Snort mailing list archives
RE: RE: Problems with HOME_NET and EXTERNAL_NET var's
From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Sun, 31 Aug 2003 23:06:01 -0400
Post your snort command line used to start it, and your config file. We'll take a look.

- Gordon

"When I finally found a spam filter that worked, I no longer received ANY email."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lauts, Anthony
Sent: Sunday, August 31, 2003 10:24 PM
To: ''snort-users () lists sourceforge net' '
Subject: [Snort-users] RE: Problems with HOME_NET and EXTERNAL_NET var's

Thanks for the reply Gary. Yes, I am on an Extreme switch, but I have port mirroring set up. I have tested it with ethereal and am seeing packets that snort should be catching. It should still see packets that I am attacking that particular IP address with. That was also a typo in my message forgetting to put the $ when referencing !$HOME_NET. I did try that also.

I get the same error no matter what ruleset I attempt to run:

"ERROR: Undefined variable name: (/etc/snort/*****.rule:#): EXTERNAL_NET"

I have read pretty much every forum I could find, even bought the book from Syngress and read it cover to cover. Wondering if this isn't more of a Linux environment issue instead of a SNORT configuration problem. Any other ideas? I am sure it is something that I am just overlooking (my brain is fried from running around fixing Windows machines from the Welchia worm all week!)

Thanks,
Tony

-----------------------------------------

Are you on a switch, by any chance? Your current settings should work, but if you are on a switch, you'll only see traffic for that machine and broadcasts. Just comment out the X11 rule to see if you can get snort running.

Also, referencing other variables needs the "$", as in:

var EXTERNAL_NET !$HOME_NET

- Gordon

"When I finally found a spam filter that worked, I no longer received ANY email."
-----Original Message-----
From: Lauts, Anthony
To: 'snort-users () lists sourceforge net'
Sent: 8/31/2003 12:18 PM
Subject: Problems with HOME_NET and EXTERNAL_NET var's

I have set up and installed Snort and Acid on a RH9 box with a single NIC using Patrick Harper's online Snort Installation Manual (Thanks Patrick). It looks like I have one last problem to overcome. Everything loads fine, but I am not logging anything. I have traced this down to my snort.conf file and the EXTERNAL_NET and HOME_NET variables. I have tried every iteration of these (i.e., using $eth0_ADDRESS, 10.2.85.0/24, any) and still receive the following error when trying any of the supplied rulesets:

_______________________start of snip_________________________________
# /usr/local/bin/snort -i eth0 -n 1 -c /etc/snort/x11.rules
Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/x11.rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Undefined variable name: (/etc/snort/x11.rules:8): EXTERNAL_NET
Fatal Error, Quitting..
_______________________end of snip_________________________________

My NET variables are currently defined as follows:

var HOME_NET 10.2.85.0/24
var EXTERNAL_NET any

I have even tried saying "!HOME_NET" for the EXTERNAL_NET var. I also have to manually type in "ifconfig eth0 promisc" to get eth0 to enter promiscuous mode after a restart of the box. If anyone has any experience with this, it would be greatly appreciated.

Tony Lauts

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
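
The posted output shows /etc/snort/x11.rules as the file passed to -c, and the error points into that same file. As an added example (not part of the original thread and not Snort's own parser), the check below reads a config top to bottom, follows `include` lines, and reports each variable used before a `var` line defines it. The file contents, `FILES` and `undefined_vars` are constructed for illustration.

```python
import re

# Constructed sample files (not the poster's real configuration), keyed by path.
FILES = {
    "/etc/snort/snort.conf": (
        "# constructed config\n"
        "var HOME_NET 10.2.85.0/24\n"
        "var EXTERNAL_NET !$HOME_NET\n"
        "include /etc/snort/x11.rules\n"
    ),
    "/etc/snort/x11.rules": (
        "# constructed rule, not from the Snort distribution\n"
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 '
        '(msg:"X11 example"; sid:1000001;)\n'
    ),
}

# Matches $NAME and $(NAME); the $(NAME:-default) forms are not handled here.
VAR_REF = re.compile(r"\$\(?(\w+)")


def undefined_vars(path, files, defined=None):
    """Walk `path` top to bottom as the file given to -c and return
    (file, line_no, name) for each variable used before a `var` defines it."""
    defined = set() if defined is None else defined
    problems = []
    for line_no, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 2)
        if words[0] == "include" and len(words) > 1:
            # Included files share the variables defined so far.
            problems += undefined_vars(words[1], files, defined)
            continue
        if words[0] == "var" and len(words) == 3:
            text, new_name = words[2], words[1]
        else:
            # Rule line: only the header (before the option list) holds variables.
            text, new_name = re.split(r"(?<!\$)\(", line, maxsplit=1)[0], None
        for name in VAR_REF.findall(text):
            if name not in defined:
                problems.append((path, line_no, name))
        if new_name:
            defined.add(new_name)
    return problems


if __name__ == "__main__":
    for start in ("/etc/snort/x11.rules", "/etc/snort/snort.conf"):
        print(start, "->", undefined_vars(start, FILES) or "all variables defined")
```

Started from the rules file alone, both variables are reported as undefined; started from the constructed snort.conf, which defines them before the `include`, nothing is reported.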
Current thread:
- Problems with HOME_NET and EXTERNAL_NET var's Lauts, Anthony (Aug 31)
- RE: Problems with HOME_NET and EXTERNAL_NET var's Gordon Cunningham (Aug 31)
- Re: Problems with HOME_NET and EXTERNAL_NET var's Jochen Erwied (Sep 02)
- <Possible follow-ups>
- RE: Problems with HOME_NET and EXTERNAL_NET var's Lauts, Anthony (Aug 31)
- RE: RE: Problems with HOME_NET and EXTERNAL_NET var's Gordon Cunningham (Sep 01)