[Snort-users] Does snort.conf have conflicting comments?

Phil Wood cpw at ...440...
Sun Nov 11 18:57:02 EST 2001


On Sun, Nov 11, 2001 at 11:19:51AM -0800, Erek Adams wrote:
> 
> In looking at the current (CVS) snort.conf, I noticed something.
> 
> Lines 37-42 discuss how to set the HOME_NET variable.  They mention how to
> place multiple IP's into a list.
> 
>     37  # You can specify lists of IP addresses for HOME_NET
>     38  # by separating the IPs with commas like this:
>     39  #
>     40  # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>     41  #
>     42  # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> 
> Now, looking down a bit....
> 
>    227  # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
>    228  # specific networks or hosts to reduce false alerts. It is typical
>    229  # to see many false alerts from DNS servers so you may want to
>    230  # add your DNS servers here. You can all multiple hosts/networks
>    231  # in a whitespace-delimited list.
>    232  #
>    233  preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> It refers to a 'whitespace delimited list'.
> 
> Is this right, wrong, or a feature of using a variable in the ignorehosts
> line?  Or do I just need to get some coffee?  :)

Candy is dandy, but liquor quicker.  It would be nice if ip lists in snort were
consistent.  They are not.  I've been there.  Done that.  Currently, I'm in
limbo doing other things.  It would be nice to make a pass on the syntax,
enforce new syntax for plugins, plugouts, and other configuration what's-its.

The reason I'm pick'n on this bone is that I just got my first bug report
on my "vim" syntax file for snort (it's been released with a new release of
vim).  So, I jumped into my code and started "fixin" things.  Every damn
preprocessor and output plugin has a different way of specifying the same
sets of things: ip lists, port lists, var=value, etc.  I need some "coffee".

> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> 

-- 
Phil Wood, cpw at ...440...




