[Snort-users] Snort++ Problem with Rules

Joel Esler (jesler) jesler at cisco.com
Wed Aug 9 12:22:59 EDT 2017


Inline below:


--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>

On Aug 9, 2017, at 11:51 AM, Jim Campbell <jim at w4bqp.net<mailto:jim at w4bqp.net>> wrote:

The current Subscription Rules cause Snort to error out. The specific rules are:

[3690] alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD";...
[5648] alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails";...
[5659] alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";...

These are not subscription rules, these are Emerging Threat rules, and will not work on Snort++.


This is the error Snort is outputting:

...
Loading snort3.rules:
ERROR: snort3.rules:3690 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
ERROR: snort3.rules:5648 !any is not allowed: !$SMTP_SERVERS.
ERROR: snort3.rules:5648 !any is not allowed: !$HOME_NET.
ERROR: snort3.rules:5659 !any is not allowed: !$HOME_NET.
Finished snort3.rules.
...

I'm commenting these rules (#alert...) until the problem is fixed.

This error, “!any”, is because you have HOME_NET set to “any” in your snort.conf.
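The point Joel makes is a general one: negating an address set that expands to `any` (`!$HOME_NET`, or `![$SMTP_SERVERS,$DNS_SERVERS]` when both variables chain back to a HOME_NET of `any`) leaves an empty set, so Snort refuses the rule at load time. The following is an added example, not Snort's own code nor anything from the thread: a small pre-flight linter that resolves variable chains and reports the same kind of `!any` condition before Snort is started, so a config change like the one above is caught without a full reload. It assumes only the two variable syntaxes shown in the sample text (Snort 2 style `ipvar NAME value` lines and Snort 3 Lua style `NAME = 'value'` assignments); the config and rule samples are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Snort 2 style:  ipvar HOME_NET any        (assumption: one definition per line)
IPVAR_RE = re.compile(r"^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)")
# Snort 3 Lua style:  HOME_NET = 'any'      (assumption: simple quoted string values)
LUA_RE = re.compile(r"^\s*(\w+)\s*=\s*['\"]([^'\"]*)['\"]")
# Rule header: action proto src sport dir dst dport ...
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|block)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)"
)


def parse_vars(conf_text: str) -> Dict[str, str]:
    """Collect network variable definitions from either config syntax."""
    variables: Dict[str, str] = {}
    for line in conf_text.splitlines():
        m = IPVAR_RE.match(line) or LUA_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def _elements(token: str) -> List[str]:
    """Split '[a,b,c]' into its members; a bare token is its own single member."""
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return [t.strip() for t in token[1:-1].split(",") if t.strip()]
    return [token]


def resolves_to_any(token: str, variables: Dict[str, str], seen=None) -> bool:
    """True when an address expression (literal, $VAR or [list]) covers 'any'."""
    seen = set() if seen is None else seen
    for elem in _elements(token):
        if elem.startswith("!"):
            # A negated member never contributes 'any' to the union.
            continue
        if elem.lower() == "any":
            return True
        if elem.startswith("$"):
            name = elem[1:]
            if name in seen:          # guard against cyclic definitions
                continue
            seen.add(name)
            if name in variables and resolves_to_any(variables[name], variables, seen):
                return True
    return False


def check_rules(rules_text: str, variables: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (line number, offending address) for every '!<set that is any>' in a rule header."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        for addr in (m.group(3), m.group(6)):   # source and destination address fields
            if addr.startswith("!") and resolves_to_any(addr[1:], variables):
                findings.append((lineno, addr))
    return findings


# Constructed sample: HOME_NET left at 'any', the situation described in the thread.
BROKEN_CONF = """
ipvar HOME_NET any
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar EXTERNAL_NET any
"""

# Constructed sample: HOME_NET set to a real range, so negations are meaningful.
FIXED_CONF = """
HOME_NET = '192.168.0.0/16'
DNS_SERVERS = '$HOME_NET'
SMTP_SERVERS = '$HOME_NET'
EXTERNAL_NET = '!$HOME_NET'
"""

# Constructed rule headers modelled on the ones quoted in the thread (bodies abbreviated).
SAMPLE_RULES = "\n".join([
    'alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"dns lookup"; sid:1000001; )',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"outbound smtp"; sid:1000002; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"inbound http"; sid:1000003; )',
])


if __name__ == "__main__":
    for label, conf in (("HOME_NET=any", BROKEN_CONF), ("HOME_NET set", FIXED_CONF)):
        print(label)
        for lineno, addr in check_rules(SAMPLE_RULES, parse_vars(conf)):
            print(f"  line {lineno}: !any is not allowed: {addr}")
```

Run against the first config it reports the three negated addresses from rules 1 and 2 (the same fields Snort rejects in the quoted error output); against the second it reports nothing, because every chain now ends in a concrete range rather than `any`. Commenting the rules out silences the loader but also drops the detection; fixing the variable keeps both.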
