[Snort-users] Error when testing snort.conf with 2.9.2.1

Joel Esler jesler at ...1935...
Mon Feb 20 19:50:35 EST 2012


On Feb 20, 2012, at 5:26 PM, Miguel Alvarez wrote:
> On Mon, Feb 20, 2012 at 6:50 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>> Hello,
>> 
>> I'm testing 2.9.2.1 with more or less a stock snort.conf but when I
>> attempt to validate my configuration, it fails.  I use pulledpork to
>> build my snort.rules which consist of VRT and ET Open.  This is using
>> the snort.conf that was included in Friday's VRT release and other
>> than updating rule paths and commenting out the reputation
>> preprocessor stuff, I think it's pretty much stock.  This is the
>> error:
>> 
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
>> deprecated; use detection_filter instead.
>> 
>> ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
>> Fatal Error, Quitting..
>> 
>> The rule in question is this, however, it is enabled on my production
>> systems which run 2.9.2.0 and I receive no such error:
>> 
>> alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound
>> Multiple Non-SMTP Server Emails"; flow:established; content:"mail
>> from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
>> seconds 120; reference:url,doc.emergingthreats.net/2000328;
>> classtype:misc-activity; sid:2000328; rev:12;)
>> 
>> The platform for this test CentOS 6.2 64-bit.  I will attach my
>> snort.conf to this email and my snort compile options were
>> "./configure --disable-corefiles --enable-sourcefire
>> --sysconfdir=/etc/snort" but please let me know if there's any other
>> information that would be useful in trying to determine what's going
>> on.
> 
> Sorry to follow up on my own post but it seems the issue was that
> $HOME_NET was set to 'any'.  Once that was defined, the test completed
> successfully.
> 
> Thank you

Correct, good job troubleshooting that one, Miguel.

J
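The failure in this thread comes from Snort 2.9.2.1 refusing a negated operand that ultimately resolves to `any` (`!$SMTP_SERVERS` and `!$HOME_NET` with `ipvar HOME_NET any`). The following script is an added example, not code from the thread or from the Snort project: a small pre-flight checker that models that validation so a config can be caught before `snort -T` is run. It parses `ipvar` definitions, follows `$VAR` chains, and flags any `!` operand in an `ipvar` value or a rule header whose target resolves to `any`. The configuration fragments, rule text and sids are constructed for the example; the `!any` message format is imitated from the error quoted above, and the exact set of cases real Snort rejects is an assumption of this simplified model.

```python
import re

# Constructed sample configuration fragments (not the thread's snort.conf).
# BAD mirrors the situation in the thread: HOME_NET is 'any', so anything
# negating it, directly or through another variable, trips the check.
SNORT_CONF_BAD = """\
ipvar HOME_NET any
ipvar SMTP_SERVERS $HOME_NET
ipvar EXTERNAL_NET !$HOME_NET
"""

SNORT_CONF_GOOD = """\
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar SMTP_SERVERS $HOME_NET
ipvar EXTERNAL_NET !$HOME_NET
"""

# Constructed rules; sids are placeholders in the local range.
RULES = [
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"outbound mail from non-server"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"inbound ssh"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> any 80 (msg:"outbound http"; sid:1000003; rev:1;)',
]

IPVAR_RE = re.compile(r'^\s*ipvar\s+(\w+)\s+(\S+)\s*$')
# action proto src_ip src_port dir dst_ip dst_port
HEADER_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+'
)


def parse_ipvars(conf):
    """Collect ipvar NAME VALUE definitions in order of appearance."""
    ipvars = {}
    for line in conf.splitlines():
        m = IPVAR_RE.match(line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars


def resolves_to_any(expr, ipvars, seen=None):
    """True if expr is 'any' or a $VAR chain that ends in 'any'.

    A negated or bracketed value is a restriction, so it never counts as
    'any' here; the negation itself is examined by check_operand().
    """
    seen = seen or set()
    expr = expr.strip()
    if expr == 'any':
        return True
    if expr.startswith('$'):
        name = expr[1:]
        if name in seen or name not in ipvars:
            return False  # cycle or undefined variable: out of scope here
        return resolves_to_any(ipvars[name], ipvars, seen | {name})
    return False


def check_operand(where, operand, ipvars):
    """Return an error string if operand negates something that is 'any'."""
    if operand.startswith('!') and resolves_to_any(operand[1:], ipvars):
        return f'{where}: !any is not allowed: {operand}'
    return None


def check_config(conf, rules):
    """Walk ipvar definitions and rule headers, collecting !any violations."""
    ipvars = parse_ipvars(conf)
    errors = []
    for name, value in ipvars.items():
        err = check_operand(f'ipvar {name}', value, ipvars)
        if err:
            errors.append(err)
    for lineno, rule in enumerate(rules, 1):
        m = HEADER_RE.match(rule)
        if not m:
            continue
        for operand in m.groups():
            err = check_operand(f'snort.rules({lineno})', operand, ipvars)
            if err:
                errors.append(err)
    return errors


if __name__ == '__main__':
    for label, conf in (('bad', SNORT_CONF_BAD), ('good', SNORT_CONF_GOOD)):
        print(f'--- {label} ---')
        for err in check_config(conf, RULES) or ['OK']:
            print(err)
```

Against the BAD fragment the checker reports the `EXTERNAL_NET` definition and both negated operands of the first rule; against the GOOD fragment, where `HOME_NET` is a real address list, it reports nothing, which is the same effect Miguel saw once `$HOME_NET` was defined.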
