Friday, January 13, 2012

PortVar Lookup failed on '$FILE_DATA_PORTS'

If you receive this error, it means that the FILE_DATA_PORTS variable has not been added to your snort.conf file.

We are increasingly using this variable across multiple rule categories to cover file-based attack vectors more thoroughly, and will continue to use it, so make sure you are using the snort.conf provided by the VRT here:
http://www.snort.org/vrt/snort-conf-configurations/

That snort.conf includes the FILE_DATA_PORTS variable:

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
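
A pre-flight check for this error, as an added example (not VRT or Snort project code): it lists every port variable that enabled rule headers, or other portvar definitions, reference but snort.conf never declares. The function names, sample rules and SIDs are constructed for illustration, and it assumes rule headers contain no spaces inside address or port lists.

```python
import re

# "portvar NAME VALUE" lines in snort.conf (commented-out lines do not match).
PORTVAR_DEF = re.compile(r"^[ \t]*portvar[ \t]+(\w+)[ \t]+(\S.*)$", re.M)
VAR_REF = re.compile(r"\$(\w+)")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}


def defined_portvars(conf_text):
    """Map each portvar name declared in snort.conf text to its value."""
    return dict(PORTVAR_DEF.findall(conf_text))


def referenced_portvars(rules_text):
    """Variables used in the port fields of enabled rule headers."""
    refs = set()
    for line in rules_text.splitlines():
        # Header: action proto src_ip src_port direction dst_ip dst_port
        header = line.split("(", 1)[0].split()
        if len(header) != 7 or header[0] not in ACTIONS:
            continue  # blank lines, comments, disabled rules
        for port_field in (header[3], header[6]):
            refs.update(VAR_REF.findall(port_field))
    return refs


def missing_portvars(conf_text, rules_text):
    """Port variables that rules (or other portvars) use but snort.conf lacks."""
    defined = defined_portvars(conf_text)
    needed = referenced_portvars(rules_text)
    for value in defined.values():  # e.g. FILE_DATA_PORTS depends on HTTP_PORTS
        needed.update(VAR_REF.findall(value))
    return sorted(needed - set(defined))


# Constructed sample input, not taken from any real rule set.
OLD_CONF = "portvar HTTP_PORTS [80,8080]\n"
NEW_CONF = OLD_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"
RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed"; sid:1000001;)
# alert tcp $EXTERNAL_NET $UNUSED_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed"; sid:1000003;)
"""

if __name__ == "__main__":
    print("old snort.conf is missing:", missing_portvars(OLD_CONF, RULES))
    print("new snort.conf is missing:", missing_portvars(NEW_CONF, RULES))
```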

4 comments:

  1. Ran into that one last week while building a new sensor.

  2. I got the same error as this page several days ago and could recover from it according to the instruction.

    1. Thanks a lot for the prompt disclosure of my comment yesterday.
      I'll compensate a little for the lack of my description.
      I could recover from the issue by adding the variable
      mentioned in this page to my snort.conf.

  3. This helped me, as well. Just as described.
