Re: [Snort-users] Network Variables

From: waldo kitty (wkitty42windstream.net)
Date: Thu May 02 2013 - 14:35:25 CDT


On 5/2/2013 15:24, Seth Dunn wrote:
> Yes, as James said, thanks for breaking it down. Very instructive.

you are welcome... sometimes we have to back up from the forest to see
everything clearly and then we can take small bites out of its arse as needed :P

> I have configured my bpf file as you suggested: not (net (10.10.0.0/24 or
> 10.30.0.0/24) and host 10.75.45.1 and port 80)
>
> Snort starts and is running, so I will watch it and see how things go.

good deal... and since you figured out the EoL problem was the culprit, i
suggest you place some comment lines explaining what that object mask does for
you just in case you have to add others and/or someone else needs to maintain
the setup ;)

> Since this is in a file, I don't have to do quotes there, only if I run it
> from the command line. The problem with the bpf file was what Shane suggested
> earlier, how the text editor was handling the end of line character. Snort,
> (I am guessing the bpf engine it uses) does not like the Windows style
> characters...it is only configured for *nix style editors. May be something
> they want to address in future releases....because it is an odd problem and
> one I didn't immediately think of (obviously)....especially since the
> snort.conf file is read fine.

as i wrote to you in private, good catch on that... now we can only hope that
the maintainers handle that problem so that it doesn't rear its head and bite
someone else :)

> Thanks again to all for the help and information on this....it has been very
> enlightening.

i'm glad it has helped and i hope that others gain some insight, too :)

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
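
Added example (not part of the original message and not Snort's own code): a small Python pre-flight check for the end-of-line problem discussed in this thread. It flags CRLF line endings in a BPF filter file and, going beyond the thread, also flags a UTF-8 byte order mark and non-ASCII bytes that an editor can introduce; the function names and the sample file contents are constructed for illustration.

```python
"""Pre-flight check for a BPF filter file before it is handed to Snort.

Usage: script.py [filter_file [cleaned_copy]]   (exit status 1 if anything is flagged)
"""
import sys

# Constructed sample: the filter from the thread as a Windows editor would save it.
SAMPLE = (b"not (net (10.10.0.0/24 or 10.30.0.0/24)\r\n"
          b" and host 10.75.45.1 and port 80)\r\n")

UTF8_BOM = b"\xef\xbb\xbf"


def find_problems(data: bytes) -> list[str]:
    """Return findings for bytes that an editor may have added to the file."""
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("UTF-8 byte order mark at start of file")
    body = data.removeprefix(UTF8_BOM)
    crlf = body.count(b"\r\n")
    lone_cr = body.count(b"\r") - crlf
    if crlf:
        problems.append(f"{crlf} CRLF (Windows) line ending(s)")
    if lone_cr:
        problems.append(f"{lone_cr} bare CR character(s)")
    for lineno, line in enumerate(body.split(b"\n"), start=1):
        if any(byte > 0x7F for byte in line):
            problems.append(f"non-ASCII byte on line {lineno} (smart quote or dash?)")
    return problems


def normalize(data: bytes) -> bytes:
    """Drop the BOM and convert CRLF / bare CR to LF; other bytes are left alone."""
    body = data.removeprefix(UTF8_BOM)
    return body.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    issues = find_problems(raw)
    for issue in issues:
        print("WARN:", issue)
    if len(sys.argv) > 2:  # optional second argument: where to write the cleaned copy
        with open(sys.argv[2], "wb") as out:
            out.write(normalize(raw))
    sys.exit(1 if issues else 0)
```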
