RE: [Snort-users] The System works !! one question please

Old 09-21-2004
Harper, Patrick
 

OK... 6 times????? Do you think if you bombard the list with the same
question over and over you will get help or answers? YOU DID NOT PAY
FOR A SUPPORT CONTRACT, THIS IS SOMETHING PEOPLE DO TO HELP OTHERS, IT
IS FROM THE GOODNESS OF OUR HEARTS AND NOTHING ELSE AND IF ANNOYED A LOT
OF PEOPLE HERE WILL IGNORE YOU
(from my experience over the years on this list)


-----Original Message-----
From: Juan Fernandez [mailto:Juan.Fernandez@deltathree.com]
Sent: Tuesday, September 21, 2004 3:23 AM
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] The System works !! one question please





The problem if I use CIDR is that in the range there will be IPs that
don't have HTTP servers on them.

What will be the result of that?

I am trying to reduce false positives...

I received another reply from Alex.Butcher; he is offering the
following:

It looks like Snort's configuration file parser has a maximum line
length of 1024 characters (defined by STD_BUF in src/snort.h). To (try
to) change this, you'll need to modify that definition in snort.h and
rebuild.

Alternatively, a workaround would be to define two or more variables,
and duplicate the signatures that use HTTP_SERVERS.


I am afraid to compile again... after so much work it took me to get
it working...

What do you suggest?

Thanks!!

I am reading the book by Jack Koziol.

-----Original Message-----
From: Harper, Patrick [mailto:patrick.harper@phns.com]
Sent: Monday, September 20, 2004 4:32 PM
To: Juan Fernandez; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] The System works !! one question please !

Can you use cidr? I am not sure if there is a limit or not but would
imagine there is.

-----Original Message-----
From: Juan Fernandez [mailto:Juan.Fernandez@deltathree.com]
Sent: Monday, September 20, 2004 5:08 AM
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] The System works !! one question please !

Hi,

I tried to insert all of my HTTP servers in HTTP_SERVERS in snort.conf
(I have 99 servers).

Before modifying the https servers it worked.

Do I have a limitation on IPs to enter (I can't find any syntax error)?

After I inserted those IPs and started Snort I received the following
error in /var/log/messages:

Sep 20 12:20:12 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(66)
=> Unknown rule type:
70.171.150,208.170.171.152,208.170.171.154,208.170.171.157,208.170.171.1
60,208.170.171.166,208.170.171.171,208.170.171.188,208.170.171.199,208.1
70.171.202,208.170.171.210,208.170.171.224,212.127.71.22,212.127.71.24,2
12.127.71.20,212.127.71.21,212.127.71.22,212.127.71.24,212.127.71.44,212
.127.71.45,212.127.71.52,212.127.71.81,212.127.71.99,212.127.71.100,212.
127.71.102,212.127.71.111,212.127.71.112,212.127.71.112,212.127.71.117,2
12.127.71.119,212.127.71.140,212.127.71.212]

This is the relevant section in snort.conf (line 65 starts at "var
HTTP.." and line 66 is the empty line after the whole IP list):

var HTTP_SERVERS
[212.127.72.16,212.127.72.26,212.127.72.27,212.127.72.42,212.127.72.48,2
12.127.72.49,212.127.72.55,212.127.72.55,212.127.72.57,212.127.72.58,212
.127.72.76,212.127.72.92,212.127.72.98,212.127.72.100,212.127.72.107,212
.127.72.108,212.127.72.111,212.127.72.112,212.127.72.112,212.127.72.122,
212.127.72.122,212.127.72.124,212.127.72.142,212.127.72.152,212.127.72.2
10,212.127.70.5,212.127.70.17,212.127.70.21,208.170.171.7,208.170.171.12
,208.170.171.12,208.170.171.15,208.170.171.17,208.170.171.22,208.170.171
.24,208.170.171.27,208.170.171.28,208.170.171.21,208.170.171.22,208.170.
171.26,208.170.171.27,208.170.171.42,208.170.171.46,208.170.171.48,208.1
70.171.49,208.170.171.57,208.170.171.61,208.170.171.65,208.170.171.66,20
8.170.171.72,208.170.171.77,208.170.171.78,208.170.171.82,208.170.171.95
,208.170.171.101,208.170.171.105,208.170.171.110,208.170.171.111,208.170
.171.112,208.170.171.115,208.170.171.119,208.170.171.120,208.170.171.122
,208.170.171.121,208.170.171.126,208.170.171.127,208.170.171.142,208.170
.171.150,208.170.171.152,208.170.171.154,208.170.171.157,208.170.171.160
,208.170.171.166,208.170.171.171,208.170.171.188,208.170.171.199,208.170
.171.202,208.170.171.210,208.170.171.224,212.127.71.22,212.127.71.24,212
.127.71.20,212.127.71.21,212.127.71.22,212.127.71.24,212.127.71.44,212.1
27.71.45,212.127.71.52,212.127.71.81,212.127.71.99,212.127.71.100,212.12
7.71.102,212.127.71.111,212.127.71.112,212.127.71.112,212.127.71.117,212
.127.71.119,212.127.71.140,212.127.71.212]

Thanks!!





Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure,
dissemination, use or reproduction is strictly prohibited. If you have
received this message in error, please delete it and notify the sender
immediately.




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users
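
The two workarounds raised in the thread (CIDR notation, and splitting the list across several variables), sketched as an added example; this is not code from the original messages or from Snort. The helper names and the sample addresses are constructed, the 1024 figure is the STD_BUF value quoted above, and the check assumes the newline has to fit in that buffer as well.

```python
import ipaddress
import re

STD_BUF = 1024  # line buffer size quoted in the thread (src/snort.h)
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+\[([^\]]*)\]\s*$")

def overlong_lines(conf_text, limit=STD_BUF):
    """Return [(line_no, bytes_needed)] for lines that do not fit the buffer.
    Assumption: the buffer must also hold the newline, as with fgets()."""
    sized = ((no, len(line.encode()) + 1)
             for no, line in enumerate(conf_text.splitlines(), start=1))
    return [(no, needed) for no, needed in sized if needed >= limit]

def parse_var(line):
    """Split 'var NAME [a,b,...]' into (NAME, [token, ...])."""
    m = VAR_RE.match(line)
    if not m:
        raise ValueError("not a bracketed var list")
    return m.group(1), [t.strip() for t in m.group(2).split(",") if t.strip()]

def compact_var(line):
    """Drop duplicates and merge only exactly-adjacent addresses into CIDR
    blocks, so the rewritten list covers no host the original did not."""
    name, toks = parse_var(line)
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(t) for t in toks)
    items = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in merged]
    return "var %s [%s]" % (name, ",".join(items))

def split_var(line, limit=STD_BUF):
    """Fallback: spread the list over NAME_1, NAME_2, ... so each line fits."""
    name, toks = parse_var(line)
    chunks, cur = [], []
    for tok in toks:
        trial = "var %s_%d [%s]" % (name, len(chunks) + 1, ",".join(cur + [tok]))
        if cur and len(trial) + 1 >= limit:
            chunks.append(cur)
            cur = []
        cur.append(tok)
    chunks.append(cur)
    return ["var %s_%d [%s]" % (name, i, ",".join(c))
            for i, c in enumerate(chunks, start=1)]

# Constructed sample (documentation address ranges, not the thread's servers).
SAMPLE_IPS = (["198.51.100.%d" % i for i in range(128)]
              + ["192.0.2.10", "192.0.2.12", "192.0.2.10"])
SAMPLE_LINE = "var HTTP_SERVERS [%s]" % ",".join(SAMPLE_IPS)
```

Rules that referenced the original variable need one copy per generated variable when `split_var` is used, as the quoted reply says.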