Snort 2.9.1.1 sfportscan syntax changed?

[Cees <celzinga () gmail com>]

Hello list,

I'm trying to upgrade my Snort 2.8.6 to 2.9.1.1. I'm running into some
problems with the sfportscan preprocessor. There seems to be an
(undocumented?) change that invalidates the old syntax.

It's best described with an example.

Take the following Snort.conf:
---
var HOME_NET [10.0.0.0/8]
var TRUSTED_A [10.0.0.1/32]
var TRUSTED_B [10.1.2.3/32]

preprocessor sfportscan: \
    watch_ip { $HOME_NET } \
    ignore_scanners { $TRUSTED_A,$TRUSTED_B }
---

Now if we check the configuration with Snort 2.9.1.1:
ERROR: snort.conf(7) => Invalid ip_list to 'ignore_scanners' option.

This used to work fine in 2.8.6.1. Specifying a single variable as
ignore_scanners does work.

Am I missing something?

Thanks in advance,

Cees

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!