Re: Snort message: Unable to create an IPSet from any ... ?

[Paul Schmehl <pauls () utdallas edu>]

--On Tuesday, June 15, 2004 10:48 AM +1000 James Sinnamon 
<jaymz () bigpond net au> wrote:

> Dear Snorters,
>
> My output from:
>
>   snort -c /etc/snort/snort.conf
>
> ( see http://users.bigpond.net.au/jaymz/snort.out.txt )
>
> ... finishes with :
>
> /etc/snort/snort.conf(390) Unable to create an IPSet from any

You have:
var HOME_NET any
var EXERNAL_NET !$HOME_NET

So, think about this for a moment.  If HOME_NET is any IP address, what the 
heck is !$HOME_NET?  NOT ANY?  NONE?

You could make EXTERNAL_NET any, but you can't make it NOT ANY.

What do you want your rules to do?  Show you traffic coming in to your 
network?  Out of your network?  Don't care?

BTW, thank you VERY much for posting URLs to your snort.conf file instead 
of posting the *entire* file here.  BTW, as an alternative, you *could* use 
"grep -v "#" snort.conf > snort.conf.list which would create a file that 
only has your configuration without any of the comment lines.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users