Snort mailing list archives
Re: Does snort.conf have conflicting comments?
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 12 Nov 2001 10:24:00 -0500
The actual problem is that plugin authors have no guidelines as to argument formatting in their code, so we end up with whatever people feel comfortable with when they're writing it. This is a recognized problem, and we'll properly address it in 2.0...

-Marty

Phil Wood wrote:
> On Sun, Nov 11, 2001 at 11:19:51AM -0800, Erek Adams wrote:
> > In looking at the current (CVS) snort.conf, I noticed something. Lines 37-42 discuss how to set the HOME_NET variable. They mention how to place multiple IPs into a list.
> >
> > 37 # You can specify lists of IP addresses for HOME_NET
> > 38 # by separating the IPs with commas like this:
> > 39 #
> > 40 # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> > 41 #
> > 42 # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> >
> > Now, looking down a bit....
> >
> > 227 # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> > 228 # specific networks or hosts to reduce false alerts. It is typical
> > 229 # to see many false alerts from DNS servers so you may want to
> > 230 # add your DNS servers here. You can all multiple hosts/networks
> > 231 # in a whitespace-delimited list.
> > 232 #
> > 233 preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> > It refers to a 'whitespace delimited list'. Is this right, wrong, or a feature of using a variable in the ignorehosts line? Or do I just need to get some coffee? :)
>
> Candy is dandy, but liquor quicker.
>
> It would be nice if ip lists in snort were consistent. They are not. I been there. Done that. Currently, I'm in limbo doing other things. It would be nice to make a pass on the syntax, enforce new syntax for plugins, plugouts, and other configuration what's-its.
>
> The reason I'm pick'n on this bone is that I just got my first bug report on my "vim" syntax file for snort (it's been released with a new release of vim). So, I jumped into my code and started "fixin" things. Every damn preprocessor and output plugin has a different way of specifying the same sets of things: ip lists, port lists, var=value, etc.
>
> I need some "coffee".
>
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Phil Wood, cpw () lanl gov
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
Current thread:
- Does snort.conf have conflicting comments? Erek Adams (Nov 11)
- RE: Does snort.conf have conflicting comments? Paul D. Shaffer (Nov 11)
- Re: Does snort.conf have conflicting comments? Phil Wood (Nov 11)
- Re: Does snort.conf have conflicting comments? Martin Roesch (Nov 12)