Snort mailing list archives

Problems with multipleconfigs.


From: carlopmart <carlopmart () gmail com>
Date: Thu, 10 Mar 2011 22:08:14 +0100

Hi all.

  I am trying to set up a snort instance to sniff traffic on two 
different subnets. To do this, I am trying to use the multipleconfigs 
feature. But it doesn't work...

  My host is a RHEL5.6 i386 with snort 2.9.0.4 (using rpms from Vincent).

  My multipleconfigs variables on snort.conf are:

config binding: /data/config/etc/snort-prod/prod_ids.conf net 172.25.50.0/27
config binding: /data/config/etc/snort-mgmt/mgmt_ids.conf net 172.17.47.16/28

  On mgmt_ids.conf and prod_ids.conf I have defined all ipvar, var, and 
portvars.

  When I try to start snort, the first error appears:

FATAL ERROR: /data/config/etc/snort-common/snort.conf(207) Undefined variable name: RULE_PATH

  After putting this variable in snort.conf, I test another time and get 
another error:

FATAL ERROR: /data/config/etc/snort-common/snort.conf(72) Undefined variable name: COMMON_CONF_PATH

  Putting this var in snort.conf, I try another time and:

FATAL ERROR: /data/config/etc/snort-common/snort.conf(43) Undefined variable name: LIB_PATH.

  Putting this var in snort.conf, I try another time and:

FATAL ERROR: /data/config/etc/snort-common/rules/all.rules(2) Undefined variable in the string: $EXTERNAL_NET

  ... Do I need to put all var on the general snort.conf file?? Or what 
am I doing wrong??

  On my prod_ids.conf:

ipvar HOME_NET 172.25.50.0/27
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS 172.25.50.10
ipvar SMTP_SERVERS 172.25.50.22
ipvar HTTP_SERVERS 172.25.50.20
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
portvar HTTP_PORTS [80,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8243,8280,8888,9090,9091,9443,9999,11371]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar SSH_PORTS 22
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var LIB_PATH /usr/lib
var CONF_PATH /data/config/etc/snort-prod
var COMMON_CONF_PATH /data/config/etc/snort-common
var RULE_PATH $COMMON_CONF_PATH/rules
var SO_RULE_PATH $COMMON_CONF_PATH/so_rules
var PREPROC_RULE_PATH $COMMON_CONF_PATH/preproc_rules
output unified2: filename prod_snort.log, limit 128

  .. and mgmt_ids.conf is practically the same, but changing IPs, etc ...

Many thanks.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
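
An added example, not part of the original post and not Snort's own code: a preflight check that lists in one pass every variable a configuration file (and the files it includes) references without defining, where Snort stops at the first one. It assumes each configuration must define the variables it uses itself, handles only `$NAME` and `$(NAME)` references, and runs on constructed sample files held in a dict.

```python
import re

DEF = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(.+)$")
REF = re.compile(r"\$(?:\((\w+)\)|(\w+))")
INC = re.compile(r"^include\s+(\S+)$")

def undefined_vars(files, start):
    """Return [(file, line_no, name)] for every $NAME that `start`, or a file it
    includes, uses before a var/ipvar/portvar line in that chain defines it."""
    defined, missing = {}, []
    def expand(text, where):
        def sub(m):
            name = m.group(1) or m.group(2)
            if name not in defined:
                missing.append((*where, name))   # record it, keep scanning
                return m.group(0)
            return defined[name]
        return REF.sub(sub, text)

    def walk(path):
        for no, raw in enumerate(files[path].splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
            d = DEF.match(line)
            if d:
                defined[d.group(1)] = expand(d.group(2), (path, no))
                continue
            inc = INC.match(expand(line, (path, no)))
            if inc and inc.group(1) in files:    # follow includes we can resolve
                walk(inc.group(1))

    walk(start)
    return missing

# Constructed sample files (hypothetical paths), not the poster's real configuration.
SAMPLE = {
    "snort.conf": "\n".join([
        "dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor/",
        "include $COMMON_CONF_PATH/classification.config",
        "config binding: prod_ids.conf net 172.25.50.0/27",
        "var RULE_PATH rules",
        "include $RULE_PATH/all.rules",
    ]),
    "rules/all.rules": "# constructed rule\n"
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh"; sid:1000001;)',
    "prod_ids.conf": "ipvar HOME_NET 172.25.50.0/27\nipvar EXTERNAL_NET !$HOME_NET\nvar LIB_PATH /usr/lib",
}

if __name__ == "__main__":
    for path, no, name in undefined_vars(SAMPLE, "snort.conf"):
        print(f"{path}({no}) undefined variable: {name}")
```

The `config binding:` line is deliberately not followed as an include, so definitions in the bound file do not count toward the base file.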
