[Snort-users] Error when testing snort.conf with 188.8.131.52
jesler at ...1935...
Mon Feb 20 19:50:35 EST 2012
On Feb 20, 2012, at 5:26 PM, Miguel Alvarez wrote:
> On Mon, Feb 20, 2012 at 6:50 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>> I'm testing 184.108.40.206 with more or less a stock snort.conf but when I
>> attempt to validate my configuration, it fails. I use pulledpork to
>> build my snort.rules which consist of VRT and ET Open. This is using
>> the snort.conf that was included in Friday's VRT release and other
>> than updating rule paths and commenting out the reputation
>> preprocessor stuff, I think it's pretty much stock. This is the
>> Initializing rule chains...
>> WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is
>> deprecated; use detection_filter instead.
>> ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
>> Fatal Error, Quitting..
>> The rule in question is this, however, it is enabled on my production
>> systems which run 220.127.116.11 and I receive no such error:
>> alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound
>> Multiple Non-SMTP Server Emails"; flow:established; content:"mail
>> from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
>> seconds 120; reference:url,doc.emergingthreats.net/2000328;
>> classtype:misc-activity; sid:2000328; rev:12;))
>> The platform for this test CentOS 6.2 64-bit. I will attach my
>> snort.conf to this email and my snort compile options were
>> "./configure --disable-corefiles --enable-sourcefire
>> --sysconfdir=/etc/snort" but please let me know if there's any other
>> information that would be useful in trying to determine what's going
> Sorry to follow up on my own post but it seems the issue was that
> $HOME_NET was set to 'any'. Once that was defined, the test completed
> Thank you
Correct, Good job troubleshooting that one Miguel.
More information about the Snort-users