[Snort-users] The System works !! one question please !

Juan Fernandez Juan.Fernandez at ...2210...
Mon Sep 20 15:33:00 EDT 2004


The problem if I use CIDR is that the range will include IPs that
don't have HTTP servers on them.

What will be the result of that ?

I am trying to reduce false positives...

I received another reply from Alex.Butcher; he is offering the following:

It looks like Snort's configuration file parser has a maximum line length of
1024 characters (defined by STD_BUF in src/snort.h). To (try to) change
this, you'll need to modify that definition in snort.h and rebuild.

Alternatively, a workaround would be to define two or more variables, and
duplicate the signatures that use HTTP_SERVERS.


I am afraid to compile again... after so much work it took me to get it
working...

What do you suggest?

Thanks!!

I am reading the book by Jack Koziol.

-----Original Message-----
From: Harper, Patrick [mailto:patrick.harper at ...11593...] 
Sent: Monday, September 20, 2004 4:32 PM
To: Juan Fernandez; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] The System works !! one question please !

Can you use cidr?  I am not sure if there is a limit or not but would
imagine there is. 

 
-----Original Message-----
From: Juan Fernandez [mailto:Juan.Fernandez at ...2210...] 
Sent: Monday, September 20, 2004 5:08 AM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] The System works !! one question please !

Hi,

I tried to insert all of my HTTP servers in HTTP_SERVERS in snort.conf
(I have 99 servers).

Before modifying the https servers it worked.

Do I have a limit on the number of IPs I can enter? (I can't find any
syntax error.)

After I inserted those IPs and started Snort I received the following
error in /var/log/messages:

Sep 20 12:20:12 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(66)
=> Unknown rule type:
70.171.150,208.170.171.152,208.170.171.154,208.170.171.157,208.170.171.1
60,208.170.171.166,208.170.171.171,208.170.171.188,208.170.171.199,208.1
70.171.202,208.170.171.210,208.170.171.224,212.127.71.22,212.127.71.24,2
12.127.71.20,212.127.71.21,212.127.71.22,212.127.71.24,212.127.71.44,212
.127.71.45,212.127.71.52,212.127.71.81,212.127.71.99,212.127.71.100,212.
127.71.102,212.127.71.111,212.127.71.112,212.127.71.112,212.127.71.117,2
12.127.71.119,212.127.71.140,212.127.71.212]

This is the relevant section in snort.conf (line 65 starts at "var
HTTP.." and line 66 is the empty line after the whole IP list):

var HTTP_SERVERS
[212.127.72.16,212.127.72.26,212.127.72.27,212.127.72.42,212.127.72.48,2
12.127.72.49,212.127.72.55,212.127.72.55,212.127.72.57,212.127.72.58,212
.127.72.76,212.127.72.92,212.127.72.98,212.127.72.100,212.127.72.107,212
.127.72.108,212.127.72.111,212.127.72.112,212.127.72.112,212.127.72.122,
212.127.72.122,212.127.72.124,212.127.72.142,212.127.72.152,212.127.72.2
10,212.127.70.5,212.127.70.17,212.127.70.21,208.170.171.7,208.170.171.12
,208.170.171.12,208.170.171.15,208.170.171.17,208.170.171.22,208.170.171
.24,208.170.171.27,208.170.171.28,208.170.171.21,208.170.171.22,208.170.
171.26,208.170.171.27,208.170.171.42,208.170.171.46,208.170.171.48,208.1
70.171.49,208.170.171.57,208.170.171.61,208.170.171.65,208.170.171.66,20
8.170.171.72,208.170.171.77,208.170.171.78,208.170.171.82,208.170.171.95
,208.170.171.101,208.170.171.105,208.170.171.110,208.170.171.111,208.170
.171.112,208.170.171.115,208.170.171.119,208.170.171.120,208.170.171.122
,208.170.171.121,208.170.171.126,208.170.171.127,208.170.171.142,208.170
.171.150,208.170.171.152,208.170.171.154,208.170.171.157,208.170.171.160
,208.170.171.166,208.170.171.171,208.170.171.188,208.170.171.199,208.170
.171.202,208.170.171.210,208.170.171.224,212.127.71.22,212.127.71.24,212
.127.71.20,212.127.71.21,212.127.71.22,212.127.71.24,212.127.71.44,212.1
27.71.45,212.127.71.52,212.127.71.81,212.127.71.99,212.127.71.100,212.12
7.71.102,212.127.71.111,212.127.71.112,212.127.71.112,212.127.71.117,212
.127.71.119,212.127.71.140,212.127.71.212]

 

thanks !!
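
An added example, not part of the thread and not Snort project code: it combines the two suggestions from the replies, merging the host list into CIDR blocks that cover only the listed hosts and splitting the result into several variables that each fit the 1024-character buffer cited above. The `HTTP_SERVERS_n` naming, the two-character safety margin and the sample addresses are assumptions made for illustration.

```python
import ipaddress

STD_BUF = 1024          # parser buffer size quoted in the thread (src/snort.h)
MAX_LINE = STD_BUF - 2  # assumption: leave room for the newline and the NUL

def compact(addresses):
    """Deduplicate and merge into CIDR blocks covering exactly the listed hosts."""
    nets = {ipaddress.ip_network(a) for a in addresses}
    # collapse_addresses only merges fully populated ranges, so no host
    # without an HTTP server is ever pulled into the variable.
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ipaddress.collapse_addresses(nets)]

def split_var(name, addresses, max_line=MAX_LINE):
    """Return 'var NAME_n [...]' lines, none longer than max_line characters."""
    lines, chunk = [], []

    def render(items):
        return "var %s_%d [%s]" % (name, len(lines) + 1, ",".join(items))

    for item in compact(addresses):
        if chunk and len(render(chunk + [item])) > max_line:
            lines.append(render(chunk))
            chunk = []
        chunk.append(item)
    if chunk:
        lines.append(render(chunk))
    return lines

def overlong_lines(conf_text, max_line=MAX_LINE):
    """1-based numbers of lines that would not fit in the parser buffer."""
    return [i for i, line in enumerate(conf_text.splitlines(), 1)
            if len(line) > max_line]

# Constructed sample (documentation address ranges, not the poster's hosts):
# 100 scattered hosts, one fully used /29 and one duplicate entry.
SAMPLE = (["192.0.2.%d" % i for i in range(1, 200, 2)]
          + ["198.51.100.%d" % i for i in range(8, 16)]
          + ["192.0.2.55"])

if __name__ == "__main__":
    for line in split_var("HTTP_SERVERS", SAMPLE):
        print(len(line), line)
```

As the reply quoted above notes, every signature that references HTTP_SERVERS then has to be duplicated once per generated variable.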
