Snort mailing list archives
Error when testing snort.conf with 2.9.2.1
From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Mon, 20 Feb 2012 18:50:39 +0100
Hello,

I'm testing 2.9.2.1 with more or less a stock snort.conf but when I attempt to validate my configuration, it fails. I use pulledpork to build my snort.rules which consist of VRT and ET Open. This is using the snort.conf that was included in Friday's VRT release and other than updating rule paths and commenting out the reputation preprocessor stuff, I think it's pretty much stock.

This is the error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/rules/snort.rules(7047) threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/snort.rules(7068) !any is not allowed: !$SMTP_SERVERS.
Fatal Error, Quitting..

The rule in question is this, however, it is enabled on my production systems which run 2.9.2.0 and I receive no such error:

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12;))

The platform for this test is CentOS 6.2 64-bit. I will attach my snort.conf to this email and my snort compile options were "./configure --disable-corefiles --enable-sourcefire --sysconfdir=/etc/snort" but please let me know if there's any other information that would be useful in trying to determine what's going on.

Thank you
Attachment:
snort.conf
Description:
Current thread:
- Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Joel Esler (Feb 20)
- Re: Error when testing snort.conf with 2.9.2.1 Miguel Alvarez (Feb 20)