Snort Forums Archive

There is the magic word "any"... but is there "none" ?


Posted by awk on May 26, 2005 07:48:18

Hello,

Rules are using variables like SMTP_SERVERS ... but if we don't have any SMTP Server on the network, how can we specify "none" ?

var SMTP_SERVERS !any ?
var SMTP_SERVERS ![0.0.0.0/0] ?


Thanks for your help,
awk


Posted by chris on May 26, 2005 14:46:52

You shouldn't need to; just comment out the line that says SMTP servers and Snort will ignore it in the snort.conf file.

Posted by awk on May 27, 2005 01:51:09

Thanks for your answer.

But if SMTP_SERVERS is used in any of the rules in use, what happens?

It's just a "theoretical question". I don't think SMTP_SERVERS is used in my rules, but anything could happen in this crazy world (:

thanks,
awk

Posted by chris on May 27, 2005 02:20:20

Hi awk, by commenting out the line you are telling Snort that there are no SMTP servers on your network, but of course some of your machines may connect to other SMTP servers on the Internet, and so the rules will still be valid and are processed as expected.

Posted by awk on May 29, 2005 16:51:15

Hi Chris,

I don't think I really understand your words...

For me, when I do "var SMTP_SERVERS 1.2.3.4/32", I create/declare a variable. This variable is then used in rules files. So if a file uses a variable that is not declared (commented out), what does the rule do? Does Snort report an error? Does Snort skip the rule?

In C, when you do a printf("%s", var) and "var" is not declared, you get a nice error "undeclared variable 'var'". Am I wrong to think Snort rules are equal to a programming language?


Thanks,
awk


Posted by chris on June 02, 2005 17:29:50

Hi awk, of course you are correct in programming terms that you need to declare a variable, otherwise your code will crash/not work, but the part where you tell Snort that there are no SMTP servers on your network is just telling Snort not to check for SMTP servers on your network; it isn't the same as switching off the checking for SMTP rules within the rules engine.
If you wanted to switch off the checking of SMTP rules, you would comment out the 'include smtp.rules' line.
Does this make sense? It's a bit late for me at the moment ;-)
Chris.
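
An added example, not part of the original thread and not Snort's own code: a Python check for the situation awk asks about, listing every `$VARIABLE` that an active declaration or an included rule's header references but that no uncommented `var` line defines. The configuration and rules are constructed samples, the function names are hypothetical, and plain `include <file>` lines with `$NAME` references are assumed.

```python
import re

# Constructed sample input: SMTP_SERVERS is commented out in snort.conf,
# as suggested in the thread, while smtp.rules is still included.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
include smtp.rules
# include web.rules
"""
SAMPLE_RULES = {  # constructed rules, keyed by the name used on the include line
    "smtp.rules": 'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
                  '(msg:"constructed sample"; sid:1000001;)\n',
    "web.rules": 'alert tcp $EXTERNAL_NET any -> $WEB_FARM 80 '
                 '(msg:"constructed sample"; sid:1000002;)\n',
}

DECL = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.+)$")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")
REF = re.compile(r"\$(\w+)")


def active_lines(text):
    """Yield (line_no, line) for lines that are not blank or commented out."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield no, line


def undefined_variables(conf_text, rules_by_name):
    """Return sorted (file, line_no, variable) for references with no active declaration."""
    defined, refs, included = set(), [], []
    for no, line in active_lines(conf_text):
        decl, inc = DECL.match(line), INCLUDE.match(line)
        if decl:
            defined.add(decl.group(1))
            # A declaration's value may itself reference another variable.
            refs += [("snort.conf", no, v) for v in REF.findall(decl.group(2))]
        elif inc:
            included.append(inc.group(1))
    for name in included:
        for no, line in active_lines(rules_by_name.get(name, "")):
            header = line.split("(", 1)[0]  # options after "(" may contain "$"
            refs += [(name, no, v) for v in REF.findall(header)]
    # Declaration order is ignored: a name counts as defined if any active line declares it.
    return sorted(r for r in refs if r[2] not in defined)
```

Calling `undefined_variables(SAMPLE_CONF, SAMPLE_RULES)` on the constructed sample reports the `$SMTP_SERVERS` reference in `smtp.rules`; the list is empty once the `var` line is restored or the `include smtp.rules` line is commented out.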