[Snort-users] Error when testing snort.conf with 188.8.131.52
miguellvrz9 at ...11827...
Mon Feb 20 12:50:39 EST 2012
I'm testing 184.108.40.206 with more or less a stock snort.conf but when I
attempt to validate my configuration, it fails. I use pulledpork to
build my snort.rules which consist of VRT and ET Open. This is using
the snort.conf that was included in Friday's VRT release and other
than updating rule paths and commenting out the reputation
preprocessor stuff, I think it's pretty much stock. This is the
Initializing rule chains...
WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
Fatal Error, Quitting..
The rule in question is this, however, it is enabled on my production
systems which run 220.127.116.11 and I receive no such error:
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12;)
The platform for this test is CentOS 6.2 64-bit. I will attach my
snort.conf to this email and my snort compile options were
"./configure --disable-corefiles --enable-sourcefire
--sysconfdir=/etc/snort" but please let me know if there's any other
information that would be useful in trying to determine what's going
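As an added example (not part of the original post or of Snort itself), a small Python checker that reproduces the "!any is not allowed" condition: it resolves ipvar chains from a constructed snort.conf fragment and reports every negated variable in a rule header that resolves to any. The ipvar values and the second rule are constructed; the first rule is the ET rule quoted above with a shortened option list.

```python
import re

# Constructed snort.conf fragment. In the stock 2.9.x layout SMTP_SERVERS
# is defined as $HOME_NET, and HOME_NET defaults to any, so the chain
# SMTP_SERVERS -> HOME_NET -> any is what produces the error in the post.
SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar SMTP_SERVERS $HOME_NET
ipvar DNS_SERVERS [10.0.0.2,10.0.0.3]
"""

# Constructed rule set: the ET rule from the post (options shortened) and
# a second rule whose negated variable resolves to a real address list.
RULES = """\
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; sid:2000328; rev:12;)
alert udp !$DNS_SERVERS 53 -> $HOME_NET any (msg:"constructed example"; sid:9000001; rev:1;)
"""

def parse_ipvars(conf):
    """Collect ipvar/var definitions as name -> raw (unresolved) value."""
    vars_ = {}
    for line in conf.splitlines():
        m = re.match(r'\s*(?:ipvar|var)\s+(\w+)\s+(\S+)', line)
        if m:
            vars_[m.group(1)] = m.group(2)
    return vars_

def resolve(value, vars_):
    """Follow $VAR references until a literal remains; stops on undefined or cyclic refs."""
    seen = set()
    while value.startswith('$') and value[1:] in vars_ and value not in seen:
        seen.add(value)
        value = vars_[value[1:]]
    return value

def negated_any(rules, conf):
    """Return (line_no, token) for each rule-header address that negates a variable resolving to 'any'."""
    vars_ = parse_ipvars(conf)
    hits = []
    header = re.compile(r'\s*\w+\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+')
    for n, line in enumerate(rules.splitlines(), 1):
        m = header.match(line)
        if not m:
            continue
        for token in m.groups():  # source address, destination address
            if token.startswith('!') and resolve(token[1:], vars_).lower() == 'any':
                hits.append((n, token))
    return hits

if __name__ == '__main__':
    for line_no, token in negated_any(RULES, SNORT_CONF):
        print(f'snort.rules({line_no}) !any is not allowed: {token}')
```

With this constructed config the checker flags both !$SMTP_SERVERS and !$HOME_NET on line 1, since both resolve to any; Snort stops at the first, so fixing only the source side would surface the same error for the destination side next.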