[Snort-users] Error when testing snort.conf with 2.9.2.1

Miguel Alvarez miguellvrz9 at ...11827...
Mon Feb 20 17:26:12 EST 2012


On Mon, Feb 20, 2012 at 6:50 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
> Hello,
>
> I'm testing 2.9.2.1 with more or less a stock snort.conf but when I
> attempt to validate my configuration, it fails.  I use pulledpork to
> build my snort.rules which consist of VRT and ET Open.  This is using
> the snort.conf that was included in Friday's VRT release and other
> than updating rule paths and commenting out the reputation
> preprocessor stuff, I think it's pretty much stock.  This is the
> error:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
> deprecated; use detection_filter instead.
>
> ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
> Fatal Error, Quitting..
>
> The rule in question is this, however, it is enabled on my production
> systems which run 2.9.2.0 and I receive no such error:
>
> alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound
> Multiple Non-SMTP Server Emails"; flow:established; content:"mail
> from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
> seconds 120; reference:url,doc.emergingthreats.net/2000328;
> classtype:misc-activity; sid:2000328; rev:12;)
>
> The platform for this test is CentOS 6.2 64-bit.  I will attach my
> snort.conf to this email and my snort compile options were
> "./configure --disable-corefiles --enable-sourcefire
> --sysconfdir=/etc/snort" but please let me know if there's any other
> information that would be useful in trying to determine what's going
> on.

Sorry to follow up on my own post but it seems the issue was that
$HOME_NET was set to 'any'.  Once that was defined, the test completed
successfully.

Thank you
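The failure in this thread comes from variable expansion: in the stock snort.conf SMTP_SERVERS is defined as $HOME_NET, so with HOME_NET set to any both !$SMTP_SERVERS and !$HOME_NET expand to !any, which 2.9.2.1 rejects. The following is an added example, not code from the thread or from the Snort project, that performs that expansion offline: it reads ipvar/var definitions from a constructed snort.conf fragment, follows nested $VAR references while folding negations, and reports every variable definition or rule address field that ends up as !any. The conf fragment, rule lines and sids are constructed for the demonstration.

```python
import re

# Constructed snort.conf fragment (not the poster's attached file): the stock
# layout in which the server variables are defined in terms of HOME_NET.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar DNS_SERVERS [192.0.2.10,192.0.2.11]
"""

# Constructed rules with made-up sids; the first has the shape of the rule in the thread.
SAMPLE_RULES = """\
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"outbound mail from non-server"; sid:1000001; rev:1;)
alert udp !$DNS_SERVERS 53 -> $HOME_NET any (msg:"dns reply from unexpected server"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"inbound ssh"; sid:1000003; rev:1;)
"""

# The fix the poster arrived at: give HOME_NET a concrete value instead of 'any'.
FIXED_CONF = SAMPLE_CONF.replace('ipvar HOME_NET any', 'ipvar HOME_NET [192.0.2.0/24]')

VAR_RE = re.compile(r'^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)', re.M)
HEADER_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+'  # action, protocol
    r'(?P<src>\S+)\s+\S+\s+(?:->|<>)\s+'                  # source address, source port, direction
    r'(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$', re.M)   # destination address, port, options
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def parse_vars(conf):
    """Collect ipvar/var definitions as name -> raw value (a later definition wins)."""
    return dict(VAR_RE.findall(conf))


def resolve(token, variables, _depth=0):
    """Expand $VAR references and fold leading '!' marks; return (negated, base_value).

    A bracketed list such as [192.0.2.0/24] is treated as a concrete value, so
    its negation is never '!any'.  Undefined variables raise KeyError, mirroring
    the fact that Snort itself would refuse the configuration.
    """
    if _depth > 32:
        raise ValueError('variable reference loop while expanding %r' % token)
    negated = False
    while token.startswith('!'):
        negated = not negated
        token = token[1:]
    if token.startswith('$'):
        name = token[1:]
        if name not in variables:
            raise KeyError('undefined variable $' + name)
        inner_negated, base = resolve(variables[name], variables, _depth + 1)
        return negated != inner_negated, base
    return negated, token


def is_negated_any(token, variables):
    """True when the token expands to the address spec '!any'."""
    negated, base = resolve(token, variables)
    return negated and base.lower() == 'any'


def check_conf(conf):
    """Names of variables whose own definition expands to '!any'."""
    variables = parse_vars(conf)
    return [name for name, value in variables.items() if is_negated_any(value, variables)]


def check_rules(conf, rules):
    """(sid, field, token) for every rule address field that expands to '!any'."""
    variables = parse_vars(conf)
    findings = []
    for match in HEADER_RE.finditer(rules):
        sid_match = SID_RE.search(match.group('opts'))
        sid = int(sid_match.group(1)) if sid_match else None
        for field in ('src', 'dst'):
            token = match.group(field)
            if is_negated_any(token, variables):
                findings.append((sid, field, token))
    return findings


if __name__ == '__main__':
    for label, conf in (('HOME_NET any', SAMPLE_CONF), ('HOME_NET defined', FIXED_CONF)):
        print(label)
        print('  variables expanding to !any:', check_conf(conf))
        for sid, field, token in check_rules(conf, SAMPLE_RULES):
            print('  sid %s: %s address %s expands to !any' % (sid, field, token))
```

With HOME_NET set to any the lint reports the EXTERNAL_NET definition, both address fields of the first rule and the source of the third; after HOME_NET is given a concrete value the same rules pass, which is the result the poster observed. The lint only models address variables and bracketed lists; port variables and the rest of snort.conf are outside its scope.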