[Snort-users] Again, brackets around 1st variable in snort.conf

Randy leganza at ...3311...
Sun Sep 2 16:28:01 EDT 2001


OK - by request, here's my snort.conf with the net numbers edited out.

I even stuck in var INTERNAL for the 1st variable, and substituted it in for
HOME_NET in the later variables. (Needed to make it the entire class B, to get
it to cover my several class Cs.)

Just like before, this fails, because of the brackets around the value in var
INTERNAL.

"snort: FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
([143.138.0.0) didn't x-late, WTF?"

With no brackets around the value for var INTERNAL, it works fine.

I also ask - WTF?

Randy



#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################

# Address variables referenced by the rule files included further down.
#
# INTERNAL is the poster's own addition: one /16 written in bracketed (list)
# form and reused by the definitions that follow.
var INTERNAL [nnn.nnn.0.0/16]

# HOME_NET takes INTERNAL's value as written, brackets included.
var HOME_NET $INTERNAL

# NOTE(review): INTERNAL is already bracketed, so these two presumably expand
# to a nested list, [![nnn.nnn.0.0/16]]. The fatal error quoted in the message
# shows an address token that still begins with "[", which is consistent with
# the inner bracket not being stripped -- confirm against the 1.8.0 parser.
# While this parse fails Snort exits at startup, so the sensor inspects nothing.
#
# Defining the external side as "everything except INTERNAL" also means rules
# written as $EXTERNAL_NET -> $HOME_NET do not match internal-to-internal
# traffic.
var EXTERNAL_NET [!$INTERNAL]
var EXTERNAL [!$INTERNAL]

# Per-service host lists; each entry is a single host (/32).
var SMTP [nnn.nnn.nnn.nn/32,nnn.nnn.nnn.nn/32]

var HTTP_SERVERS [nnn.nnn.nnn.n/32,nnn.nnn.nnn.nn/32]

# SQL_SERVERS is set to the whole internal range rather than specific hosts,
# so rules keyed on it apply to every internal address.
var SQL_SERVERS $INTERNAL

# Preprocessors. Each is loaded with the arguments shown; anything not listed
# on the line is left at that preprocessor's defaults.

# IP defragmentation, no arguments.
preprocessor frag2

# TCP stream tracking with scan detection and state-anomaly detection enabled.
preprocessor stream4: detect_scans detect_state_problems

# TCP stream reassembly, no arguments.
preprocessor stream4_reassemble

# Unicode/HTTP decoding on port 80 only; web servers listening on other ports
# are not covered by this line.
preprocessor unidecode: 80 

# RPC decoding on port 111 only.
preprocessor rpc_decode: 111 

# Back Orifice detector with the -nobrute option set.
preprocessor bo: -nobrute

# Telnet negotiation decoding, no arguments.
preprocessor telnet_decode

# ARP spoof detection is disabled.
#preprocessor arpspoof

# Portscan detector: monitored network, port-count threshold (8), detection
# period (3), log file name.
# NOTE(review): $INTERNAL carries its brackets into this argument as well;
# whether this preprocessor accepts the bracketed form is not shown -- confirm.
preprocessor portscan: $INTERNAL 8 3 portscan.log

# Hosts exempt from portscan alerts. The directive is wrapped across two lines
# by the mail client and "<and so on>" is the poster's elision, so this is not
# a loadable line as posted. Scans originating from any host listed here go
# unreported by the portscan preprocessor, so keep the list short.
preprocessor portscan-ignorehosts: [nnn.nnn.nnn.nn/32,nnn.nnn.nnn.nn/32,<and so
on>] 

# Rule classifications; loaded before the rule files below.
include /etc/snort/classification.config

# Local pass rules are disabled.
#include /etc/snort/localpass.rules

# Rule files, loaded in the order listed. exploit.rules is the first one read,
# and the fatal error quoted in the message is reported at its line 6 --
# presumably the first rule that references the bracketed address variables.
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-iis.rules
include /etc/snort/web-misc.rules
include /etc/snort/sql.rules
include /etc/snort/x11.rules
include /etc/snort/icmp.rules
# Commented-out includes below (shellcode, policy, info, icmp-info, virus) are
# not loaded, so this sensor raises no alerts from those categories.
# include /etc/snort/shellcode.rules
include /etc/snort/misc.rules
# include /etc/snort/policy.rules
# include /etc/snort/info.rules
# include /etc/snort/icmp-info.rules
# include /etc/snort/virus.rules
# Site-specific rules, loaded last.
include /etc/snort/local.rules



