[Snort-users] Snort++ Problem with Rules
Joel Esler (jesler)
jesler at cisco.com
Wed Aug 9 12:22:59 EDT 2017
Joel Esler | Talos: Manager | jesler at cisco.com
On Aug 9, 2017, at 11:51 AM, Jim Campbell <jim at w4bqp.net> wrote:

> The current Subscription Rules cause Snort to error out. The specific rules are:
>
>  alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD";...
>  alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails";...
>  alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";…

These are not subscription rules, these are Emerging Threat rules, and will not work on Snort++.

> This is the error Snort is outputting:
>
> ERROR: snort3.rules:3690 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
> ERROR: snort3.rules:5648 !any is not allowed: !$SMTP_SERVERS.
> ERROR: snort3.rules:5648 !any is not allowed: !$HOME_NET.
> ERROR: snort3.rules:5659 !any is not allowed: !$HOME_NET.
>
> I'm commenting these rules (#alert...) until the problem is fixed.

This error, “!any”, is because you have HOME_NET set to “any” in your snort.conf.
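The point Joel makes above (a negated address variable is rejected once the variable resolves to "any") can be checked before handing a rule set to Snort. The script below is an added example written for this thread, not code from the Snort project: it parses the address fields of the three rule headers quoted above, follows $VAR references to their values, and reports any negated field that ends up as "any", producing one message per offending field in the same shape as the four ERROR lines in the thread. The two variable tables are constructed: VARS_ANY mirrors the reported setup (HOME_NET = any, with the server variables inheriting it), and VARS_FIXED shows that pinning the variables to concrete addresses (RFC 5737 documentation ranges here) makes the same rules pass.

```python
import re
from typing import Dict, List

# Constructed sample input: the three rule headers from the thread, with the
# option body reduced to the msg keyword so each line is a complete rule.
RULES = [
    'alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; )',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; )',
    'alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; )',
]

# Constructed variable tables. VARS_ANY reproduces the failing setup from the
# thread; VARS_FIXED is the corrected one with concrete documentation addresses.
VARS_ANY = {"HOME_NET": "any", "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}
VARS_FIXED = {"HOME_NET": "192.0.2.0/24", "SMTP_SERVERS": "192.0.2.25", "DNS_SERVERS": "192.0.2.53"}

# action proto src_ip src_port direction dst_ip dst_port ( ...
HEADER_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')


def resolve(token: str, variables: Dict[str, str], depth: int = 0) -> str:
    """Follow $VAR references until a literal value ("any", a CIDR, a list) is reached."""
    if depth > 10:
        raise ValueError(f"variable reference loop at {token}")
    if token.startswith("$"):
        name = token[1:]
        if name not in variables:
            raise ValueError(f"undefined variable {token}")
        return resolve(variables[name], variables, depth + 1)
    return token


def negated_any(field: str, variables: Dict[str, str]) -> bool:
    """True if the address field negates something that resolves to "any".

    Handles a negated single item (!$HOME_NET), a negated list
    (![$A,$B]) and negated items inside a list ([!$A,10.0.0.0/8]).
    """
    outer_negated = field.startswith("!")
    body = field[1:] if outer_negated else field
    body = body.strip("[]")
    for item in body.split(","):
        item = item.strip()
        inner_negated = item.startswith("!")
        if inner_negated:
            item = item[1:]
        if (outer_negated or inner_negated) and resolve(item, variables) == "any":
            return True
    return False


def check_rules(rules: List[str], variables: Dict[str, str]) -> List[str]:
    """Return one message per src/dst address field that Snort 3 would reject."""
    problems = []
    for lineno, rule in enumerate(rules, 1):
        m = HEADER_RE.match(rule)
        if not m:
            problems.append(f"line {lineno}: unparseable rule header")
            continue
        src, dst = m.group(3), m.group(6)
        for field in (src, dst):
            if negated_any(field, variables):
                problems.append(f"line {lineno}: !any is not allowed: {field}")
    return problems


if __name__ == "__main__":
    for label, table in (("HOME_NET = any", VARS_ANY), ("HOME_NET pinned", VARS_FIXED)):
        print(f"--- {label} ---")
        for msg in check_rules(RULES, table) or ["no problems"]:
            print(msg)
```

With VARS_ANY the checker reports four fields, the same count as the thread (the second rule is hit twice, on both its source and destination); with VARS_FIXED it reports none, which is the outcome of setting HOME_NET and the server variables to real addresses rather than commenting the rules out.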