Snort mailing list archives
Re: Does snort.conf have conflicting comments?
From: Phil Wood <cpw () lanl gov>
Date: Sun, 11 Nov 2001 19:56:06 -0700
On Sun, Nov 11, 2001 at 11:19:51AM -0800, Erek Adams wrote:
> In looking at the current (CVS) snort.conf, I noticed something.
>
> Lines 37-42 discuss how to set the HOME_NET variable. They mention how to
> place multiple IPs into a list.
>
> 37 # You can specify lists of IP addresses for HOME_NET
> 38 # by separating the IPs with commas like this:
> 39 #
> 40 # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> 41 #
> 42 # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>
> Now, looking down a bit....
>
> 227 # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> 228 # specific networks or hosts to reduce false alerts. It is typical
> 229 # to see many false alerts from DNS servers so you may want to
> 230 # add your DNS servers here. You can all multiple hosts/networks
> 231 # in a whitespace-delimited list.
> 232 #
> 233 preprocessor portscan-ignorehosts: $DNS_SERVERS
>
> It refers to a 'whitespace delimited list'.
>
> Is this right, wrong, or a feature of using a variable in the ignorehosts
> line? Or do I just need to get some coffee? :)

Candy is dandy, but liquor quicker.

It would be nice if ip lists in snort were consistent. They are not. I been there. Done that. Currently, I'm in limbo doing other things. It would be nice to make a pass on the syntax, enforce new syntax for plugins, plugouts, and other configuration what's-its.

The reason I'm pick'n on this bone is that I just got my first bug report on my "vim" syntax file for snort (it's been released with a new release of vim). So, I jumped into my code and started "fixin" things. Every damn preprocessor and output plugin has a different way of specifying the same sets of things: ip lists, port lists, var=value, etc.

I need some "coffee".

> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov
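
As an added illustration (not part of either post and not code from the Snort distribution), the Python check below applies the two rules quoted from snort.conf in this message: bracketed `var` lists must contain no spaces, and `portscan-ignorehosts` takes a whitespace-delimited list. The sample config, the `BAD_DNS` variable and the function names are constructed for this example; it encodes only what the two comments say, which is an assumption about intent rather than a statement of what Snort's parser accepts.

```python
import ipaddress
import re

# Constructed sample config for this example (not from the Snort distribution).
SAMPLE_CONF = """\
var HOME_NET [10.1.1.0/24, 192.168.1.0/24]
var DNS_SERVERS 10.1.1.53/32 10.1.1.54/32
var BAD_DNS [10.1.1.53/32,10.1.1.54/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor portscan-ignorehosts: $BAD_DNS
"""

def _is_net(tok):
    """True if tok parses as one host or CIDR network."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False

def lint(conf):
    """Return (line_no, message) findings based on the two quoted comments."""
    variables, findings = {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"var\s+(\S+)\s+(.*)$", line)
        if m:
            name, value = m.groups()
            variables[name] = value
            # Rule from lines 37-42: no spaces inside a bracketed list.
            if value.startswith("[") and re.search(r"\s", value):
                findings.append((no, f"{name}: whitespace inside bracketed list"))
            continue
        m = re.match(r"preprocessor\s+portscan-ignorehosts:\s*(.*)$", line)
        if m:
            # Rule from lines 227-231: whitespace-delimited hosts/networks.
            expanded = re.sub(r"\$(\w+)",
                              lambda v: variables.get(v.group(1), v.group(0)),
                              m.group(1))
            for tok in expanded.split():
                if not _is_net(tok):
                    findings.append(
                        (no, f"portscan-ignorehosts: {tok!r} is not one host/network"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```
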
