Re: Problems with multipleconfigs.

[carlopmart <carlopmart () gmail com>]

On 03/10/2011 10:08 PM, carlopmart wrote:
> Hi all.
>
> I am trying to setup a snort instance to sniff traffic on two different
> subnets. To do this, I am trying to use multipleconfigs feature. But it
> doesn't works...
>
> My host is a RHEL5.6 i386 with snort 2.9.0.4 (using rpms from Vincent).
>
> My multipleconfigs variables on snort.conf are:
>
> config binding: /data/config/etc/snort-prod/prod_ids.conf net
> 172.25.50.0/27
> config binding: /data/config/etc/snort-mgmt/mgmt_ids.conf net
> 172.17.47.16/28
>
> On mgmt_ids.conf and prod_ids.conf I have defined all ipvar, var, and
> portvars.
>
> When I try to start snort, first error appears:
>
> FATAL ERROR: /data/config/etc/snort-common/snort.conf(207) Undefined
> variable name: RULE_PATH
>
> After put this variable on snort.conf, I test another time and another
> error:
>
> FATAL ERROR: /data/config/etc/snort-common/snort.conf(72) Undefined
> variable name: COMMON_CONF_PATH
>
> Putting this var on snort.conf, I try another time and:
>
> FATAL ERROR: /data/config/etc/snort-common/snort.conf(43) Undefined
> variable name: LIB_PATH.
>
> Putting this var on snort.conf, I try another time and:
>
> FATAL ERROR: /data/config/etc/snort-common/rules/all.rules(2) Undefined
> variable in the string: $EXTERNAL_NET
>
> ... Do I need to put all var on the general snort.conf file?? Or what am
> I doing wrong??
>
> On my prod_ids.conf:
>
> ipvar HOME_NET 172.25.50.0/27
> ipvar EXTERNAL_NET !$HOME_NET
> ipvar DNS_SERVERS 172.25.50.10
> ipvar SMTP_SERVERS 172.25.50.22
> ipvar HTTP_SERVERS 172.25.50.20
> ipvar SQL_SERVERS $HOME_NET
> ipvar TELNET_SERVERS $HOME_NET
> ipvar SSH_SERVERS $HOME_NET
> portvar HTTP_PORTS
> [80,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8243,8280,8888,9090,9091,9443,9999,11371]
>
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1024:
> portvar SSH_PORTS 22
> ipvar AIM_SERVERS
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
>
> ]
>
> var LIB_PATH /usr/lib
> var CONF_PATH /data/config/etc/snort-prod
> var COMMON_CONF_PATH /data/config/etc/snort-common
> var RULE_PATH $COMMON_CONF_PATH/rules
> var SO_RULE_PATH $COMMON_CONF_PATH/so_rules
> var PREPROC_RULE_PATH $COMMON_CONF_PATH/preproc_rules
> output unified2: filename prod_snort.log, limit 128
>
> .. and mgmt_ids.conf is practically the same, but changing IPs, etc ...
>
> Many thanks.

OOps sorry. I have found the problem with RULE_PATH. All rules needs to 
be defined on prod_ids.conf and mgmt_ids.conf ...

But another problem appears:

FATAL ERROR: /data/config/etc/snort-common/rules/all.rules(50) Please 
enable the HTTP Inspect preprocessor before using the http content modifiers

Do I need to define all preprocessors under secondary configuration 
files: prod_ids.conf and mgmt_ids.conf??


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users