Snort mailing list archives
Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 27 Jun 2001 09:06:04 -0400
Don't start it in daemon mode until you can run it in non-daemon mode first. Then you'll see any other error messages Snort may be firing off that don't get sent to syslog. Try that and let us know if it's giving you any error messages at the command line. BTW, what command line switches are you using?

-Marty

Cameron Just wrote:

Yeah just tried it without quotes and again it's a little better.

Here is the current setup

var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

giving the following /var/log/messages/

Jun 27 17:03:30 phoenix snort: Initializing daemon mode
Jun 27 17:03:30 phoenix kernel: eth1: Setting promiscuous mode.
Jun 27 17:03:30 phoenix kernel: device eth1 entered promiscuous mode
Jun 27 17:03:31 phoenix snortd: snort startup succeeded
Jun 27 17:03:31 phoenix kernel: device eth1 left promiscuous mode

Then snort just dies

Still not sure of the problem??????

I have also changed var HOME_NET 192.168.1.1/32 to be my IP given to me by my ISP

Still no luck

At 04:55 PM 27/06/01, you wrote:

None of my configs have quotes. I am using snort from CVS, so I am not sure what older versions need. Have you tried it without quotes?

var HOME_NET 192.168.1.1/32

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Cameron Just [mailto:phoenix () veto cx]
Sent: Wednesday, June 27, 2001 2:46 AM
To: jlewis () jasonlewis net
Cc: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Hi,

This slightly fixed the problem but snort will still not start?

Here are my error messages

Jun 27 16:44:20 phoenix snort: Initializing daemon mode
Jun 27 16:44:20 phoenix kernel: eth1: Setting promiscuous mode.
Jun 27 16:44:20 phoenix kernel: device eth1 entered promiscuous mode
Jun 27 16:44:20 phoenix snort: ERROR /etc/snort/snort.conf (7) => Rule netmask (32") didn't x-late, WTF?
Jun 27 16:44:20 phoenix kernel: device eth1 left promiscuous mode
Jun 27 16:44:20 phoenix snortd: snort startup succeeded

Here are the first few lines of my snort.conf file

var HOME_NET "192.168.1.1/32"
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.1/32,61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

Am I right in assuming the HOME_NET variable is the IP of the machine with snort running? Because that is the IP address of the machine from inside the firewall.

I can't understand what is going wrong.

At 08:59 AM 27/06/01, you wrote:

Quotes....

var HOME_NET "192.168.1.1"/32

Change that to

var HOME_NET "192.168.1.1/32"

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Cameron Just
Sent: Tuesday, June 26, 2001 6:28 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Hi,

Anyone know how to fix this problem on a Redhat 6.2 Machine with the latest Snort installed.

Here is the /var/log/messages info

Jun 26 13:01:51 him snort: Initializing daemon mode
Jun 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
Jun 26 13:01:51 him kernel: device eth0 entered promiscuous mode
Jun 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr (!192.168.1.1) didn't x-late, WTF?
Jun 26 13:01:51 him kernel: device eth0 left promiscuous mode
Jun 26 13:01:51 him snort: snort startup succeeded.

This is the line it is dying on in my snort.conf

var HOME_NET "192.168.1.1"/32

I can't find anything in the FAQs and found this problem on the Mailing lists but there was never any answer......
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

****************************************************************
Cameron Just (C.Just () phoenixdigital com)
Phoenix Digital Development
****************************************************************
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
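
An added example, not part of the thread and not Snort's own parser: a pre-flight check for the address variables in a snort.conf that flags the quoted forms behind the two "didn't x-late" errors quoted above before the daemon is started. It assumes address variables are the ones named *_NET or *_SERVERS (the naming used in the configs above); lint_vars and check_address are hypothetical names, and the sample config is constructed from the lines in the thread.

```python
import ipaddress
import re

# Assumption: address variables are the ones named *_NET or *_SERVERS.
VAR_LINE = re.compile(r"^\s*var\s+(\w+(?:_NET|_SERVERS))\s+(.+?)\s*$")

# Constructed sample: the first lines of the config quoted in the thread.
SAMPLE = '''var HOME_NET "192.168.1.1"/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
'''

def check_address(token):
    """Return a problem string for one address token, or None if it is fine."""
    if '"' in token or "'" in token:
        return f"quote character in {token!r}: write the address unquoted"
    body = token.lstrip("!")               # a leading ! negates the address
    if body == "any" or body.startswith("$"):
        return None                        # keyword, or a reference to another var
    try:
        ipaddress.ip_network(body, strict=False)
    except ValueError as exc:
        return f"{token!r} is not an address or CIDR block ({exc})"
    return None

def lint_vars(conf_text):
    """Check each address variable; return (line_number, name, problem) tuples."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = VAR_LINE.match(line.split("#", 1)[0])   # ignore comments
        if not match:
            continue
        name, value = match.groups()
        if value.startswith("[") and value.endswith("]"):
            tokens = [t.strip() for t in value[1:-1].split(",")]
        else:
            tokens = [value]
        for token in tokens:
            problem = check_address(token)
            if problem:
                findings.append((lineno, name, problem))
    return findings

if __name__ == "__main__":
    for lineno, name, problem in lint_vars(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```
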
Current thread:
- Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 26)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 26)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? HABU Takuya (Jun 26)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- Message not available
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Cameron Just (Jun 27)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Martin Roesch (Jun 27)
- Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Phil Wood (Jun 27)
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Jason Lewis (Jun 26)
- <Possible follow-ups>
- RE: Rule IP addr (!192.168.1.1) didn't x-late, WTF? Johnson, David (Jun 27)