[Snort-users] broke snort. file_data_ports

Michael Scheidell michael.scheidell at ...8144...
Thu Dec 8 04:46:02 EST 2011


didn't we decide YEARS AGO, not to arbitrarily add $VARs to VRT rules?
thank you for breaking this and waking me up at 4am

Dec  8 03:06:13 scanner2 snort[3457]: FATAL ERROR: 
/etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on 
'$FILE_DATA_PORTS'.

oh, and it's NOT in the distributed snort.conf file.
pwd
/usr/local/etc/snort
scanner2.hackertrap.net# grep FILE_DATA_PORTS *

no, I did NOT enable, as you see, these are in web-client.rules

file-identify.rules


yes, your block says to add this.
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

but, you should have left the mucked up rules in file-identify.rules, 
NOT put them into otherwise active rules.
or, find some way to have a default, in the .rules, like first line 
would be:

portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator
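
A pre-restart check for the failure reported in the message above, as an added example (not part of the original post and not Snort project code): it lists every $VAR used in an active rule header that snort.conf never defines. The function names, the sample config and the sample rules are constructed for illustration.

```python
import re

# Snort 2.x variable definitions: var / ipvar / portvar NAME VALUE
DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s")
# Actions that start an active rule line (commented-out rules never match)
RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
REF_RE = re.compile(r"\$(\w+)")


def defined_vars(conf_text):
    """Return the set of variable names defined in a snort.conf body."""
    names = set()
    for line in conf_text.splitlines():
        m = DEF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def undefined_refs(conf_text, rules):
    """rules maps file name -> rule text; return [(file, lineno, var), ...]
    for every $VAR in an active rule header that conf_text does not define."""
    known = defined_vars(conf_text)
    missing = []
    for fname, text in sorted(rules.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            if not RULE_RE.match(line):
                continue  # blank line, comment, or disabled rule
            header = line.split("(", 1)[0]  # addresses/ports precede the options
            for var in REF_RE.findall(header):
                if var not in known:
                    missing.append((fname, lineno, var))
    return missing


# Constructed sample input (not the real snort.conf or VRT rule text).
SAMPLE_CONF = "ipvar HOME_NET any\nipvar EXTERNAL_NET any\nportvar HTTP_PORTS [80,8080]\n"
SAMPLE_RULES = {
    "web-client.rules": (
        '# alert tcp $EXTERNAL_NET $OLD_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000001;)\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed A"; sid:1000002;)\n'
        'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed B"; sid:1000003;)\n'
    ),
}

if __name__ == "__main__":
    for fname, lineno, var in undefined_refs(SAMPLE_CONF, SAMPLE_RULES):
        print(f"{fname}({lineno}): ${var} is not defined in snort.conf")
```

Run against a freshly downloaded rule set before restarting the sensor; Snort's own test mode (snort -T -c snort.conf) reports the same error but stops at the first failure.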

