NET any
> preprocessor defrag
> preprocessor http_decode: 80 8080
> preprocessor portscan : $HOME_NET 4 3 /var/log/snort/portscan.log
> output alert_syslog: LOG_AUTH LOG_ALERT
> include exploit.rules
> include etc (from latest snort rules on snort.org)
> 
> Snort is version 1.7 running on Suse 7.1 with 2.4 kernel
> The rules files are in the same directory as the snort executable.
> 
> I get the following :
> # snort -c /etc/Snort/snort.conf
> Initializing Snort
> Initializing Network Interface eth0
> Kernel filter, protocol ALL, raw packet socket
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializing Output Plug-ins!
> 
> +++++++++++++++++++++++
> Initializing rule chains...
> [!] ERROR exploit.rules(20) => Bad port number: "msg:"EXPLOIT"
> #
> 
> All I basically want is to get snort running to produce text files under
> var/log/snort which will then be put through snortsnarf for browsing. But I
> can't even get it to start - any help would be greatly appreciated.
> 
> BTW I want to convince management how easy it is to set up Snort so help me
> avoid the 'egg-on-face' scenario please !!!
> 
> Regards,
> 
> Matt Bunter
> 
> **********************************************************************
> This message may contain information which is confidential or privileged.
> If you are not the intended recipient, please advise the sender immediately
> by reply e-mail and delete this message and any attachments
> without retaining a copy.
> 
> **********************************************************************
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list