RE: snort.conf and rules

["Bunter, Matthew" <Matthew.Bunter () cwcom cwplc com>]

Joshua et al,

Just put [] around the var $HOME_NET ip address and it seems to be working.
Now I'll have to send some traffic. I presume that doing attacks with
generate new files (I have done an nmap and it went to the portscan.log) or
does more need to be edited within snort.conf

Matt

> -----Original Message-----
> From: Joshua Wright [SMTP:Joshua.Wright () jwu edu]
> Sent: 15 May 2001 14:04
> To:   'Bunter, Matthew'
> Subject:      RE: [Snort-users] snort.conf and rules
>
> Typically, this error indicates that a variable is not set properly.  Make
> sure you have defined EXTERNAL and INTERNAL (as well as EXTERNAL_NET, and
> INTERNAL_NET).
>
> If you want to send me your complete snort.conf, I will check it out for
> you.
>
> -Joshua Wright
> Team Leader, Networks and Systems
> Johnson & Wales University
> Joshua.Wright () jwu edu 
> 401-598-1555
>
> -----Original Message-----
> From: Bunter, Matthew [mailto:Matthew.Bunter () cwcom cwplc com]
> Sent: Tuesday, May 15, 2001 8:19 AM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] snort.conf and rules
>
>
> All,
>
> Still having problems getting snort started and would appreciate any help.
>
>
> using vision.rules (vision.rules.gz from whitehats)
> Snort 1.7
>
> Got my DNS boxes specified, no SMTP boxes on my segment (used nmap to
> verify), ignoring SQL boxes therefore commented out.
>
> Preprocessors :
> defrag
> http_decode: 80 8080
> portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
> portscan-ignorehosts: $DNS_SERVERS
>
> Output 
> alert_syslog: LOG_AUTH LOG_ALERT - forgive my stupidity but does anything
> need to be done to syslog.conf? DO any files need to be touched before
> running snort?
>
> Rule Set
> include /etc/snort/Rules/vision.rules
> My local.rules is commented out. What sort of include/ignores do people
> have
> that isn't covered in the DNS, SQL, SMTP areas of snort.conf? Could anyone
> point me to an example local.rules file?
>
> With all the above I am getting error messages that tell me things are
> wrong
> with the rules e.g. vision.rules (1) => Invalid CIDR block for IP addr
> 1024
> :
> If I comment this out I then get Port value missing in rule for rule 2,
> same
> for rule 3. I'm just trying to get Snort working Please help - going
> crazy!
>
> Regards,
>
> Matt
>
> **********************************************************************
> This message may contain information which is confidential or privileged.
> If you are not the intended recipient, please advise the sender
> immediately
> by reply e-mail and delete this message and any attachments
> without retaining a copy.  
>
> **********************************************************************
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

**********************************************************************
This message may contain information which is confidential or privileged.
If you are not the intended recipient, please advise the sender immediately
by reply e-mail and delete this message and any attachments
without retaining a copy.  

**********************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users