Snort mailing list archives
Re: Vision rules EXTERNAL/EXTERNAL_NET
From: Phil Wood <cpw () lanl gov>
Date: Wed, 16 May 2001 15:08:04 -0600
On Wed, May 16, 2001 at 03:03:34PM -0500, Andy Bach wrote:
> Hi Folks,
>
> Just trying the vision.rules for the first time and I had to add:
> var INTERNAL $HOME_NET
> var EXTERNAL $EXTERNAL_NET
> after the original defs to keep all the rules working - is this normal?
> I'm also getting:
> May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR block for IP addr 1024:
This is the result of $EXTERNAL being eq "" (nothing), so the port 1024 gets treated as an IP thingamabob. Take a close look at your configuration file and make sure that you have defined the various $variables like:

    var INTERNAL [192.168.0.0/24]
    var EXTERNAL !$INTERNAL

There could be other variables defined in your rules such as SMTP or DNS_SERVERS, etc. It's an iterative process, until you find all the things that need to be defined.
> (rule 1):
> alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)
>
> Is that because I'm using the:
> var HOME_NET $eth0_ADDRESS
> format? The snort rules all worked fine - is there a standard story for using one set over the other?
>
> Thanks.
>
> a
>
> Andy Bach, Sys. Mgr
> Internet: andy () wiwb uscourts gov
> VOICE: (608) 264-5178 ex 5738, FAX 264-510
>
> UNIX *is* user friendly. It is just a bit selective about her friends.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
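An added example (not part of either poster's message, nor code from Snort): a small Python check for the failure described in the reply above, listing every $variable that a rules file uses before any var line defines it. It assumes definitions are read top to bottom, one rule per line, and that $<interface>_ADDRESS is supplied by Snort; the name undefined_vars and the sample lines are constructed for illustration.

```python
import re

VAR_DEF = re.compile(r"^var\s+(\w+)\s+(.+)")
VAR_REF = re.compile(r"\$(\w+)")

def undefined_vars(lines):
    """Map each $name used before a 'var' line defines it to the line numbers using it."""
    defined, missing = set(), {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_DEF.match(line)
        # For a var line, check its value; for a rule, check only the header
        # (text before the option list) so "$" inside content strings is ignored.
        scope = m.group(2) if m else line.split("(", 1)[0]
        for name in VAR_REF.findall(scope):
            # Assumption: $<interface>_ADDRESS (as in the HOME_NET line quoted
            # in the thread) is filled in by Snort and needs no 'var' line.
            if name not in defined and not name.endswith("_ADDRESS"):
                missing.setdefault(name, []).append(lineno)
        if m:
            defined.add(m.group(1))
    return missing

# Constructed sample: stock-style definitions followed by rule 1 from the thread.
BROKEN = """\
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)
""".splitlines()

# Same file with the two definitions added "after the original defs".
FIXED = BROKEN[:2] + ["var INTERNAL $HOME_NET", "var EXTERNAL $EXTERNAL_NET"] + BROKEN[2:]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        result = undefined_vars(conf)
        print(label, "->", result or "all variables defined")
```

Running it over the real snort.conf with vision.rules appended gives the full list of names to define in one pass instead of one Snort startup error at a time.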