Re: Rule IP addr (!192.168.1.1) didn't x-late, WTF?

[Martin Roesch <roesch () sourcefire com>]

Don't start it in daemon mode until you can run it in non-daemon mode
first.  Then you'll see any other error messages Snort may be firing off
that don't get sent to syslog.  Try that and let us know if it's giving
you any error messages at the command line.  BTW, what command line
switches are you using?

    -Marty

Cameron Just wrote:
> Yeah just tried it without quotes and again it's a little better.
> Here is the current setup
>
> var HOME_NET 192.168.1.1/32
> var EXTERNAL_NET any
> var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
>
> giving the following /var/log/messages/
>
> Jun 27 17:03:30 phoenix snort: Initializing daemon mode
> Jun 27 17:03:30 phoenix kernel: eth1: Setting promiscuous mode.
> Jun 27 17:03:30 phoenix kernel: device eth1 entered promiscuous mode
> Jun 27 17:03:31 phoenix snortd: snort startup succeeded
> Jun 27 17:03:31 phoenix kernel: device eth1 left promiscuous mode
>
> Then snort just dies
>
> Still not sure of the problem??????
> I have also changed
> var HOME_NET 192.168.1.1/32
> to be my IP given to me by my ISP
> Still no luck
>
> At 04:55 PM 27/06/01, you wrote:
> > None of my configs have quotes.  I am using snort from CVS, so I am not sure
> > what older versions need.
> >
> > Have you tried it without quotes?
> >
> > var HOME_NET 192.168.1.1/32
> >
> > Jason Lewis
> > http://www.packetnexus.com
> > It's not secure "Because they told me it was secure".
> > The people at the other end of the link know less
> > about security than you do. And that's scary.
> >
> >
> >
> > -----Original Message-----
> > From: Cameron Just [mailto:phoenix () veto cx]
> > Sent: Wednesday, June 27, 2001 2:46 AM
> > To: jlewis () jasonlewis net
> > Cc: Snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late,
> > WTF?
> >
> >
> > Hi,
> >
> > This slightly fixed the problem but snort will still not start?
> > here is my error messages
> >
> > Jun 27 16:44:20 phoenix snort: Initializing daemon mode
> > Jun 27 16:44:20 phoenix kernel: eth1: Setting promiscuous mode.
> > Jun 27 16:44:20 phoenix kernel: device eth1 entered promiscuous mode
> > Jun 27 16:44:20 phoenix snort: ERROR /etc/snort/snort.conf (7) => Rule
> > netmask (32") didn't x-late, WTF?
> > Jun 27 16:44:20 phoenix kernel: device eth1 left promiscuous mode
> > Jun 27 16:44:20 phoenix snortd: snort startup succeeded
> >
> > Here are the first few lines of my snort.conf file
> >
> > var HOME_NET "192.168.1.1/32"
> > var EXTERNAL_NET any
> > var DNS_SERVERS
> > [192.168.1.1/32,61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
> >
> > Am I right in assuming the HOME_NET variable is the IP of the machine with
> > snort running?
> > Becuase That is the IP address of the machine from inside the firewall.
> > I can't understand what is going wrong.
> >
> >
> > At 08:59 AM 27/06/01, you wrote:
> > > Quotes....
> > >
> > > var HOME_NET "192.168.1.1"/32
> > >
> > > Change that to
> > >
> > > var HOME_NET "192.168.1.1/32"
> > >
> > > Jason Lewis
> > > http://www.packetnexus.com
> > > It's not secure "Because they told me it was secure".
> > > The people at the other end of the link know less
> > > about security than you do. And that's scary.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin () lists sourceforge net
> > > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Cameron
> > > Just
> > > Sent: Tuesday, June 26, 2001 6:28 PM
> > > To: Snort-users () lists sourceforge net
> > > Subject: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?
> > >
> > >
> > > Hi,
> > >
> > > Anyone know how to fix this problem on a Redhat 6.2 Machine with the latest
> > > Snort installed.
> > >
> > > Here is the /var/log/messages info
> > >
> > > Jun 26 13:01:51 him snort: Initializing daemon mode
> > > Jun 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
> > > Jun 26 13:01:51 him kernel: device eth0 entered promiscuous mode
> > > Jun 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr
> > > (!192.168.1.1) didn't x-late, WTF?
> > > Jun 26 13:01:51 him kernel: device eth0 left promiscuous mode
> > > Jun 26 13:01:51 him snort: snort startup succeeded.
> > >
> > >
> > > This is the line it is dying on in my snort.conf
> > >
> > > var HOME_NET "192.168.1.1"/32
> > >
> > > I can't find anything in the FAQs and founf this problem on the Mailing
> > > lists but there was never any answer......
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > ****************************************************************
> > Cameron Just (C.Just () phoenixdigital com)
> >
> > Phoenix Digital Development
> > ****************************************************************
>
> ****************************************************************
> Cameron Just (C.Just () phoenixdigital com)
>
> Phoenix Digital Development
> ****************************************************************
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users