Snort mailing list archives

RE: HOME_NET var on snort.conf


From: Michael Boman <mboman () gentoo org>
Date: Tue, 23 Mar 2004 11:07:44 +0800

On Sun, 2003-03-23 at 07:56, pfeito wrote:
Forget! It's not possible to remove $HOME_NET from snort.conf, it breaks a
lot of things and snort refuses to start. Right now I really don't know how
to deal with this problem...

from snort(8) manual page:
-S variable=value

Set  variable  name  "variable"  to  value "value".  This is useful for
setting the value of a defined variable name in a Snort rules file to a
command line specified value.  For instance, if you define a HOME_NET
variable name inside of a Snort rules file, you can set this value from
its predefined value at the command line.

So:

snort -S HOME_NET=$MYIP <other options>

but $<iface>_ADDRESS works for me. Of course it doesn't work if you
specify wrong interface, or if the interface doesn't have an IP address
assigned to it.


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of pfeito
Sent: segunda-feira, 22 de Março de 2004 20:52
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] HOME_NET var on snort.conf

That is weird, if it does not know what $<interface>_ADDRESS is, why does
the default snort.conf provided in snort src 2.1.1 have the following
lines?

# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which
# you run snort at.

Why mention it if it doesn't exist?

Anyway I looked at snorts manual and it seems that I'll be able to hack it
like this:
- Change /etc/init.d/snort
- Add this to the beginning of /etc/init.d/snort
  MYIP=`ifconfig eth2 | grep 'inet addr:' | cut -d ':' -f2 | cut -d ' ' -f1`
- Change the line that invokes snort

In my case from:
$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS

To:
$SNORT_PATH/snort -c $CONFIG -i $IFACE -h $MYIP/32 -g $SNORT_GID $OPTIONS

That seems to be working great. Of course the script must be invoked
every time the IP changes, but it's not so difficult to write or reuse a
perl script (for instance) to dynamically stop/start snort if the IP changes.


-----Original Message-----
From: neil [mailto:neil () bellsimons com]
Sent: segunda-feira, 22 de Março de 2004 13:05
To: pfeito
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HOME_NET var on snort.conf

The variable does not exist within the file, you're asking it to do
something it doesn't know how to do.

You're going to have to do some hacking to get the snort.conf to parse the
ip address for you.

Maybe this will help you a little:

#!/usr/bin/perl
# Roxcor Tech / www.pheusion.com / IPparse.pl
use strict;
use warnings;

# interface to query
my $interface = "eth0";
# path to ifconfig
my $ifconfig = "/sbin/ifconfig";

# run ifconfig for the interface and keep its output line by line
my @lines = qx|$ifconfig $interface| or die("Can't get info from ifconfig: " . $!);

# print the IPv4 address from the "inet addr:" line
foreach (@lines) {
    if (/inet addr:([\d.]+)/) {
        print "$1\n";
    }
}


On Sun, 2004-03-21 at 21:00, pfeito wrote:
Hi!

 In snort.conf, I have HOME_NET var set like this:

var HOME_NET $eth1_ADDRESS

I start snort, but it does not start. In /var/log/messages I get the
following information:

Mar 22 01:44:01 snortbox snort: FATAL ERROR: Undefined variable name:
(/etc/snort/snort.conf:46): eth1_ADDRESS
Mar 22 01:44:01 snortbox kernel: device eth1 left promiscuous mode

I have to set the IP address of the box manually, but this IP address is
assigned by my ISP, so it would be much better if "var HOME_NET
$eth1_ADDRESS" method worked!

An excerpt from my snort.conf:

###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network.  The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
# var HOME_NET any

#var HOME_NET $eth1_ADDRESS <----ERROR
var HOME_NET YYY.YYY.YYY.YYY/32 #obscured my current IP address

I'm running snort 2.1.1 on Fedora Core 1.
What could be wrong? Any ideas?
-- 
Michael Boman
Gentoo NetMon Team Lead | Developer, Hardened Gentoo Linux
http://www.gentoo.org   | http://dev.gentoo.org/~mboman
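As an added example (not from the thread or any of its posters), a POSIX shell helper that turns the "inet addr:" / "Mask:" line of ifconfig output into a HOME_NET value with a proper prefix length, and fails rather than producing an empty value when the interface has no address, the failure mode Michael mentions. It assumes the old-style ifconfig output format quoted in the thread; the ifconfig output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample ifconfig output (not from a real host), in the
# "inet addr:" format that the thread's grep/cut pipeline expects.
SAMPLE_IFCONFIG='eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.17  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample of an interface that is up but has no IPv4 address.
SAMPLE_NO_ADDR='eth3      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# mask_to_prefix 255.255.255.0 -> 24. Rejects non-contiguous masks.
mask_to_prefix() {
    prefix=0
    tail=0   # set once a partial/zero octet is seen; later octets must be 0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        if [ "$tail" -eq 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); tail=1 ;;
            252) prefix=$((prefix + 6)); tail=1 ;;
            248) prefix=$((prefix + 5)); tail=1 ;;
            240) prefix=$((prefix + 4)); tail=1 ;;
            224) prefix=$((prefix + 3)); tail=1 ;;
            192) prefix=$((prefix + 2)); tail=1 ;;
            128) prefix=$((prefix + 1)); tail=1 ;;
            0)   tail=1 ;;
            *)   return 1 ;;
        esac
    done
    printf '%s\n' "$prefix"
}

# home_net_from_ifconfig "<ifconfig output>" -> "addr/prefix" on stdout.
# Returns non-zero (and prints nothing) when no IPv4 address is present, so
# the init script can refuse to start snort instead of passing an empty
# HOME_NET, which would make snort fail at config parse time anyway.
home_net_from_ifconfig() {
    line=$(printf '%s\n' "$1" | grep 'inet addr:') || return 1
    addr=$(printf '%s\n' "$line" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p')
    [ -n "$addr" ] || return 1
    # no Mask: field means a host route, so fall back to /32
    prefix=$(mask_to_prefix "${mask:-255.255.255.255}") || return 1
    printf '%s/%s\n' "$addr" "$prefix"
}
```

In an init script this would be used as `HOME_NET=$(home_net_from_ifconfig "$(/sbin/ifconfig eth2)") || exit 1` followed by `snort -S HOME_NET=$HOME_NET ...` (the -S form from the snort(8) excerpt above), or with `-h $HOME_NET` as in pfeito's script.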
