Re: HOME_NET var on snort.conf

[neil <neil () bellsimons com>]

The variable does not exist within the file, your asking it to do
something it doesn't know how to do.

Your going to have to do some hacking to get the snort.conf to parse the
ip address for you.

Maybe this will help you a little:

#!/usr/bin/perl
#Roxcor Tech / www.pheusion.com / IPparse.pl

$interface="eth0";
# path to ifconfig

$ifconfig="/sbin/ifconfig";

@lines=qx|$ifconfig $interface| or die("Can't get info from ifconfig:
".$!);

        foreach(@lines){
        if(/inet addr:([\d.]+)/){
                print "$1\n";
        }
}
 

On Sun, 2004-03-21 at 21:00, pfeito wrote:
> Hi!
>
>  In snort.conf, I have HOME_NET var set like this:
>
> var HOME_NET $eth1_ADDRESS
>
> I start snort, but it does not start. In /var/log/messages I get the
> following information:
>
> Mar 22 01:44:01 snortbox snort: FATAL ERROR: Undefined variable name:
> (/etc/snort/snort.conf:46): eth1_ADDRESS
> Mar 22 01:44:01 snortbox kernel: device eth1 left promiscuous mode
>
> I have to set the IP address of the box manually, but this IP address is
> assigned by my ISP, so it would be much better if "var HOME_NET
> $eth1_ADDRESS" method worked! 
>
> An excerpt from my snort.conf:
>
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> # var HOME_NET 10.1.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you
> run
> # snort at.  Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
> # var HOME_NET any
>
> #var HOME_NET $eth1_ADDRESS <----ERROR
> var HOME_NET YYY.YYY.YYY.YYY/32 #obscured my current IP address
>
> Im running snort 2.1.1 on Fedora Core 1.
> What could be wrong? Any ideas ?
>
>
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users