Snort mailing list archives

Re: Snort message: Unable to create an IPSet from any ... ?


From: James Sinnamon <jaymz () bigpond net au>
Date: Tue, 15 Jun 2004 13:35:14 +1000

Paul,

Firstly, thanks for the reply and your interest.

On Tue, 15 Jun 2004 12:47 pm, you wrote:
> --On Tuesday, June 15, 2004 10:48 AM +1000 James Sinnamon
> <snip/>
> > My output from:
> >
> >   snort -c /etc/snort/snort.conf
> >
> > ( see http://users.bigpond.net.au/jaymz/snort.out.txt )
> >
> > ... finishes with:
> >
> > /etc/snort/snort.conf(390) Unable to create an IPSet from any
>
> You have:
> var HOME_NET any
> var EXTERNAL_NET !$HOME_NET
>
> So, think about this for a moment.  If HOME_NET is any IP address, what the
> heck is !$HOME_NET?  NOT ANY?  NONE?
>
> You could make EXTERNAL_NET any, but you can't make it NOT ANY.


Looks like I should be able to get it working soon, thanks.

> What do you want your rules to do?  Show you traffic coming into your
> network?  Out of your network?  Don't care?

I was basically starting with the defaults from the Debian package. I hoped
to be able to make some sense of the output and, from there, start tweaking
the config files, but I clearly had not even made it to first base.

I am relatively new to firewalling and computer security, although I have
dabbled in it before.

I am trying to set up a cable modem connected server running 24 hours per day,
7 days per week.  There is a (firehol) firewall in place.  I want to allow
access to a few services: https, http/cgi, http/php, http/java, plone, smtp,
mailman, sshd, etc., so I would like to be aware of any attempts by anyone
out there to use access to these services to hack into my server.

There is also a small NAT'd network here consisting of a desktop
'development' machine and a laptop as well as the firewall/server.  Of
course, snort will only be interested in what is coming down through the
cable modem and eth0.

(I am hopeful that it may be possible to be alerted to any patterns of
threatening probes by having a text message sent to my mobile phone, 
but that is something I will need to ask of users in Australia, maybe at
http://forums.whirlpool.net.au. )


> BTW, thank you VERY much for posting URLs to your snort.conf file instead
> of posting the *entire* file here.

Glad to know that it's appreciated.  I didn't want to add
unnecessarily to Google's workload.  The plone and zope IRC forums
use a server to which config files can be pasted temporarily.

> BTW, as an alternative, you *could* use
> grep -v "#" snort.conf > snort.conf.list, which would create a file that
> only has your configuration without any of the comment lines.

Thanks for the suggestion.

Best regards,

James

-- 
James Sinnamon
jaymz at bigpond net auStralia
+61 412 319669, +61 2 95692123
http://www.australianvisions.com.au/Members/james
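As an added illustration of the point made above (not configuration from either poster), here is the failing pair of definitions beside two working alternatives for a setup like the one described: one public address on eth0 and a NAT'd LAN behind it. The addresses 203.0.113.5 and 192.168.1.0/24 are placeholders, as is the sample rule and its sid; Snort 2.x "var" syntax is assumed.

```conf
# Broken: HOME_NET is "any", so !$HOME_NET is "not any", i.e. an empty set.
# This is what produces "Unable to create an IPSet from any".
var HOME_NET any
var EXTERNAL_NET !$HOME_NET

# Fix 1: keep the catch-all on both sides. Loads, but the rules can no
# longer tell inside from outside, so "inbound" rules fire on LAN traffic too.
var HOME_NET any
var EXTERNAL_NET any

# Fix 2: say what "home" actually is, then negate that.
# 203.0.113.5/32  - placeholder for the cable-modem address on eth0
# 192.168.1.0/24  - placeholder for the NAT'd desktop/laptop network
# (no spaces inside the brackets)
var HOME_NET [203.0.113.5/32,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

# With fix 2 a rule like this (placeholder local rule, sid in the local range)
# matches a SYN from outside toward the server's sshd, but not the laptop
# logging in from the LAN:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt from outside"; flags:S; sid:1000001; rev:1;)
```

After editing, check the configuration without sniffing using `snort -T -c /etc/snort/snort.conf`; it parses the file, reports errors such as the IPSet one, and exits.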

