Snort mailing list archives
Re: Snort message: Unable to create an IPSet from any ... ?
From: James Sinnamon <jaymz () bigpond net au>
Date: Tue, 15 Jun 2004 13:35:14 +1000
Paul,

Firstly, thanks for the reply and your interest.

On Tue, 15 Jun 2004 12:47 pm, you wrote:
> --On Tuesday, June 15, 2004 10:48 AM +1000 James Sinnamon
<snip/>
>> My output from: snort -c /etc/snort/snort.conf
>> ( see http://users.bigpond.net.au/jaymz/snort.out.txt )
>> ... finishes with :
>> /etc/snort/snort.conf(390) Unable to create an IPSet from any
>
> You have:
> var HOME_NET any
> var EXTERNAL_NET !$HOME_NET
>
> So, think about this for a moment. If HOME_NET is any IP address, what the heck is !$HOME_NET? NOT ANY? NONE? You could make EXTERNAL_NET any, but you can't make it NOT ANY.

Looks like I should be able to get it working soon, thanks.
> What do you want your rules to do? Show you traffic coming in to your network? Out of your network? Don't care?

I was basically starting with the defaults from the debian package. I hoped to be able to make some sense of the output, and, from there, start tweaking with the config files, but I clearly had not even made it to first base. I am relatively new to firewalling and computer security, although I have dabbled in it before. I am trying to set up a cable modem connected server 24 hours per day, 7 days per week. There is a (firehol) firewall in place. I want to allow access to a few services: https, http/cgi, http/php, http/java, plone, smtp, mailman, sshd, etc, so I would like to be aware of any attempts by anyone out there to use access to these services to hack into my server. There is also a small nat'd network here consisting of a desktop 'development' machine and a laptop as well as the firewall/server. Of course, snort will only be interested in what is coming down through the cable modem and eth0. (I am hopeful that it may be possible to be alerted to any patterns of threatening probes by having a text message sent to my mobile phone, but that is something I will need to ask of users in Australia, maybe at http://forums.whirlpool.net.au. )
> BTW, thank you VERY much for posting URLs to your snort.conf file instead of posting the *entire* file here.

Glad to know that it's appreciated. I didn't want to have to add unnecessarily to google's work load. The plone and zope IRC forums use a server to which config files can be pasted temporarily.
> BTW, as an alternative, you *could* use "grep -v "#" snort.conf > snort.conf.list" which would create a file that only has your configuration without any of the comment lines.

Thanks for the suggestion.

Best regards,

James

--
James Sinnamon
jaymz at bigpond net auStralia
+61 412 319669, +61 2 95692123
http://www.australianvisions.com.au/Members/james
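
A small pre-flight check for the condition discussed in this message, as an added example that is not part of the original thread or of Snort itself: it reads the `var` lines of a snort.conf, expands `$NAME` references, and reports any variable that ends up as the negation of `any`. The sample configurations, the function names and the 192.168.1.0/24 network are constructed for illustration, and only simple single-value `var` lines are handled.

```python
import re

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")

def parse_vars(conf_text):
    """Map each 'var NAME VALUE' line to {NAME: (VALUE, line_number)}."""
    found = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = VAR_RE.match(line.split("#", 1)[0])  # ignore comments
        if match:
            found[match.group(1)] = (match.group(2), lineno)
    return found

def resolve(value, variables, seen=()):
    """Expand $NAME references, carrying '!' through; None if undefined/cyclic."""
    negated = value.startswith("!")
    body = value[1:] if negated else value
    if body.startswith("$"):
        name = body[1:]
        if name in seen or name not in variables:
            return None
        body = resolve(variables[name][0], variables, seen + (name,))
        if body is None:
            return None
    if negated:  # '!' applied to an already negated value cancels out
        return body[1:] if body.startswith("!") else "!" + body
    return body

def find_negated_any(conf_text):
    """Return sorted (line, name, value) for variables that expand to '!any'."""
    variables = parse_vars(conf_text)
    return sorted((lineno, name, value)
                  for name, (value, lineno) in variables.items()
                  if resolve(value, variables) == "!any")

# Constructed sample input, modelled on the two var lines quoted in the thread.
SAMPLE_BROKEN = """\
# constructed sample
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
"""
# Two constructed fixes: EXTERNAL_NET any, or a concrete HOME_NET (example CIDR).
SAMPLE_FIX_ANY = SAMPLE_BROKEN.replace("!$HOME_NET", "any")
SAMPLE_FIX_CIDR = SAMPLE_BROKEN.replace("HOME_NET any", "HOME_NET 192.168.1.0/24")

if __name__ == "__main__":
    for label, text in [("broken", SAMPLE_BROKEN), ("EXTERNAL_NET any", SAMPLE_FIX_ANY),
                        ("HOME_NET as CIDR", SAMPLE_FIX_CIDR)]:
        print(label, find_negated_any(text))
```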