Snort mailing list archives
Re: Snort-users Digest, Vol 128, Issue 41
From: Eric Boettner <eric.boettner () gmail com>
Date: Thu, 19 Jan 2017 00:56:28 +0000 (UTC)
Unsubscribe

Get Outlook for iOS

On Wed, Jan 18, 2017 at 7:53 PM -0500, <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

   1. Re: Snort Error (Paraskevas Lampadas)

----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jan 2017 02:49:17 +0200
From: Paraskevas Lampadas
Subject: Re: [Snort-users] Snort Error
To: "Al Lewis (allewi)"
Cc: "snort-users () lists sourceforge net"
Message-ID:
Content-Type: text/plain; charset="utf-8"

It looks to work fine now! Thanks a lot!

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:35 AM, Al Lewis (allewi) wrote:

Same result. See attached.

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
SOURCE*fire*, Inc. now part of *Cisco*
Email: allewi () cisco com

From: Paraskevas Lampadas
Date: Wednesday, January 18, 2017 at 7:25 PM
To: allewi
Cc: 'snort-users' , waldo kitty < wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort Error

I'll check it, but as I see you are using Snort 2.9.8.3. I am using the latest, 2.9.9.0. I don't know if that changes anything.

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:22 AM, Al Lewis (allewi) wrote:

See attached. I just tested it with the -T and it runs fine. This is the sample (trimmed down config I used with your variables).

    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.10.0/24

    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET

    preprocessor stream5_global: \
        max_tcp 8192, \
        track_tcp yes, \
        track_udp yes, \
        track_icmp no
    preprocessor stream5_tcp:
    preprocessor stream5_udp:
    preprocessor frag3_global:
    preprocessor frag3_engine:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
SOURCE*fire*, Inc. now part of *Cisco*
Email: allewi () cisco com

From: Paraskevas Lampadas
Date: Wednesday, January 18, 2017 at 7:13 PM
To: allewi
Cc: 'snort-users' , waldo kitty < wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort Error

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:08 AM, Al Lewis (allewi) wrote:

Please send a copy of your config.

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
SOURCE*fire*, Inc. now part of *Cisco*
Email: allewi () cisco com

From: Paraskevas Lampadas
Date: Wednesday, January 18, 2017 at 7:06 PM
To: allewi
Cc: 'snort-users' , waldo kitty < wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort Error

As I mentioned in my first message: everything is fine except that I get alerts coming from my internal network as attacks, which are false alarms. In /etc/snort/snort.conf I have set the EXTERNAL NET as any. I tried to make as !$HOME NET, but then the snort fails to load at startup. If I change it back to any everything works fine. How else can I avoid receiving alerts from my internal network?

On 19 Jan 2017 02:03, "Al Lewis (allewi)" wrote:

Looks like you need to set EXTERNAL_NET to something. Take a look at the default config that comes with the download.

    cliffjumper$ less /var/tmp/snort-2.9.8.3/etc/snort.conf | grep EXTERNAL
    ipvar EXTERNAL_NET any

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
SOURCE*fire*, Inc. now part of *Cisco*
Email: allewi () cisco com

From: Paraskevas Lampadas
Date: Wednesday, January 18, 2017 at 6:51 PM
To: waldo kitty
Cc: 'snort-users'
Subject: Re: [Snort-users] Snort Error

"FATAL ERROR: /etc/snort/snort.conf(48) Missing argument to EXTERNAL_NET"

The exact error message

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 1:43 AM, Paraskevas Lampadas < parislampadas () gmail com> wrote:

FATAL ERROR variable EXTERNAL_NET not set, or something like that.

*Cisco Certified Network Associate*

On Wed, Jan 18, 2017 at 4:02 AM, wrote:

On 01/17/2017 04:37 PM, Paraskevas Lampadas wrote:

I tried to make as !$HOME NET, but then the snort fails to load at startup. If i change it back to any everything works fine. How else can i avoid receiving alerts from my internal network?

what is the exact error message given at startup when you set EXTERNAL_NET to !HOME_NET??
--
NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
End of Snort-users Digest, Vol 128, Issue 41
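Added example, not part of the thread and not Snort's own code: a small Python pre-flight check for the kind of variable problem discussed above, meant to run before `snort -T`. It flags definitions with no value, `$VAR` references that appear before the variable is defined, and rule address fields that name a defined variable without the `$` prefix. The function name, the regular expressions (a simplified model of Snort 2.9 syntax) and both sample configs are assumptions constructed for illustration.

```python
import re
# Simplified model of Snort 2.9 variable and rule-header syntax (assumption,
# not Snort's real parser).
DEF_RE = re.compile(r'^(?:ipvar|portvar|var)\s+(\S+)\s*(.*)$')
REF_RE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')
RULE_RE = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+'   # action, protocol
    r'(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+')            # src, sport, dir, dst, dport

def lint_snort_vars(conf_text):
    """Return (line_number, message) findings, in line order."""
    findings, defined = [], set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DEF_RE.match(line)
        if m:
            name, value = m.groups()
            if not value:
                findings.append((lineno, f"{name} is defined without a value"))
            for ref in REF_RE.findall(value):
                if ref not in defined:
                    findings.append((lineno, f"${ref} is used before it is defined"))
            defined.add(name)
            continue
        m = RULE_RE.match(line)
        for addr in (m.groups() if m else ()):
            bare = addr.lstrip('!')          # negation does not change the lookup
            if bare.startswith('$'):
                if bare[1:] not in defined:
                    findings.append((lineno, f"{bare} is not defined"))
            elif bare in defined:
                findings.append((lineno, f"{bare} is missing its $ prefix"))
    return findings

# Constructed sample configs (not the poster's actual snort.conf).
GOOD_CONF = '''
ipvar HOME_NET 192.168.10.0/24
ipvar EXTERNAL_NET !$HOME_NET
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )
'''
BAD_CONF = '''
ipvar EXTERNAL_NET !$HOME_NET
ipvar HOME_NET
alert tcp HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )
'''

if __name__ == "__main__":
    print(lint_snort_vars(BAD_CONF))
```

A clean result here does not replace `snort -T`; it only catches these three ordering and naming mistakes earlier and with a line number.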
Current thread:
- Re: Snort-users Digest, Vol 128, Issue 41 Eric Boettner (Jan 18)