[Snort-users] Error when testing snort.conf with 2.9.2.1

Miguel Alvarez miguellvrz9 at ...11827...
Mon Feb 20 12:50:39 EST 2012


Hello,

I'm testing 2.9.2.1 with more or less a stock snort.conf but when I
attempt to validate my configuration, it fails.  I use pulledpork to
build my snort.rules which consist of VRT and ET Open.  This is using
the snort.conf that was included in Friday's VRT release and other
than updating rule paths and commenting out the reputation
preprocessor stuff, I think it's pretty much stock.  This is the
error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
deprecated; use detection_filter instead.

ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
Fatal Error, Quitting..

The rule in question is this; however, it is enabled on my production
systems which run 2.9.2.0 and I receive no such error:

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound
Multiple Non-SMTP Server Emails"; flow:established; content:"mail
from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
seconds 120; reference:url,doc.emergingthreats.net/2000328;
classtype:misc-activity; sid:2000328; rev:12;)

The platform for this test is CentOS 6.2 64-bit.  I will attach my
snort.conf to this email; my snort compile options were
"./configure --disable-corefiles --enable-sourcefire
--sysconfdir=/etc/snort".  Please let me know if there's any other
information that would be useful in trying to determine what's going
on.

Thank you
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 22485 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120220/f6bfb67a/attachment.obj>
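The error comes from the rule header, not the payload options: "!$SMTP_SERVERS" is only meaningful if SMTP_SERVERS expands to a concrete address list. In the stock 2.9.x snort.conf, HOME_NET is "any" and SMTP_SERVERS is defined as "$HOME_NET", so the negation expands to "!any", which matches nothing and can never fire; 2.9.2.1 reports that as a fatal error where 2.9.2.0 accepted it silently. The script below is an added pre-flight check written for this thread, not code from the poster or from the Snort project: it parses ipvar lines and rule headers, expands variable references, and flags every negated source or destination that resolves to "any". The sample snort.conf and rules text embedded in it are constructed to mirror the stock defaults and the ET rule quoted above (payload options trimmed); they are an assumption about the poster's configuration, since the attached snort.conf is not visible here.

```python
import re

# Constructed sample conf (not the poster's attachment): the stock 2.9.x
# defaults leave HOME_NET as "any" and alias SMTP_SERVERS to it.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar SMTP_SERVERS $HOME_NET
ipvar DNS_SERVERS [10.0.0.53,10.0.0.54]
"""

# Constructed rules: the ET rule from the post with payload options trimmed,
# plus one rule whose negation is fine because DNS_SERVERS is concrete.
SAMPLE_RULES = """\
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; sid:2000328; rev:12;)
alert tcp !$DNS_SERVERS any -> any 53 (msg:"DNS query not from a listed resolver"; sid:1000001; rev:1;)
"""

IPVAR_RE = re.compile(r'^\s*ipvar\s+(\w+)\s+(\S+)')
HEADER_RE = re.compile(
    r'^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)')
VARREF_RE = re.compile(r'\$(\w+)')


def parse_ipvars(conf_text):
    """Collect 'ipvar NAME VALUE' lines into a dict; values are kept unexpanded."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = IPVAR_RE.match(line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars


def resolve(value, ipvars, depth=0):
    """Expand $NAME references recursively; names with no ipvar are left as-is."""
    if depth > 10:  # guard against a loop such as 'ipvar A $B' / 'ipvar B $A'
        raise ValueError("ipvar reference loop while resolving %r" % value)

    def sub(m):
        name = m.group(1)
        if name in ipvars:
            return resolve(ipvars[name], ipvars, depth + 1)
        return m.group(0)

    return VARREF_RE.sub(sub, value)


def is_any(resolved):
    """True when the expanded address spec is just 'any', bracketed or not."""
    return resolved.strip('[]').lower() == 'any'


def find_negated_any(conf_text, rules_text):
    """Return (line_no, field, spec) for each rule header whose negated source
    or destination expands to 'any': the condition 2.9.2.1 rejects as fatal."""
    ipvars = parse_ipvars(conf_text)
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        for field, spec in (('src', m.group(3)), ('dst', m.group(6))):
            if spec.startswith('!') and is_any(resolve(spec[1:], ipvars)):
                findings.append((n, field, spec))
    return findings


if __name__ == '__main__':
    for n, field, spec in find_negated_any(SAMPLE_CONF, SAMPLE_RULES):
        print("snort.rules(%d) %s: !any is not allowed: %s" % (n, field, spec))
```

Run against a real snort.conf and snort.rules, the check reports both negated fields of the ET rule as long as HOME_NET stays "any"; once HOME_NET and SMTP_SERVERS are set to real addresses, the rule passes and the negation actually means something.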
