Snort mailing list archives

RE: Problems with HOME_NET and EXTERNAL_NET var's


From: "Lauts, Anthony" <tlauts () twtr com>
Date: Sun, 31 Aug 2003 22:24:28 -0400

Thanks for the reply Gary.

  Yes, I am on an Extreme switch, but I have port mirroring set up.  I have
tested it with ethereal and am seeing packets that snort should be catching.
It should still see packets that I am attacking that particular IP address
with.

  That was also a typo in my message forgetting to put the $ when
referencing !$HOME_NET.  I did try that also.

  I get the same error no matter what ruleset I attempt to run
"ERROR: Undefined variable name: (/etc/snort/*****.rule:#): EXTERNAL_NET"

  I have read pretty much every forum I could find, even bought the book
from Syngress and read it cover to cover.  Wondering if this isn't more of a
Linux environment issue instead of a SNORT configuration problem.

  Any other ideas?  I am sure it is something that I am just overlooking (my
brain is fried from running around fixing Windows machines from the Welchia
worm all week!)

Thanks,
    Tony


-----------------------------------------
 Are you on a switch, by any chance?  Your current settings should work, but
 if you are on a switch, you'll only see traffic for that machine and
 broadcasts.  Just comment out the X11 rule to see if you can get snort
 running.
 
 Also, referencing other variables needs the "$", as in:
 
 var EXTERNAL_NET !$HOME_NET
 
 
 - Gordon
 
 "When I finally found a spam filter that worked, I no longer received ANY
 email."


-----Original Message-----
From: Lauts, Anthony
To: 'snort-users () lists sourceforge net'
Sent: 8/31/2003 12:18 PM
Subject: Problems with HOME_NET and EXTERNAL_NET var's

I have set up and installed Snort and Acid on a RH9 box with a single
NIC using Patrick Harper's online Snort Installation Manual (Thanks
Patrick).. it looks like I have one last problem to overcome.

Everything loads fine, but I am not logging anything.  I have traced
this down to my snort.conf file and the EXTERNAL_NET and HOME_NET
variables.  I have tried every iteration of these (i.e., using
$eth0_ADDRESS, 10.2.85.0/24, any) and still receive the following error
when trying any of the supplied rulesets:

_______________________start of snip_________________________________
# /usr/local/bin/snort -i eth0 -n 1 -c /etc/snort/x11.rules 
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/x11.rules

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Undefined variable name: (/etc/snort/x11.rules:8): EXTERNAL_NET
Fatal Error, Quitting..
_______________________end of snip_________________________________

My NET variables are currently defined as follows:


var HOME_NET 10.2.85.0/24
var EXTERNAL_NET any


I have even tried saying "!HOME_NET" for the EXTERNAL_NET var.

I also have to manually type in "ifconfig eth0 promisc" to get eth0 to
enter promiscuous mode after a restart of the box.

If anyone has any experience with this, it would be greatly appreciated.

Tony Lauts
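
The "Undefined variable name" error quoted in this thread comes from Snort's variable lookup: a rule can use `$NAME` only if a `var NAME` line was parsed earlier in the file given to `-c` or in a file that file includes. The Python below is an added example, not code from the thread or from Snort; it mimics that lookup over constructed sample files (the file contents, the sample rule and the `undefined_vars` helper are assumptions) and contrasts loading `x11.rules` directly, as in the quoted command, with loading a `snort.conf` that defines the variables and then includes the rules file.

```python
import re

# Matches the $NAME and $(NAME) reference forms.
VAR_REF = re.compile(r"\$\(?(\w+)")

# Constructed sample files (not the poster's real configuration).
FILES = {
    "/etc/snort/snort.conf": (
        "var HOME_NET 10.2.85.0/24\n"
        "var EXTERNAL_NET !$HOME_NET\n"
        "include /etc/snort/x11.rules\n"
    ),
    "/etc/snort/x11.rules": (
        "# constructed stand-in for a shipped rule\n"
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 sample"; sid:1000001;)\n'
    ),
}

def undefined_vars(path, files, defined=None):
    """Return (file, line, name) for each $VAR used before any `var` defines it."""
    defined = set() if defined is None else defined
    problems = []
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            used, new = VAR_REF.findall(parts[2]), parts[1]
        elif parts[0] == "include" and len(parts) >= 2:
            # Included files share the variable table built so far.
            problems += undefined_vars(parts[1], files, defined)
            continue
        else:
            # Rule line: only the header (before the options) holds address/port variables.
            used, new = VAR_REF.findall(line.split("(", 1)[0]), None
        problems += [(path, lineno, v) for v in used if v not in defined]
        if new:
            defined.add(new)
    return problems

if __name__ == "__main__":
    for entry in ("/etc/snort/x11.rules", "/etc/snort/snort.conf"):
        print(entry, "->", undefined_vars(entry, FILES) or "all variables defined")
```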

