[Snort-users] Startup error post-package install

Research research at ...17107...
Sat Feb 28 16:11:20 EST 2015


On Feb 28, 2015, at 12:38 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

>> 
>> On Feb 26, 2015, at 2:34 PM, Y M <snort at ...15979...> wrote:
>> 
>> 
>> 
>> > ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
>> > Fatal Error, Quitting..
>> 
>> This error is due to the fact that the $DNS_SERVERS variable is defined as any; however, you have a rule in "community-virus.rules" that looks for IP addresses that are "not" in $DNS_SERVERS by using the deny operator "!"; i.e., the rule is negating any, which is not an IP address. This is not a Snort error per se; you need to define the IP addresses that should go into $DNS_SERVERS, $HOME_NET, etc. so that when the negation takes place, it negates IP addresses and not the keyword any.
> 
> 
> community-virus.rules?  We’ve not produced that rule file in <checks the logs>  Heck, I deleted the file from our build system 23 months ago…
> 
> Last rule that was added to it was 8 years and 4 months ago…
> 
> We have a totally new community rules file system now, it’s available for download here:
> 
> https://www.snort.org/downloads
> 
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos Security Intelligence and Research Group

Hi Joel,

Yes, I believe that was because I was using an old package for my Linux distro.  Upon the advice from the forum and downloading the latest release and building from source, that problem went away and I assume that the erroneous, old line in the snort.conf has been removed.

I have also signed up for an Oinkcode and am pulling the latest rules down.

Thanks for following up.
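
Added example, not part of the original thread and not Snort project code: a pre-flight check that finds rule headers negating a variable that resolves to `any`, the condition behind the "!any is not allowed" startup error quoted above. The sample snort.conf lines, rules and sids are constructed for illustration; only single `!$VAR` negations are handled, not bracketed lists.

```python
import re

# Constructed sample input (not taken from the thread or from any real rule set).
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET any
var DNS_SERVERS any
ipvar SMTP_SERVERS $EXTERNAL_NET
"""
SAMPLE_RULES = """\
# constructed rules
alert udp $HOME_NET any -> !$DNS_SERVERS 53 (msg:"constructed A"; sid:1000001;)
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"constructed B"; sid:1000002;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"constructed C"; sid:1000003;)
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)")
NEGATED = re.compile(r"!\$(\w+)")  # single negated variable only

def parse_vars(conf_text):
    """Collect var/ipvar definitions from snort.conf-style text."""
    table = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table

def resolves_to_any(name, table, seen=()):
    """Follow $VAR references until a literal value is reached."""
    value = table.get(name)
    if value is None or name in seen:  # undefined or circular reference
        return False
    if value.startswith("$"):
        return resolves_to_any(value[1:], table, seen + (name,))
    return value == "any"

def find_negated_any(conf_text, rules_text):
    """Return (line_no, variable) for each rule header negating an 'any' variable."""
    table = parse_vars(conf_text)
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]  # addresses and ports precede the options
        for var in NEGATED.findall(header):
            if resolves_to_any(var, table):
                hits.append((no, var))
    return hits
```

On the constructed input, `find_negated_any(SAMPLE_CONF, SAMPLE_RULES)` reports lines 2 and 3; the second hit is only visible because `SMTP_SERVERS` is followed through `$EXTERNAL_NET` to `any`.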