Re: [Snort-users] Failed to parse the IP address: $HOME_NET

Lay, James

Aug 16, 2012, 4:10:05 PM


-----Original Message-----
From: Chiesa Stefano [mailto:Stefano...@wki.it]
Sent: Thursday, August 16, 2012 9:32 AM
To: snort...@lists.sourceforge.net
Subject: [Snort-users] Failed to parse the IP address: $HOME_NET

<snip>

ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
!$HOME_NET.
Fatal Error, Quitting..
+++++++++++++++++++++++++++++++++++++++++++++++++++

I understood I have to configure the HOME_NET variable (I have almost
all the variables at the "any" value).
But, and this is the main problem, no matter what I write to configure
the variable I always get an error.

ipvar H0ME_NET 212.239.x.x/25 w/o brackets
ipvar H0ME_NET [212.239.x.x/25] w/ brackets
ipvar H0ME_NET [172.16.40.111] w/ single internal address

using 'ipvar' or simply 'var' I get these errors:

[root@s-dr-snort ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /home/snort/log/eth0
Running in Test mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
$HOME_NET.
Fatal Error, Quitting..

<snip>


Stefano,

Can we see the first say...20 lines of your snort.conf? Thanks.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Joel Esler

Aug 16, 2012, 4:47:47 PM
Or, you know, line 55.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Dave Venman

Aug 16, 2012, 5:49:09 PM
Hmmm.  See inline below with >>>>

On 16 August 2012 16:32, Chiesa Stefano <Stefano...@wki.it> wrote:
Hello all.
I'm a newbie in Linux system management and this is the first time I have installed
snort (barnyard2, snorby), and I need some help.
Everything is working quite fine at the moment, but I want to go ahead
and I'm facing a problem.


These are the details:

CentOS release 6.3 (Final)
Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29
UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

[root@s-dr-snort ~]# /usr/sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Rules updated every night via Pulledpork.
As a result I have a single rules file snort.rules.
I inserted the include statement in the snort.conf file:

include $RULE_PATH/snort.rules

and disabled all other include lines.

This is the error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is
deprecated; use detection_filter instead.


ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
!$HOME_NET.
Fatal Error, Quitting..
+++++++++++++++++++++++++++++++++++++++++++++++++++

I understood I have to configure the HOME_NET variable (I have almost
all the variables at the "any" value).
But, and this is the main problem, no matter what I write to configure
the variable I always get an error.

ipvar H0ME_NET 212.239.x.x/25           w/o brackets
ipvar H0ME_NET [212.239.x.x/25] w/ brackets
ipvar H0ME_NET [172.16.40.111] w/ single internal address

>>>>  Have you pasted those lines from your snort.conf ?
>>>>
>>>> If so, is it H <capital O> ME_NET or H <zero> ME_NET ?
>>>>
>>>> HOME_NET compared to H0ME_NET ?

using 'ipvar' or simply 'var' I get these errors:

[root@s-dr-snort ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /home/snort/log/eth0
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
$HOME_NET.
Fatal Error, Quitting..

(line #55 is the first one that tries to use the variable: ipvar
DNS_SERVERS $HOME_NET)

I read a number of posts everywhere but I didn't find a solution.
Can someone help me?

Thanks in advance.

Stefano.


----------------------------------------
Stefano Chiesa
Wolters Kluwer Italia
Strada 1, Palazzo F6
20090 Milanofiori Assago (Mi) - Italia
Phone +39 0282476279 (20279 Voip)
Fax +39 0282476815








--
Dave Venman, 
Security Engineer Manager, Sourcefire EMEA
Email:   dave dot  venman at  sourcefire dot .com

Craft, Robert

Aug 16, 2012, 2:35:59 PM
Here's the entry from my snort.conf:

# Setup the network addresses you are protecting
ipvar HOME_NET [172.30.0.0/16,172.26.0.0/16,192.168.0.0/16]

And it looks like you have a 0 (zero) in the " ipvar H0ME_NET", but that may be in just your message.

I lost count of how many times I've had to redo the .conf files before things were running the way I wanted them to.

-----Original Message-----
From: Chiesa Stefano [mailto:Stefano...@wki.it]
Sent: Thursday, August 16, 2012 11:32 AM
To: snort...@lists.sourceforge.net

John Gay

Aug 16, 2012, 12:00:38 PM
Try using an "O" in HOME_NET instead of a "0"
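
Added example, not part of the original thread and not Snort's own code: a small linter that reads a snort.conf top-down, reports every `$NAME` used before any `var`/`ipvar`/`portvar` line defines it, and suggests a defined name that differs only by look-alike characters (the `H0ME_NET` versus `HOME_NET` case above). The function names, the look-alike table and the sample file are assumptions made for illustration.

```python
import re

# Snort 2.x definitions: var|ipvar|portvar NAME VALUE; references: $NAME or $(NAME)
DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s*(.*)$")
REF_RE = re.compile(r"\$\(?([A-Za-z_][A-Za-z0-9_]*)")
# Look-alike characters folded together when searching for a near miss
LOOKALIKE = str.maketrans({"0": "O", "1": "I", "5": "S"})

def skeleton(name):
    """Fold case and look-alikes so H0ME_NET and HOME_NET compare equal."""
    return name.upper().translate(LOOKALIKE)

def lint_snort_conf(text):
    """Return (line_no, undefined_name, near_miss_or_None) tuples in file order.

    Snort reads the file top-down, so a name is usable only after its definition.
    """
    names = set()      # names exactly as defined so far
    by_skel = {}       # skeleton -> first defined name with that skeleton
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DEF_RE.match(line)
        body = m.group(2) if m else line   # on a definition, only the value has refs
        for ref in REF_RE.findall(body):
            if ref not in names:
                findings.append((line_no, ref, by_skel.get(skeleton(ref))))
        if m:
            names.add(m.group(1))
            by_skel.setdefault(skeleton(m.group(1)), m.group(1))
    return findings

# Constructed sample: the H0ME_NET, DNS_SERVERS and include lines are quoted in
# the thread; the RULE_PATH value and the line order are assumptions.
SAMPLE_CONF = """\
# Setup the network addresses you are protecting
ipvar H0ME_NET [172.16.40.111]
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/snort.rules
"""

if __name__ == "__main__":
    for line_no, name, hint in lint_snort_conf(SAMPLE_CONF):
        hint = f" (defined name that looks similar: {hint})" if hint else ""
        print(f"line {line_no}: ${name} is not defined{hint}")
```

Running it against the real file before `snort -T` points at the definition with the typo rather than at the first line that uses the variable.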