[Snort-users] filters

Drew Smith drew at ...11193...
Wed Feb 11 20:29:01 EST 2004

On Wed, 2004-02-11 at 17:15, Matt Kettler wrote:
> If you RTFD a bit closer, they suggest that you use 80:8080 not [80:8080].

A bit heavy-handed, no? I think I was suggesting that I was not at all
clear on exactly what either the docs or example snort.conf had to say
about it. Since clarified.

> Does it work better without the []?

How about it will only work without.  The trouble I was running into was
the mixed use of square brackets for different assignments. Hence, my
confusion. Ain't no pin-heads in my family. We kill them at birth.

> snort.conf: Port lists must either be continuous [eg 80:8080], or a single 
> port [eg 80].

As a matter of reference for the others who may stumble onto the issue,
I still as yet have gotten it to work "without" spaces, contrary to what
both RTFD'ing and RTF'ing the example conf file imply.

> In the two examples above, the [] are part of the text, not the suggested 
> config. 

Nor are the "required" spaces.  It's a simple case of needing "this
works" and "this won't" type of examples. Not that big of a deal.

Really, if it's a simple matter of a little bit better documenting of a
config file versus sending people scouring through god only knows how
many doc files (and in many cases posting here rather than RTFD), why
not do it in the conf file in the first place and save the extra work on
everybody concerned? Myself, I was totally stumped. What I was reading
was taken in context with other items I had already dealt with in the
file. It threw me, and only for a lack of a couple comments.

Trust me, when I first posted about this, the way I was reading things I
had a legitimate beef (IMHO). That said, I'm not beyond taking a couple
of minutes to write up and submit a patch if I think it will help
anybody else in the end. 

The only stupid question is the one not asked.
