Snort mailing list archives
Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF?
From: Phil Wood <cpw () lanl gov>
Date: Wed, 27 Jun 2001 08:53:12 -0600
On Wed, Jun 27, 2001 at 05:05:43PM +1000, Cameron Just wrote:
Yeah just tried it without quotes and again it's a little better.

Here is the current setup

var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

DNS_SERVERS 61.9.208.13 61.9.208.16 24.192.1.30

Will work better for the portscan preprocessor.

giving the following /var/log/messages/

Jun 27 17:03:30 phoenix snort: Initializing daemon mode
Jun 27 17:03:30 phoenix kernel: eth1: Setting promiscuous mode.
Jun 27 17:03:30 phoenix kernel: device eth1 entered promiscuous mode
Jun 27 17:03:31 phoenix snortd: snort startup succeeded
Jun 27 17:03:31 phoenix kernel: device eth1 left promiscuous mode

Then snort just dies

Still not sure of the problem??????

I have also changed
var HOME_NET 192.168.1.1/32
to be my IP given to me by my ISP

Still no luck

At 04:55 PM 27/06/01, you wrote:

None of my configs have quotes. I am using snort from CVS, so I am not sure what older versions need.

Have you tried it without quotes?

var HOME_NET 192.168.1.1/32

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Cameron Just [mailto:phoenix () veto cx]
Sent: Wednesday, June 27, 2001 2:46 AM
To: jlewis () jasonlewis net
Cc: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Hi,

This slightly fixed the problem but snort will still not start?

Here are my error messages

Jun 27 16:44:20 phoenix snort: Initializing daemon mode
Jun 27 16:44:20 phoenix kernel: eth1: Setting promiscuous mode.
Jun 27 16:44:20 phoenix kernel: device eth1 entered promiscuous mode
Jun 27 16:44:20 phoenix snort: ERROR /etc/snort/snort.conf (7) => Rule netmask (32") didn't x-late, WTF?
Jun 27 16:44:20 phoenix kernel: device eth1 left promiscuous mode
Jun 27 16:44:20 phoenix snortd: snort startup succeeded

Here are the first few lines of my snort.conf file

var HOME_NET "192.168.1.1/32"
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.1/32,61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

Am I right in assuming the HOME_NET variable is the IP of the machine with snort running? Because that is the IP address of the machine from inside the firewall.
I can't understand what is going wrong.

At 08:59 AM 27/06/01, you wrote:

Quotes....

var HOME_NET "192.168.1.1"/32

Change that to

var HOME_NET "192.168.1.1/32"

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Cameron Just
Sent: Tuesday, June 26, 2001 6:28 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Hi,

Anyone know how to fix this problem on a Redhat 6.2 Machine with the latest Snort installed.

Here is the /var/log/messages info

Jun 26 13:01:51 him snort: Initializing daemon mode
Jun 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
Jun 26 13:01:51 him kernel: device eth0 entered promiscuous mode
Jun 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr (!192.168.1.1) didn't x-late, WTF?
Jun 26 13:01:51 him kernel: device eth0 left promiscuous mode
Jun 26 13:01:51 him snort: snort startup succeeded.

This is the line it is dying on in my snort.conf

var HOME_NET "192.168.1.1"/32

I can't find anything in the FAQs and found this problem on the Mailing lists but there was never any answer......

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

****************************************************************
Cameron Just (C.Just () phoenixdigital com)
Phoenix Digital Development
****************************************************************

-- Phil Wood, cpw () lanl gov
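
An added example, not part of the thread and not Snort's own code: a pre-flight check for the address `var` lines discussed in the messages above, flagging quote characters and terms that are not a valid address or mask before the daemon is started. The names `ADDRESS_VARS`, `check_term` and `lint_conf` are assumptions made for illustration, and the sample configuration is constructed from lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the HOME_NET forms quoted in the thread plus the other two vars.
SAMPLE_CONF = """\
var HOME_NET "192.168.1.1"/32
var HOME_NET "192.168.1.1/32"
var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
"""

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(.*?)\s*$")
# Variables treated as address-valued; the names are the ones used in the thread.
ADDRESS_VARS = {"HOME_NET", "EXTERNAL_NET", "DNS_SERVERS"}


def check_term(term):
    """Return None when term is a usable address term, otherwise a reason."""
    bare = term.lstrip("!")          # a leading ! negates the term
    if bare == "any" or bare.startswith("$"):
        return None                  # keyword, or a reference to another var
    try:
        ipaddress.ip_network(bare, strict=False)
    except ValueError as exc:
        return f"{term}: {exc}"
    return None


def lint_conf(text, address_vars=ADDRESS_VARS):
    """Return (line_number, variable, problem) for each suspect var line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = VAR_LINE.match(line)
        if not match or match.group(1) not in address_vars:
            continue
        name, value = match.groups()
        if '"' in value or "'" in value:
            findings.append((lineno, name, "quote character in value"))
            continue
        # Accept the comma list and the space-separated form, both seen in the thread.
        for term in re.split(r"[,\s]+", value.strip("[] ")):
            reason = check_term(term)
            if reason:
                findings.append((lineno, name, reason))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in lint_conf(SAMPLE_CONF):
        print(f"line {lineno}: {name}: {problem}")
```
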
Current thread:
- Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 26)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 26)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? HABU Takuya (Jun 26)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- Message not available
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Martin Roesch (Jun 27)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Phil Wood (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 26)
- <Possible follow-ups>
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Johnson, David (Jun 27)