[Snort-users] Latest rule update (Problem)

Phil Wood cpw at ...440...
Wed Mar 6 08:46:09 EST 2002


On Wed, Mar 07, 2001 at 11:11:50AM -0500, skill2die4 wrote:
> hi Phil :
> 
> cat -n snort.conf | egrep "46"
> 
> brings a blank line .... 
> 

Oh well... %^)

[
  to remove the false positives, I'm going to remember to do:

  % cat -n snort.conf | awk 'NR == 46 {print}'
]

Your comments are relevant.  Snort is continually evolving.  I've been using
it since around 1.6 time.  The current rules assume variables are set
based on current .conf files.  I believe if you just use the new conf and
new rules out of the cvs distribution, and following the USAGE file, things
will work out.  However, we both know that the configuration and rules need
to be tweaked for whatever the local situation is.  And, using an old conf
file (or one provided by a "value-adder") with new rules that assume that
some variable is set will probably fail.

For example:

# grep "^[ ]*var" snort.conf
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./

If one is coming from way back and jumping into the middle of the latest snort
without first coming to grips with what these variables are and what their
values should be, it can cause problems.

I'm not sure if the above is related at all to the problem you were seeing.
Just throwing it out as a possibility, with the knowledge that it has definitely
been a problem for me, and others on the list.

-- 
Phil Wood, cpw at ...440...
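A small checker for the failure mode described above (rules referencing a `$VAR` that the local snort.conf never defines), added here as an example and not part of the original post; the conf fragment and rule lines are constructed, modelled on the grep output quoted in the message.

```python
import re

# Constructed snort.conf fragment (not a real file): note that HTTP_SERVERS
# is deliberately missing, as it would be in an older conf used with new rules.
SAMPLE_CONF = """\
# local settings
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var RULE_PATH ./
"""

# Constructed rule lines in Snort 1.x syntax; the second one needs $HTTP_SERVERS.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP probe"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB probe"; flags:S;)
"""

VAR_DEF = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')   # same lines as grep "^[ ]*var"
VAR_REF = re.compile(r'\$(\w+)')                   # $NAME references

def parse_vars(conf_text):
    """Return {name: value} for every 'var NAME VALUE' line in the conf."""
    defs = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs

def undefined_vars(conf_text, rules_text):
    """Names referenced by the rules (or by other var values) but never defined."""
    defs = parse_vars(conf_text)
    referenced = set(VAR_REF.findall(rules_text))
    for value in defs.values():           # e.g. 'var SMTP $HOME_NET' needs HOME_NET
        referenced.update(VAR_REF.findall(value))
    return sorted(referenced - set(defs))

def check(conf_text, rules_text):
    """Print one line per missing variable and return the list of names."""
    missing = undefined_vars(conf_text, rules_text)
    for name in missing:
        print(f"undefined variable ${name}: add 'var {name} ...' to snort.conf")
    return missing

if __name__ == "__main__":
    check(SAMPLE_CONF, SAMPLE_RULES)
```

Running it against a real conf and rule set means reading both files and passing their text to `check`; an empty result means every `$VAR` the rules use is defined.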