Friday, January 13, 2012

PortVar Lookup failed on '$FILE_DATA_PORTS'

If you receive this error, this basically means that you've not added the FILE_DATA_PORTS variable into your snort.conf file.

We are increasingly using this variable across multiple categories to be able to more thoroughly cover file based attack vectors, and will continue to use it, so make sure you are using the snort.conf provided by the VRT here:

Which includes the FILE_DATA_PORTS variable:

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]