Snort mailing list archives

Snort++ Problem with Rules


From: Jim Campbell <jim () w4bqp net>
Date: Wed, 9 Aug 2017 11:51:52 -0400

The current Subscription Rules cause Snort to error out. The specific rules are:

[3690] alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD";...
[5648] alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails";...
[5659] alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";...

This is the error Snort is outputting:

...
Loading snort3.rules:
ERROR: snort3.rules:3690 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
ERROR: snort3.rules:5648 !any is not allowed: !$SMTP_SERVERS.
ERROR: snort3.rules:5648 !any is not allowed: !$HOME_NET.
ERROR: snort3.rules:5659 !any is not allowed: !$HOME_NET.
Finished snort3.rules.
...

I'm commenting these rules (#alert...) until the problem is fixed.

--
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin
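
Added example (not part of the original post and not Snort project code): a way to script the workaround described above, by reading the "!any is not allowed" loader errors, listing the negated variables each one names so their definitions can be checked, and commenting out only the affected rule lines. The function names, sample.rules, and the sample rules and log text are constructed for illustration.

```python
import re

# Matches loader errors in the form quoted in the post:
#   ERROR: <file>:<line> !any is not allowed: <negated address expression>.
ERROR_RE = re.compile(
    r"^ERROR: (?P<file>\S+):(?P<line>\d+) !any is not allowed: (?P<expr>.+?)\.?\s*$"
)
VAR_RE = re.compile(r"\$\w+")

def parse_errors(log_text):
    """Return {rules_file: {line_no: set of variable names in the error}}."""
    hits = {}
    for raw in log_text.splitlines():
        m = ERROR_RE.match(raw.strip())
        if not m:
            continue
        by_line = hits.setdefault(m["file"], {})
        by_line.setdefault(int(m["line"]), set()).update(VAR_RE.findall(m["expr"]))
    return hits

def comment_out(rules_text, line_numbers):
    """Prefix the given 1-based lines with '#'; skip blank or already commented lines."""
    out = []
    for no, line in enumerate(rules_text.splitlines(keepends=True), start=1):
        if no in line_numbers and line.strip() and not line.lstrip().startswith("#"):
            line = "#" + line
        out.append(line)
    return "".join(out)

# Constructed sample input: a three-line rules file and matching loader output.
SAMPLE_RULES = (
    'alert tcp any any -> $HOME_NET 80 ( msg:"constructed rule A"; sid:1000001; )\n'
    'alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"constructed rule B"; sid:1000002; )\n'
    'alert udp any any -> $DNS_SERVERS 53 ( msg:"constructed rule C"; sid:1000003; )\n'
)
SAMPLE_LOG = (
    "Loading sample.rules:\n"
    "ERROR: sample.rules:2 !any is not allowed: !$HOME_NET.\n"
    "Finished sample.rules.\n"
)

if __name__ == "__main__":
    for path, lines in parse_errors(SAMPLE_LOG).items():
        for no, names in sorted(lines.items()):
            print(f"{path}:{no} negates {sorted(names)}")
        print(comment_out(SAMPLE_RULES, set(lines)), end="")
```

Each rule disabled this way is a detection that no longer fires, so the commented line numbers are worth recording for re-enabling later.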
