[Snort-users] Snort++ Problem with Rules

Jim Campbell jim at w4bqp.net
Wed Aug 9 11:51:52 EDT 2017


The current Subscription Rules cause Snort to error out. The specific 
rules are:

[3690] alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD";...
[5648] alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails";...
[5659] alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";...

This is the error Snort is outputting:

...
Loading snort3.rules:
ERROR: snort3.rules:3690 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
ERROR: snort3.rules:5648 !any is not allowed: !$SMTP_SERVERS.
ERROR: snort3.rules:5648 !any is not allowed: !$HOME_NET.
ERROR: snort3.rules:5659 !any is not allowed: !$HOME_NET.
Finished snort3.rules.
...

I'm commenting these rules (#alert...) until the problem is fixed.

-- 
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin
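
Added example, not part of the original post and not Snort's own code: a pre-load check that lists rule headers whose negated source or destination address resolves to `any`, which is the condition the "!any is not allowed" errors above name. The variable table is constructed and assumes `HOME_NET` is `any` with the server variables pointing at it; the `$NAME` reference format in the table, the function names and the stub rule options are assumptions, and address lists are assumed to contain no whitespace.

```python
import re

# Constructed variable table (assumption): HOME_NET left at 'any', others derived from it.
SAMPLE_VARS = {"HOME_NET": "any", "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}

# Rule headers as quoted in the post; the elided options are replaced by a stub msg.
SAMPLE_RULES = """\
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"stub 1"; )
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"stub 2"; )
#alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"commented out"; )
alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"stub 3"; )
"""

# action proto SRC sport direction DST dport; only SRC and DST are captured.
HEADER = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+")

def split_list(body):
    """Split a bracketed list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def is_any(expr, variables, seen=()):
    """True if a value, $VAR or [list] resolves to 'any' (assumed: a list is 'any' if a member is)."""
    expr = expr.strip()
    if expr.startswith("["):
        return any(is_any(p, variables, seen) for p in split_list(expr[1:-1]))
    if expr.startswith("$"):
        name = expr[1:]
        if name in seen or name not in variables:
            return False  # reference cycle or undefined variable: cannot prove 'any'
        return is_any(variables[name], variables, seen + (name,))
    return expr == "any"  # '!x', CIDR blocks and plain addresses all give False

def find_negated_any(rules_text, variables):
    """Return (line_number, token) for each negated src/dst address that resolves to 'any'."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else HEADER.match(line)
        for token in (m.groups() if m else ()):
            if token.startswith("!") and is_any(token[1:], variables):
                hits.append((lineno, token))
    return hits
```

Run against a rules file and the site's variable values before loading: a non-empty result means either the listed variables need a concrete network value or the listed rules need to stay disabled.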



