[Snort-users] broke snort. file_data_ports

Nigel Houghton nhoughton at ...1935...
Thu Dec 8 08:59:42 EST 2011


The variable is in the snort.conf that ships with the VRT tarball. It doesn't matter which rule file the variable is used in. The rule files are there for sorting convenience; if you use tools like PulledPork, all the rules you use will be placed in one file anyway.

Quoting the post...

Action items for you:

#1. You'll need to add the above variable to your snort.conf, use the snort.conf in the VRT tarball, or download the new snort.conf.

#2. If you are using the Sourcefire product, or PulledPork, the change should be minimal. The Sourcefire product and PulledPork perform flowbit auto-enabling and resolution. If you are using another tool to manage your installation, you will need to pay attention to this rule category.

On Dec 8, 2011, at 8:49 AM, Michael Scheidell wrote:

> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
> 
> and, just where does it say these will be in anywhere but file-identify.rules?
> 
> 
> 
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
> Sent: Thursday, December 08, 2011 8:48 AM
> To: Michael Scheidell
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] broke snort. file_data_ports
> 
> 
> http://seclists.org/snort/2011/q4/246
> 
> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
> 
> http://blog.snort.org/2011/11/vrt-rule-update-for-11022011.html
> 
> 
> On Dec 8, 2011, at 4:46 AM, Michael Scheidell wrote:
> 
>> didn't we decide YEARS AGO, not to arbitrarily add $VAR' to VRT rules?
>> thank you for breaking this and waking me up at 4am
>> 
>> Dec  8 03:06:13 scanner2 snort[3457]: FATAL ERROR: /etc/snort/rules/web-client.rules(142) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
>> 
>> oh, and it's NOT in the distributed snort.conf file.
>> pwd
>> /usr/local/etc/snort
>> scanner2.hackertrap.net# grep FILE_DATA_PORTS *
>> 
>> no, i did NOT enable, as you see, these are in web-client.rules
>> 
>> file-identify.rules
>> 
>> 
>> yes, your block says to add this. portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>> 
>> but, you should have left the mucked up rules in file-identify.rules, NOT put them into otherwise active rules.
>> or, find some way to have a default, in the .rules, like first line would be:
>> 
>> portvar FILE_DATA_PORTS? [$HTTP_PORTS,110,143]
>> 
>> 
>> --
>> Michael Scheidell, CTO
>> o: 561-999-5000
>> d: 561-948-2259
>> SECNAP Network Security Corporation
>> 	* Best Mobile Solutions Product of 2011
>> 	* Best Intrusion Prevention Product
>> 	* Hot Company Finalist 2011
>> 	* Best Email Security Product
>> 	* Certified SNORT Integrator
>> 
> 
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/
> 
> 

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
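
Added example (not part of the original thread and not Snort or VRT tooling): a check to run before restarting the sensor that reports rule-header variables with no definition in snort.conf, the condition behind the "PortVar Lookup failed" error quoted above. The function names, sample config and sample rules are constructed; it assumes variables are defined only by var/portvar/ipvar lines in a single config text.

```python
import re

# Definitions as written in snort.conf: var / portvar / ipvar NAME value
DEF_RE = re.compile(r"^\s*(?:var|portvar|ipvar)\s+(\w+)\s+\S")
REF_RE = re.compile(r"\$(\w+)")  # $NAME references inside a rule header
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}

def defined_vars(conf_text):
    """Names defined by var/portvar/ipvar lines in the configuration text."""
    return {m.group(1) for m in map(DEF_RE.match, conf_text.splitlines()) if m}

def rule_header(line):
    """Header of an active rule (the text before the option list), else None."""
    words = line.split(None, 1)
    if not words or words[0] not in ACTIONS:  # blank line, comment, or not a rule
        return None
    return line.split("(", 1)[0]  # options may contain '$' (pcre, content); skip them

def undefined_refs(conf_text, rule_files):
    """Sorted (file, line number, variable) for header variables that are not defined."""
    known = defined_vars(conf_text)
    found = []
    for name, text in rule_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            header = rule_header(line)
            for var in REF_RE.findall(header or ""):
                if var not in known:
                    found.append((name, lineno, var))
    return sorted(found)

# Constructed sample input, not taken from the VRT rule set.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
"""
SAMPLE_RULES = {"web-client.rules": """\
# alert tcp $EXTERNAL_NET $OLD_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000001;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ok"; pcre:"/a$B/"; sid:1000002;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"new"; sid:1000003;)
"""}
# The same config with the portvar line from the thread appended.
FIXED_CONF = SAMPLE_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

if __name__ == "__main__":
    for fname, lineno, var in undefined_refs(SAMPLE_CONF, SAMPLE_RULES):
        print(f"{fname}({lineno}): '${var}' is not defined in snort.conf")
```

Run against the real snort.conf text and the active rule files after each rule update, before the sensor is restarted.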




