Snort mailing list archives
Re: Snort++ Problem with Rules
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Wed, 9 Aug 2017 16:22:59 +0000
Inline below:

--
Joel Esler | Talos: Manager | jesler () cisco com

On Aug 9, 2017, at 11:51 AM, Jim Campbell <jim () w4bqp net> wrote:

> The current Subscription Rules cause Snort to error out. The specific rules are:
>
> [3690] alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 ( msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD";...
> [5648] alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails";...
> [5659] alert tcp !$HOME_NET any -> $HOME_NET 25 ( msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";…

These are not subscription rules, these are Emerging Threat rules, and will not work on Snort++.

> This is the error Snort is outputting:
>
> ...
> Loading snort3.rules:
> ERROR: snort3.rules:3690 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
> ERROR: snort3.rules:5648 !any is not allowed: !$SMTP_SERVERS.
> ERROR: snort3.rules:5648 !any is not allowed: !$HOME_NET.
> ERROR: snort3.rules:5659 !any is not allowed: !$HOME_NET.
> Finished snort3.rules.
> ...
>
> I'm commenting these rules (#alert...) until the problem is fixed.

This error “!any”, is because you have HOME_NET set to “any” in your snort.conf
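The "!any" condition described in the reply above can be checked before loading a rule file. The following is an added example, not code from the thread or from the Snort project, and it is not Snort's own parser: it resolves address variables and reports rules whose negated source or destination expands to "any". The variable table is constructed and assumes the server variables point at $HOME_NET; `resolves_to_any` and `find_negated_any` are hypothetical helper names.

```python
import re

# Constructed variable table (assumption): HOME_NET left at "any" as the reply
# describes, with the server variables pointing at $HOME_NET.
VARS = {"HOME_NET": "any", "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}

# Rule headers quoted in the thread, keyed by their line number in snort3.rules.
RULES = {
    3690: "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (",
    5648: "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (",
    5659: "alert tcp !$HOME_NET any -> $HOME_NET 25 (",
}

def resolves_to_any(spec, variables, depth=0):
    """Return True if an address spec expands to 'any' after variable lookup."""
    if depth > 16:                      # guard against self-referencing variables
        return False
    spec = spec.strip()
    if spec.startswith("["):            # list: 'any' if a non-negated member is
        members = re.split(r",\s*", spec.strip("[]"))
        return any(resolves_to_any(m, variables, depth + 1)
                   for m in members if not m.startswith("!"))
    if spec.startswith("$"):            # variable: follow the reference
        return resolves_to_any(variables.get(spec[1:], ""), variables, depth + 1)
    return spec == "any"

def find_negated_any(rules, variables):
    """List (line, field) pairs where a negated src/dst address resolves to 'any'."""
    findings = []
    for line_no, rule in sorted(rules.items()):
        # Header layout: action proto src sport direction dst dport
        fields = rule.split("(", 1)[0].split()
        if len(fields) != 7:
            continue                    # address lists with spaces are not handled
        for addr in (fields[2], fields[5]):
            if addr.startswith("!") and resolves_to_any(addr[1:], variables):
                findings.append((line_no, addr))
    return findings

if __name__ == "__main__":
    for line_no, addr in find_negated_any(RULES, VARS):
        print(f"snort3.rules:{line_no} negated address resolves to any: {addr}")
```

With HOME_NET set to a concrete network instead of "any", the same three rules produce no findings.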
Current thread:
- Snort++ Problem with Rules Jim Campbell (Aug 09)
- Re: Snort++ Problem with Rules Joel Esler (jesler) via Snort-users (Aug 09)
- Re: Snort++ Problem with Rules wkitty42 (Aug 09)