Snort mailing list archives
Re: Snort Rule generating snort.u2 zero (the use of variables indeed)
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 5 Jun 2015 16:16:41 +0000
How are you getting traffic into snort? Span or inline?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Marcio Guerreiro [mailto:marcio.guerreiro () hotmail co uk]
Sent: Friday, June 05, 2015 11:10 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Rule generating snort.u2 zero (the use of variables indeed)

Hi all,

I am having a few problems; I hope you guys can give some help.

My local network is 192.168.1.0/255.255.255.0
My SNORT is 192.168.1.77
My other computer is 192.168.1.91 (the one I want to verify the traffic)

I have configured my SNORT exactly as explained here (Snort 2.9.7.x on Ubuntu 12 and 14 - January 14, 2015):
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/065/original/Snort_2.9.7.x_on_Ubuntu_12_and_14.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1433449928&Signature=F6qYm%2FKUxzC7mHTkak%2BR5knCR%2Bw%3D

I inserted this rule:

alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP test"; sid:10000001; rev:001;)

which generates alerts normally. I can also see them on the BASE web interface. All snort.u2 files are created normally.

However, when I try to insert (in local.rules) the rule

alert tcp 192.168.1.91/32 any -> ![192.168.1.0/24] 80 (msg:"TCP attempt"; sid:10000002; rev:002;)

it starts to generate blank snort.u2 files. My intention is to log/alert all http access from that computer (192.168.1.91) except to my internal network.

[inline image: image001.png]

The same problem happens if I try to use the variables $HOME_NET or EXTERNAL_NET in my local.rules. To try to solve the problem related to the variables I found this article http://ubuntuforums.org/showthread.php?t=2090342 explaining:

"In your snort.conf file in the section toward the top where you define network variables (HOME_NET, etc.) does it say "ipvar" or "var"? If you are using IPv4 and not IPv6 you'll need to make sure it says "var" because otherwise it won't get parsed right"

however it did not work. I changed from

[inline image: image002.png]

to

[inline image: image003.png]

Can someone help me? I am really stuck here!!!

Thank you in advance
Marcio Guerreiro
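An added example, not from the thread and not Snort's own parser: a small Python evaluator for Snort rule headers (any, CIDR, "!" negation, bracketed lists and $VAR substitution) run over constructed flows, so the two rules from the post and a $HOME_NET/$EXTERNAL_NET variant can be checked for which traffic they select. The variable table and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed variable table standing in for the snort.conf "ipvar"/"var"
# lines discussed in the thread (assumption: HOME_NET is the poster's LAN).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# The two rules from the post plus a variable-based variant of the second.
ICMP_RULE = 'alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP test"; sid:10000001; rev:001;)'
TCP_RULE = 'alert tcp 192.168.1.91/32 any -> ![192.168.1.0/24] 80 (msg:"TCP attempt"; sid:10000002; rev:002;)'
VAR_RULE = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP leaving HOME_NET"; sid:10000003; rev:1;)'

HEADER = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)")

def expand(spec):
    """Substitute $VAR references from the constructed table until none remain."""
    while "$" in spec:
        spec = re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], spec)
    return spec

def ip_matches(spec, ip):
    """Evaluate an address spec: any, CIDR, leading '!' negation, [a,b] lists."""
    spec = expand(spec).strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(p, ip) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Evaluate a port spec: any, single port, lo:hi range, leading '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the rule header would select this flow (rule options are ignored)."""
    m = HEADER.match(rule)
    if m is None:
        raise ValueError("unparsable rule header: " + rule)
    return (m["proto"] == proto
            and ip_matches(m["src"], src) and port_matches(m["sport"], sport)
            and ip_matches(m["dst"], dst) and port_matches(m["dport"], dport))
```

This only evaluates the header, so it says nothing about why the unified2 files come out empty; that depends on whether the sensor sees the traffic at all, which is the question raised in the reply.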
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort Rule generating snort.u2 zero (the use of variables indeed) Marcio Guerreiro (Jun 05)
- Re: Snort Rule generating snort.u2 zero (the use of variables indeed) Al Lewis (allewi) (Jun 05)