Snort mailing list archives

Re: Snort-users Digest, Vol 128, Issue 41


From: Eric Boettner <eric.boettner () gmail com>
Date: Thu, 19 Jan 2017 00:56:28 +0000 (UTC)

Unsubscribe 

On Wed, Jan 18, 2017 at 7:53 PM -0500, <snort-users-request () lists sourceforge net> wrote:

Today's Topics:

   1. Re: Snort Error (Paraskevas Lampadas)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jan 2017 02:49:17 +0200
From: Paraskevas Lampadas 
Subject: Re: [Snort-users] Snort Error
To: "Al Lewis (allewi)" 
Cc: "snort-users () lists sourceforge net"
        
Message-ID:
        
Content-Type: text/plain; charset="utf-8"

It looks to work fine now!
Thanks a lot!

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:35 AM, Al Lewis (allewi)  wrote:

Same result. See attached.

*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Paraskevas Lampadas 
Date: Wednesday, January 18, 2017 at 7:25 PM

To: allewi 
Cc: 'snort-users' , waldo kitty <
wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort Error

I'll check it, but as I see you are using Snort 2.9.8.3. I am using the
latest, 2.9.9.0; I don't know if that changes anything.

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:22 AM, Al Lewis (allewi) 
wrote:

See attached. I just tested it with the -T and it runs fine.


This is the sample (trimmed down config I used with your variables).


# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.10.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

preprocessor stream5_global: \
max_tcp 8192, \
track_tcp yes, \
track_udp yes, \
track_icmp no
preprocessor stream5_tcp:
preprocessor stream5_udp:

preprocessor frag3_global:
preprocessor frag3_engine:


# Variables are referenced with a leading $ inside rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )





*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Paraskevas Lampadas 
Date: Wednesday, January 18, 2017 at 7:13 PM

To: allewi 
Cc: 'snort-users' , waldo kitty <
wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort Error



*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:08 AM, Al Lewis (allewi) 
wrote:

Please send a copy of your config.

*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Paraskevas Lampadas 
Date: Wednesday, January 18, 2017 at 7:06 PM
To: allewi 
Cc: 'snort-users' , waldo kitty <
wkitty42 () windstream net>

Subject: Re: [Snort-users] Snort Error

As I mentioned in my first message:

Everything is fine except that I get alerts coming from my internal
network as attacks, which are false alarms. In /etc/snort/snort.conf I have
set the EXTERNAL NET as any.

I tried to make it !$HOME NET, but then Snort fails to load at
startup. If I change it back to any everything works fine.

How else can I avoid receiving alerts from my internal network?

On 19 Jan 2017 02:03, "Al Lewis (allewi)" wrote:

Looks like you need to set EXTERNAL_NET to something.

Take a look at the default config that comes with the download.


cliffjumper$ less /var/tmp/snort-2.9.8.3/etc/snort.conf | grep EXTERNAL
ipvar EXTERNAL_NET any

*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Paraskevas Lampadas 
Date: Wednesday, January 18, 2017 at 6:51 PM
To: waldo kitty 
Cc: 'snort-users' 
Subject: Re: [Snort-users] Snort Error

" FATAL ERROR: /etc/snort/snort.conf(48) Missing argument to
EXTERNAL_NET"

The exact error message

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 1:43 AM, Paraskevas Lampadas <
parislampadas () gmail com> wrote:

FATAL ERROR variable EXTERNAL_NET not set, or something like that.

*Cisco Certified Network Associate*

On Wed, Jan 18, 2017 at 4:02 AM,  wrote:

On 01/17/2017 04:37 PM, Paraskevas Lampadas wrote:
I tried to make it !$HOME NET, but then Snort fails to load at startup.
If I change it back to any everything works fine.

How else can I avoid receiving alerts from my internal network?

What is the exact error message given at startup when you set EXTERNAL_NET to !HOME_NET??

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!








End of Snort-users Digest, Vol 128, Issue 41
********************************************
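
Added example, not part of the original thread and not Snort's own code: a small pre-flight lint for the ipvar lines discussed above. It flags a missing value, a value split by whitespace (as `!$HOME NET` is typed in the thread), a reference to an undefined variable, and negation of a variable set to `any`. The rules are a simplified assumption about how Snort reads these lines and the sample configs are constructed; running Snort with -T, as done in the thread, remains the authoritative check.

```python
import re

VAR_REF = re.compile(r"\$(\w+)")  # $NAME references inside an ipvar value

# Constructed sample configs (not taken from anyone's real snort.conf).
GOOD = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET !$HOME_NET\n"
SPLIT = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET !$HOME NET\n"
MISSING = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET\n"
NEG_ANY = "ipvar HOME_NET any\nipvar EXTERNAL_NET !$HOME_NET\n"


def lint_ipvars(conf_text):
    """Return [(line_no, message)] for suspicious ipvar lines (heuristic)."""
    defined = {}  # variable name -> value exactly as written
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop trailing comments, then split into: keyword, name, value.
        parts = raw.split("#", 1)[0].split(None, 2)
        if not parts or parts[0] != "ipvar":
            continue
        if len(parts) < 3:
            name = parts[1] if len(parts) == 2 else "<unnamed>"
            findings.append((no, f"{name}: no value given"))
            continue
        name, value = parts[1], parts[2].strip()
        negated = value.startswith("!")
        # Whitespace outside a [list] means the value was split in two.
        if len(value.split()) > 1 and not value.lstrip("!").startswith("["):
            findings.append((no, f"{name}: whitespace inside value {value!r}"))
        if value == "!any":
            findings.append((no, f"{name}: '!any' is not allowed"))
        for ref in VAR_REF.findall(value):
            if ref not in defined:
                findings.append((no, f"{name}: ${ref} is not defined above"))
            elif negated and defined[ref] == "any":
                findings.append((no, f"{name}: negates ${ref}, which is 'any'"))
        defined[name] = value
    return findings


if __name__ == "__main__":
    for label, conf in [("good", GOOD), ("split", SPLIT),
                        ("missing", MISSING), ("neg-any", NEG_ANY)]:
        print(label, lint_ipvars(conf) or "ok")
```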




