Snort mailing list archives

Re: Errors starting Snort...


From: Lorenzo Rossi <condor_rl () libero it>
Date: Tue, 2 Nov 2004 10:32:56 +0100


James,

Sorry I forgot the config file :)
But the good news is I have found the errors, and I corrected them:

Exactly at line 357, I modified it as you can see below:

DEBIAN ORIGINAL:

preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker
30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows
65535 server-learning-time 14400 server-scanner-limit 4
scanner-sliding-window 20 scanner-sliding-scale-factor 0.50
scanner-fixed-threshold 15 scanner-sliding-threshold 40
scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
$HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg
tcp-penalties on

MODIFIED BY ME:

preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker
30000 server-watchnet [192.168.1.0/24] server-ignore-limit 200
server-rows 65535 server-learning-time 14400 server-scanner-limit 4
scanner-sliding-window 20 scanner-sliding-scale-factor 0.50
scanner-fixed-threshold 15 scanner-sliding-threshold 40
scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
[10.0.0.0/30] dst-ignore-net [10.0.0.0/30] alert-mode once output-mode
msg tcp-penalties on


Could someone explain to me the meaning of "src-ignore-net" and
"dst-ignore-net" parameters....?

Then another problem was present in the snort.ethX.conf 

DEBIAN ORIGINAL:
ME_NET server-ignore-limit 200

MODIFIED BY ME:

# ME_NET server-ignore-limit 200

Honestly I do not understand the meaning of "ME_NET", probably it should be
"$HOME_NET"

Now it seems to me that snort is working....

Lorenzo

* James Riden <j.riden () massey ac nz> [021104, 08:49]:
Lorenzo Rossi <condor_rl () libero it> writes:

Nov  1 17:04:10 europa snort: /etc/snort/snort.eth0.conf(357) Unable to
create an IPSet from [any]

Could we see that section of the config file please?

I seem to remember that Debian asks which range of IP addresses to
listen on - do you remember what you replied? 

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
LinuxUser: 71680        OpenPGP-> KeyID: 0x25B9E15E
===================================================
Fingerprint:
BF76 8EC9 A14D 2CD4 195F  9E7D 6834 A8AE 25B9 E15E
---------------------------------------------------
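
A small lint for the two faults described in this message, as an added example that is not part of the original post or of Debian's or Snort's tooling: it flags flow-portscan network options whose argument resolves to `any` (the "Unable to create an IPSet from [any]" case) and lines that begin with a stray fragment such as `ME_NET`. It assumes `HOME_NET` was set to `any`, consistent with the logged error; the function names and sample configs are constructed for illustration.

```python
# Added example, not Debian's or Snort's code. Sample configs are constructed.
# Assumption: only the three options edited in the message are IPSet-valued.
IPSET_OPTS = {"server-watchnet", "src-ignore-net", "dst-ignore-net"}
# First words a snort.conf line may legitimately start with (subset).
KNOWN_FIRST = {"var", "preprocessor", "output", "include", "config", "alert", "log", "pass"}

def logical_lines(text):
    """Yield (first_line_no, text), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def lint(text):
    """Return [(line_no, kind, detail)] for the two faults seen in the thread."""
    variables, findings = {}, []
    for no, line in logical_lines(text):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "var" and len(words) >= 3:
            variables[words[1]] = words[2]          # e.g. HOME_NET -> any
        elif words[0] not in KNOWN_FIRST:
            findings.append((no, "orphan-fragment", words[0]))
        elif words[:2] == ["preprocessor", "flow-portscan:"]:
            for opt, arg in zip(words, words[1:]):
                if opt in IPSET_OPTS:
                    # Expand $VAR; an undefined variable expands to "".
                    value = variables.get(arg[1:], "") if arg.startswith("$") else arg
                    if value.strip("[]") in ("any", ""):
                        findings.append((no, "ipset-needs-cidr", f"{opt} {arg}"))
    return findings

BROKEN = r"""var HOME_NET any
preprocessor flow-portscan: server-watchnet $HOME_NET \
    server-ignore-limit 200 src-ignore-net $HOME_NET \
    dst-ignore-net [10.0.0.0/30] alert-mode once
ME_NET server-ignore-limit 200"""
FIXED = r"""var HOME_NET any
preprocessor flow-portscan: server-watchnet [192.168.1.0/24] \
    server-ignore-limit 200 src-ignore-net [10.0.0.0/30] \
    dst-ignore-net [10.0.0.0/30] alert-mode once
# ME_NET server-ignore-limit 200"""
```

`lint(BROKEN)` reports both `$HOME_NET` uses on the flow-portscan line and the stray `ME_NET` line; `lint(FIXED)`, which mirrors the edits made in the message, reports nothing.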

