From: Mike M. <che...@ya...> - 2004-06-16 17:16:47
To be honest, I don't know anything about snort. :) I just was looking at
another user's snort.conf 'cause of the strange error he posted and saw the
coding problem via the source (AKA force).

--- James Sinnamon <jp...@we...> wrote:
> Mike,
>
> Thanks for the information and the useful regexp.
>
> I can't quite work out what was happening yesterday. I think I removed
> any /^#.*\\$/ lines which were intermingled between one line with a
> continuation character and its continuation line.
>
> As I wrote on the snort-users list:
>
> I have been able to reach first base by adding the following rule:
>
> alert tcp any any -> any any (msg:"ANY PROBE any attempt";)
>
> .... to /etc/snort/rules/experimental.rules, which is included in
> /etc/snort/snort.conf.
>
> Of course this causes a flood of messages
> and warnings, but at least I can see that Snort is responding to
> attempted and actual connections made to my firewall computer
> ports.
>
> Conversely, removing the above rule causes the flood of warnings
> to diminish to practically nothing.
>
> I am still not sure why the nmap probes referred to earlier
> did not trigger any messages, but at least I now have some
> ability to test cause and effect.
>
> If, from now on, the presence of any /^#.*\\$/ lines causes a problem,
> which I can reproduce I will open a bug report as you suggested.
>
> Thanks for your help.
>
> Best regards,
>
> James
>
> On Wed, 16 Jun 2004 04:36 am, Mike Mestnik wrote:
> > If you read the archives of June 14-15 (just 2 days ago) you will see that
> > we suspect any line in the form of /^#.*\\$/ to cause bad behaviour.
> > These comments are getting messed up by the continue operator '\'.
> >
> > What's worse is that these comment lines most likely contain valid code.
> > Thus the error is in a line much greater than the comment that caused the
> > error.
> >
> > This could be something that just slipped into the latest release. Try
> > running an older version and see if the problem persists, also get in touch
> > with the other person who had similar problems. See if there is a Debian
> > bug report, if not work with the other person to open one.
> >
> > --- James Sinnamon <jp...@we...> wrote:
> > > Dear Debian firewallers,
> > >
> > > I am not getting anything written to my log files.
> > <snip/>
>
> --
> James Sinnamon
> jps at westnet com auStralia
> ph +61 412 319669, +61 2 95692123, +61 2 95726357
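
A small checker for the pattern discussed in this thread, as an added example that is not part of the original messages: it lists the comment lines in a snort.conf that match /^#.*\\$/ and marks the ones wedged between a continued line and its continuation line. The function name and the sample configuration are constructed for illustration, and the "line to check" is only the next physical line, on the assumption that the trailing backslash affects it.

```python
import re
import sys

# Pattern quoted in the thread: a comment line ending in the continuation character.
SUSPECT = re.compile(r"^#.*\\$")

# Constructed sample configuration (not taken from anyone's real snort.conf).
SAMPLE = r"""var HOME_NET any
# output database: log, mysql, user=snort \
#   dbname=snort host=localhost
preprocessor stream4: disable_evasion_alerts, \
# detect_scans, \
    timeout 30
include $RULE_PATH/experimental.rules
"""


def find_suspect_comments(text):
    """Return (line_no, kind, next_line_no) for each comment line ending in '\\'.

    kind is 'inside-continuation' when the previous physical line also ends
    in '\\' (the comment sits between a line and its continuation line),
    otherwise 'standalone'. next_line_no is the following physical line, or
    None at end of file; treating it as the affected line is an assumption.
    """
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not SUSPECT.match(line):
            continue
        prev_continues = idx > 0 and lines[idx - 1].endswith("\\")
        kind = "inside-continuation" if prev_continues else "standalone"
        next_no = idx + 2 if idx + 1 < len(lines) else None
        findings.append((idx + 1, kind, next_no))
    return findings


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, kind, next_no in find_suspect_comments(text):
        print(f"line {line_no}: {kind} comment ends in '\\'; check line {next_no}")
```
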