Snort mailing list archives

RE: Problems with HOME_NET and EXTERNAL_NET var's


From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Sun, 31 Aug 2003 21:38:33 -0400

Are you on a switch, by any chance?  Your current settings should work, but
if you are on a switch, you'll only see traffic for that machine and
broadcasts.  Just comment out the X11 rule to see if you can get snort
running.

Also, referencing other variables needs the "$", as in:

var EXTERNAL_NET !$HOME_NET


- Gordon

"When I finally found a spam filter that worked, I no longer received ANY
email."

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Lauts,
Anthony
Sent:   Sunday, August 31, 2003 12:19 PM
To:     'snort-users () lists sourceforge net'
Subject:        [Snort-users] Problems with HOME_NET and EXTERNAL_NET var's

I have set up and installed Snort and Acid on a RH9 box with a single NIC
using Patrick Harper's online Snort Installation Manual (Thanks Patrick)..
it looks like I have one last problem to overcome.

Everything loads fine, but I am not logging anything.  I have traced this
down to my snort.conf file and the EXTERNAL_NET and HOME_NET variables.  I
have tried every iteration of these (i.e., using $eth0_ADDRESS,
10.2.85.0/24, any) and still receive the following error when trying any of
the supplied rulesets:

_______________________start of snip_________________________________
# /usr/local/bin/snort -i eth0 -n 1 -c /etc/snort/x11.rules
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/x11.rules

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Undefined variable name: (/etc/snort/x11.rules:8): EXTERNAL_NET
Fatal Error, Quitting..
_______________________end of snip_________________________________

My NET variables are currently defined as follows:


var HOME_NET 10.2.85.0/24
var EXTERNAL_NET any


I have even tried saying "!HOME_NET" for the EXTERNAL_NET var.

I also have to manually type in "ifconfig etho promisc" to get eth0 to enter
promiscuous mode after a restart of the box.

If anyone has any experience with this, it would be greatly appreciated.

Tony Lauts


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
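
An added example, not part of either message and not Snort's own code: a small Python check, run over constructed sample lines, for the two conditions this thread discusses, a `$VAR` used before any `var` line has defined it and a reference written without the "$". It assumes the Snort 2.x `var NAME value` syntax quoted above; the function name `check`, the sample rule and its sid are hypothetical.

```python
import re

REF = re.compile(r"\$\(?([A-Za-z_][A-Za-z0-9_]*)")  # matches $NAME and $(NAME
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def check(lines):
    """Read one file top to bottom; return [(lineno, name, problem)]."""
    defined, issues = set(), []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            name, value = parts[1], parts[2]
            for ref in REF.findall(value):
                if ref not in defined:
                    issues.append((no, ref, "undefined"))
            # A bare word equal to an earlier variable name is a
            # reference that lost its "$" (e.g. !HOME_NET).
            for word in WORD.findall(REF.sub("", value)):
                if word in defined:
                    issues.append((no, word, 'missing "$"'))
            defined.add(name)
        elif parts[0] in ACTIONS:
            header = line.split(" (", 1)[0]  # rule options start at " ("
            for ref in REF.findall(header):
                if ref not in defined:
                    issues.append((no, ref, "undefined"))
    return issues

# Constructed sample rule, not taken from any shipped ruleset.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 '
        '(msg:"constructed sample rule"; sid:1000001;)')
VARS = ["var HOME_NET 10.2.85.0/24", "var EXTERNAL_NET any"]

RULES_ONLY = [RULE]            # a rules file read on its own, no var lines
FULL_CONF = VARS + [RULE]      # definitions come before the rule
BARE_REF = ["var HOME_NET 10.2.85.0/24", "var EXTERNAL_NET !HOME_NET"]
FIXED_REF = ["var HOME_NET 10.2.85.0/24", "var EXTERNAL_NET !$HOME_NET", RULE]

if __name__ == "__main__":
    for label, sample in [("rules only", RULES_ONLY), ("full conf", FULL_CONF),
                          ("bare ref", BARE_REF), ("fixed ref", FIXED_REF)]:
        print(label, check(sample))
```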
