[Snort-users] broke snort. file_data_ports

Michael Scheidell michael.scheidell at ...8144...
Thu Dec 8 08:49:45 EST 2011


http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

And just where does it say these will be anywhere but file-identify.rules?



-----Original Message-----
From: Nigel Houghton [mailto:nhoughton at ...1935...] 
Sent: Thursday, December 08, 2011 8:48 AM
To: Michael Scheidell
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] broke snort. file_data_ports


 http://seclists.org/snort/2011/q4/246

 http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

 http://blog.snort.org/2011/11/vrt-rule-update-for-11022011.html


On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:

> didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?
> thank you for breaking this and waking me up at 4am
> 
> Dec  8 03:06:13 scanner2 snort[3457]: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
> 
> oh, and it's NOT in the distributed snort.conf file.
> pwd
> /usr/local/etc/snort
> scanner2.hackertrap.net# grep FILE_DATA_PORTS *
> 
> no, I did NOT enable, as you see, these are in web-client.rules
>  
> file-identify.rules
> 
> 
> yes, your block says to add this. portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
> 
> but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.
> or, find some way to have a default, in the .rules, like first line would be:
> 
> portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]
> 
> 
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> SECNAP Network Security Corporation

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/
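
The failure reported in this thread (a rule update referencing `$FILE_DATA_PORTS` while snort.conf has no matching `portvar`) can be caught before a restart. The following pre-flight check is an added example, not part of the original messages and not VRT or Snort project code; the sample config and rules are constructed. It assumes one rule per line (no backslash continuations) and does not check definition order.

```python
import re

DEF_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.*)$')
REF_RE = re.compile(r'\$(\w+)')

def parse_conf(conf_text):
    """Map each var/ipvar/portvar name in a snort.conf to (line_no, value)."""
    defs = {}
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DEF_RE.match(line)  # commented-out definitions do not match
        if m:
            defs[m.group(1)] = (no, m.group(2))
    return defs

def undefined_refs(conf_text, rules):
    """Return sorted (source, line_no, variable); rules maps file name to text."""
    defs = parse_conf(conf_text)
    missing = set()
    # A definition can reference another variable ([$HTTP_PORTS,110,143]).
    for no, value in defs.values():
        missing.update(("snort.conf", no, v)
                       for v in REF_RE.findall(value) if v not in defs)
    for fname, text in rules.items():
        for no, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # disabled rules cannot trigger the lookup failure
            header = line.split("(", 1)[0]  # skip '$' inside content/pcre
            missing.update((fname, no, v)
                           for v in REF_RE.findall(header) if v not in defs)
    return sorted(missing)

# Constructed sample input, not taken from a real snort.conf or VRT rule set.
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
# portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""
SAMPLE_RULES = {"web-client.rules": """\
# alert tcp $EXTERNAL_NET $OLD_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000001;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed"; content:"$x"; sid:1000002;)
"""}

if __name__ == "__main__":
    for source, no, var in undefined_refs(SAMPLE_CONF, SAMPLE_RULES):
        print(f"{source}({no}): ${var} is not defined")
```

Running `snort -T -c` against your own configuration remains the authoritative test, since it uses Snort's own parser; this script only flags missing variables early, for example in a rule-update job.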
