Snort mailing list archives

Re: Failed to parse the IP address: $HOME_NET


From: "Craft, Robert" <Robert.Craft () atlanticare org>
Date: Thu, 16 Aug 2012 18:35:59 +0000

Here's the entry from my snort.conf:

# Setup the network addresses you are protecting
ipvar HOME_NET [172.30.0.0/16,172.26.0.0/16,192.168.0.0/16]

And it looks like you have a 0 (zero) in the "ipvar H0ME_NET", but that may be just in your message.

I lost count of how many times I've had to redo the .conf files before things were running the way I wanted them to.

-----Original Message-----
From: Chiesa Stefano [mailto:Stefano.Chiesa () wki it] 
Sent: Thursday, August 16, 2012 11:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Failed to parse the IP address: $HOME_NET

Hello all.
I'm a newbie in Linux system management and this is the first time I have installed snort (barnyard2, snorby), and I need some help.
Everything is working quite fine at the moment, but I want to go ahead and I'm facing a problem.


These are the details:

CentOS release 6.3 (Final)
Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

[root@s-dr-snort ~]# /usr/sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Rules updated every night via Pulledpork.
As a result I have a single rules file snort.rules.
I inserted the include statement in the snort.conf file:

include $RULE_PATH/snort.rules

and disabled all other include lines.

This is the error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is deprecated; use detection_filter instead.

ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
!$HOME_NET.
Fatal Error, Quitting..
+++++++++++++++++++++++++++++++++++++++++++++++++++

I understood I have to configure the HOME_NET variable (I have almost all the variables at the "any" value).
But, and this is the main problem, no matter what I write to configure the variable I always get an error.

ipvar H0ME_NET 212.239.x.x/25           w/o brackets
ipvar H0ME_NET [212.239.x.x/25] w/ brackets
ipvar H0ME_NET [172.16.40.111] w/ single internal address

using 'ipvar' or simply 'var' I get these errors:

[root@s-dr-snort ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /home/snort/log/eth0 
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
$HOME_NET.
Fatal Error, Quitting..

(the line #55 is the first one that tries to use the variable: ipvar DNS_SERVERS $HOME_NET)

I read a number of posts everywhere but I didn't find a solution.
Can someone help me?

Thanks in advance.

Stefano.


----------------------------------------
Stefano Chiesa
Wolters Kluwer Italia
Strada 1, Palazzo F6
20090 Milanofiori Assago (Mi) - Italia
Phone +39 0282476279 (20279 Voip)
Fax +39 0282476815
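
The check suggested in the reply at the top of this message (a variable defined under a look-alike name such as H0ME_NET while other lines use $HOME_NET) can be automated before running snort -T. The Python below is an added example, not part of the original thread or of Snort itself; the function name check_variables and the sample configuration are constructed for illustration, and it only understands var/ipvar/portvar definitions and $NAME references.

```python
import difflib
import re

# Lines that define a variable in a Snort 2.x snort.conf.
DEFINE = re.compile(r"^\s*(?:ipvar|portvar|var)\s+(\S+)\s+(.*)$")
# Matches $NAME and $(NAME...) references.
REFERENCE = re.compile(r"\$\(?([A-Za-z0-9_]+)")

# Constructed sample: the definition uses a zero, the reference uses the letter O.
SAMPLE = """\
var RULE_PATH ../rules
ipvar H0ME_NET [172.16.40.111]
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
include $RULE_PATH/snort.rules
"""


def check_variables(conf_text):
    """Return (line_no, name, closest_defined_name_or_None) for every
    $NAME that is referenced before any line has defined it."""
    defined = []
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments
        match = DEFINE.match(line)
        # On a definition line only the value part can contain references.
        value = match.group(2) if match else line
        for name in REFERENCE.findall(value):
            if name not in defined:
                # Look for a defined name that differs by a character or two.
                close = difflib.get_close_matches(name, defined, n=1, cutoff=0.8)
                findings.append((line_no, name, close[0] if close else None))
        if match:
            defined.append(match.group(1))
    return findings


if __name__ == "__main__":
    for line_no, name, hint in check_variables(SAMPLE):
        suffix = f" (did you mean the defined name {hint}?)" if hint else ""
        print(f"line {line_no}: ${name} is used but never defined{suffix}")
```
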


 
