Snort mailing list archives
Re: Brackets around 1st varible in snort.conf
From: John Sage <jsage () finchhaven com>
Date: Sun, 02 Sep 2001 10:50:43 -0700
Kari Suomela wrote:
Sunday September 02 2001 15:54, Randy wrote to All:

R> "FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
R> ([nnn.nnn.nnn.0) didn't x-late, WTF?"

R> I'm using this syntax "var HOME_NET
R> [nnn.nnn.nnn.0/24,nnn.nnn.nnn.0/24]

nnn.nnn.nnn.0 is not a valid IP - or range!
^
This, at least, is nonsense. That's standard CIDR notation.

nnn.nnn.nnn.0 is a network address, which is just what you want to specify for HOME_NET...
Take 192.168.1.0/24 for example:

Address:   192.168.1.0           11000000.10101000.00000001 .00000000
Netmask:   255.255.255.0 == 24   11111111.11111111.11111111 .00000000
=>
Network:   192.168.1.0/24        11000000.10101000.00000001 .00000000 (Class C)
Broadcast: 192.168.1.255         11000000.10101000.00000001 .11111111
HostMin:   192.168.1.1           11000000.10101000.00000001 .00000001
HostMax:   192.168.1.254         11000000.10101000.00000001 .11111110
Hosts/Net: 254                   (Private Internet)

(Thanks to ipcalc -- see: http://jodies.de/ )

Unfortunately, this doesn't answer the original question, because it looks like Randy has the syntax correct:
From http://snort.sourcefire.com/docs/writing_rules/ :

"...For example, the address/CIDR combination 192.168.1.0/24 would signify the block of addresses from 192.168.1.1 to 192.168.1.255. Any rule that used this designation for, say, the destination address would match on any address in that range. The CIDR designations give us a nice short-hand way to designate large address spaces with just a few characters.
..."

"2.1.2 Variables

Variables may be defined in Snort. These are simple substitution variables set with the var keyword as in Figure 2.2.

Format

var: <name> <value>

var MY_NET [192.168.1.0/24,10.1.1.0/24]
"
I've played with this for hours to no avail. Tried other variable names and substitutions, no joy.

Multi CIDR sub-nets in HOME_NET worked fine in 1.7
Multi CIDR sub-nets work in all other variables in 1.8.1, except the 1st listed in snort.conf
Only if I use a single non-bracketed value for the 1st variable, will snort run.

Have I missed something?
Krikeys.. not that I can see.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
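
As an added example (not part of the original message and not Snort's own parser): a Python check that reads `var` lines in the bracketed list form quoted above and reproduces the ipcalc figures for each block. It assumes every variable holds literal IPv4 CIDR blocks; `parse_var`, `describe`, `check_conf` and the sample input are constructed for illustration.

```python
import ipaddress
import re

# "var <name> <value>", the form quoted from the Snort documentation above.
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")

def parse_var(line):
    """Return (name, [entries]) for a var line, or None for any other line."""
    m = VAR_RE.match(line)
    if not m:
        return None
    name, value = m.groups()
    if value.startswith("[") != value.endswith("]"):
        raise ValueError(f"{name}: unbalanced brackets in {value!r}")
    if value.startswith("["):
        value = value[1:-1]
    return name, [v.strip() for v in value.split(",") if v.strip()]

def describe(cidr):
    """ipcalc-style facts for one IPv4 block; rejects entries with host bits set."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    lo, hi = net.network_address, net.broadcast_address
    if net.prefixlen < 31:  # /31 and /32 have no separate network/broadcast address
        lo, hi = lo + 1, hi - 1
    return {"network": str(net), "netmask": str(net.netmask),
            "broadcast": str(net.broadcast_address),
            "hostmin": str(lo), "hostmax": str(hi),
            "hosts": int(hi) - int(lo) + 1}

def check_conf(text):
    """Return ({var: [block facts]}, [error strings]) for every var line in text."""
    ok, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_var(line)
            if parsed:
                ok[parsed[0]] = [describe(e) for e in parsed[1]]
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return ok, errors

# Constructed sample input, built from the addresses quoted in the message.
SAMPLE = "var MY_NET [192.168.1.0/24,10.1.1.0/24]\nvar HOME_NET 192.168.1.0/24\n"

if __name__ == "__main__":
    blocks, problems = check_conf(SAMPLE)
    for name, facts in blocks.items():
        print(name, facts)
    print(problems or "no problems")
```

A network address such as 192.168.1.0/24 passes the check, while an entry with host bits set or an unbalanced bracket is reported with its line number.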