[Snort-users] broke snort. file_data_ports
michael.scheidell at ...8144...
Thu Dec 8 08:49:45 EST 2011
and, just where does it say these will be in anywhere but file-identify.rules?
From: Nigel Houghton [mailto:nhoughton at ...1935...]
Sent: Thursday, December 08, 2011 8:48 AM
To: Michael Scheidell
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] broke snort. file_data_ports
On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:
> didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?
> thank you for breaking this and waking me up at 4am
> Dec 8 03:06:13 scanner2 snort: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
> oh, and its NOT in the distributed snort.conf file.
> scanner2.hackertrap.net# grep FILE_DATA_PORTS *
> no, i did NOT enable, as you see, these are in web-client.rules
> yes, your block says to add this. portvar FILE_DATA_PORTS
> but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.
> or, find some way to have a default, in the .rules, like first line would be:
> portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> > | SECNAP Network Security Corporation
> * Best Mobile Solutions Product of 2011
> * Best Intrusion Prevention Product
> * Hot Company Finalist 2011
> * Best Email Security Product
> * Certified SNORT Integrator
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.spammertrap.com/
> -------- Cloud Services Checklist: Pricing and Packaging Optimization
> This white paper is intended to serve as a reference, checklist and
> point of discussion for anyone considering optimizing the pricing and
> packaging model of a cloud services business. Read Now!
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
More information about the Snort-users