dns server problem in the snort.conf


Mark Bose

Feb 8, 2012, 11:31:59 AM
to security-onion
Hi,
Modified my snort.conf to include our DNS servers and got an error, so
I set them back to the default values.
Any ideas on what the system does not like?
Thanks,
Mark

(values in snort.conf)

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network
ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

Error I am getting when updating pulled pork


Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
They Match
Done!
Prepping rules from snortrules-snapshot-2920.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
An error occurred: ERROR: /etc/snort/snort.conf(51) Missing argument to DNS_SERVERS

An error occurred: Fatal Error, Quitting..

Done

Scott Runnels

Feb 8, 2012, 11:40:11 AM
to securit...@googlegroups.com
If I'm not mistaken you want to provide actual addresses of the DNS servers you use. 

Also, make sure you have a definition for HOME_NET.

v/r
Scott Runnels
--
Scott Runnels


Mark Bose

Feb 8, 2012, 12:16:29 PM
to security-onion
Scott, I understand that and was making changes to the file that caused
an error. When I removed those changes and made the file the way it
was before I got the error message, I now get this error on line 51.
The message did not come up before making the changes and
won't go away since I reverted the entry to the way it was prior to
changing it.

Scott Runnels

Feb 8, 2012, 12:18:19 PM
to securit...@googlegroups.com
Hi Mark,
Can you return the output of:

grep -i HOME_NET /etc/nsm/snort.conf

v/r
Scott Runnels
--
Scott Runnels


Mark Bose

Feb 8, 2012, 12:42:14 PM
to security-onion
Scott, here is the output, thanks

var HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET

Scott Runnels

Feb 8, 2012, 12:53:39 PM
to securit...@googlegroups.com
Hi Mark,

I apologize.  The config file for snort is /etc/nsm/HOSTNAME-NIC/snort.conf I apologize for the confusion.  Can you rerun that grep on the correct snort.conf?

Can you also get me your version? 
grep -i version /etc/nsm/securityonion.conf

v/r
Scott Runnels
--
Scott Runnels


Mark Bose

Feb 8, 2012, 2:54:20 PM
to security-onion
Hi,
Just thought of a big question that has to do with the DNS. Since we
are monitoring the DMZ and not inside our network, what DNS addresses
should be used? The inside or the outside?
thanks,
Mark

Here is the first data:

root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1# grep -i HOME_NET /etc/nsm/QWSANDTRAP2-eth1/snort.conf
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1#

and the second:
root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1# grep -i version /etc/nsm/securityonion.conf
VERSION=20120202
root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1#
On Feb 8, 12:53 pm, Scott Runnels <srunn...@gmail.com> wrote:
> Hi Mark,
>

Doug Burks

Feb 8, 2012, 3:07:01 PM
to securit...@googlegroups.com
Per the error message, PulledPork is referencing /etc/snort/snort.conf
(NOT the snort.conf for QWSANDTRAP2-eth1). So let's take a look at
that file:
grep -i HOME_NET /etc/snort/snort.conf

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Mark Bose

Feb 8, 2012, 3:17:55 PM
to security-onion
Doug,
It appears that different files are looking at different snort.conf
files. Shouldn't they all be using the same one?
With the ISO build we used, there wind up being 6 snort.conf files in
the build; this can and does lead to some confusion.

So which snort.conf do we modify?

Here is the data from that command. Looks like the CIDR is needed in
these:

root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1# grep -i HOME_NET /etc/snort/snort.conf
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar DNS_SERVERS $HOME_NET
[192.168.200.220,192.168.200.221,192.168.200.223,010.141.001.039,010.141.001.040,050.028.008.006]
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
root@QWSANDTRAP2:/var/run/nsm/QWSANDTRAP2-eth1#


Doug Burks

Feb 8, 2012, 3:31:50 PM
to securit...@googlegroups.com
Each sensor interface has to have its own snort.conf so that you can
tune HOME_NET and other settings for the network it's connected to.
So if you have 4 sensor interfaces (eth0 through eth3), that's 4
snort.conf files. For tuning Snort, you should be modifying the
snort.conf for the sensor interface you want to tune.

PulledPork has to have its own snort.conf separate from the sensor
interfaces (in case you're running as a server with no sensor
interfaces), so we use the default snort.conf location of
/etc/snort/snort.conf. Modifying this file will not modify any of
your sensor interfaces. You probably don't need to modify
/etc/snort/snort.conf for any reason.

This appears to be the cause of the error message:
ipvar DNS_SERVERS $HOME_NET
[192.168.200.220,192.168.200.221,192.168.200.223,010.141.001.039,010.141.001.040,050.028.008.006]

I assume this was all on one line and got wrapped by email?

If you change that line back to the default (below), does PulledPork
run without error?
ipvar DNS_SERVERS $HOME_NET

Thanks,
Doug
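
A small checker for the ipvar lines that PulledPork tripped over, added here as an example and not part of this thread or of Snort or Security Onion itself. It flags an ipvar with a missing argument (the error quoted above), one with a second argument stuck on the same line (the wrapped/doubled case Doug points at), and addresses written with leading zeros, and runs over a constructed sample modelled on the lines posted in this thread; it assumes no whitespace inside a [...] list and handles flat lists only.

```python
import ipaddress

# Constructed sample modelled on the thread: the default HOME_NET, a correct
# $HOME_NET reference, a wrapped/doubled line, a missing argument, leading zeros.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET [192.168.200.220,192.168.200.221]
ipvar HTTP_SERVERS
ipvar SQL_SERVERS [192.168.200.5,010.141.001.039]
"""

def _check_entry(entry, known_vars):
    """Validate one element: any, $VAR, or IP/CIDR, optionally negated with '!'."""
    entry = entry.lstrip("!")
    if entry == "any":
        return None
    if entry.startswith("$"):
        return None if entry[1:] in known_vars else f"undefined variable {entry}"
    # Leading-zero octets (010.141.001.039) are ambiguous: some parsers read octal.
    if any(len(o) > 1 and o[0] == "0" for o in entry.split("/", 1)[0].split(".")):
        return f"octet with leading zero in {entry}"
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return f"invalid address or CIDR {entry}"
    return None

def check_conf(text):
    """Return (line_no, message) for each malformed ipvar line in a snort.conf fragment."""
    known, problems = set(), []
    for num, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not parts or parts[0] != "ipvar":
            continue                            # only ipvar lines are checked
        if len(parts) < 3:                      # the "Missing argument" case
            problems.append((num, f"Missing argument to {' '.join(parts[1:]) or 'ipvar'}"))
        elif len(parts) > 3:                    # assumes no whitespace inside [...]
            problems.append((num, f"{parts[1]}: extra argument(s) "
                                  f"{' '.join(parts[3:])} (line wrapped or doubled?)"))
        else:
            name, value = parts[1], parts[2]
            flat = value[1:-1] if value[0] == "[" and value[-1] == "]" else value
            for entry in flat.split(","):       # flat lists only; nested [] not handled
                err = _check_entry(entry, known)
                if err:
                    problems.append((num, f"{name}: {err}"))
                    break
            known.add(name)
    return problems
```

Run `check_conf` over the sensor's snort.conf and over /etc/snort/snort.conf separately, since, as explained above, they are different files.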

Mark Bose

Feb 8, 2012, 3:48:35 PM
to security-onion
Thanks Doug, that fixed that issue.
Did I miss something in the instructions on which snort.conf to configure,
or is it not there?
I'm glad you got me on the right track!
Thanks.

Mark Bose

Feb 8, 2012, 3:50:13 PM
to security-onion
Oh, did anyone have an answer to the question on which DNS servers
should be listed if I'm on the DMZ?
Inside or outside addresses?

Doug Burks

Feb 8, 2012, 3:56:09 PM
to securit...@googlegroups.com
You should list the IP addresses of whatever DNS servers that
particular sensor would be monitoring.
Doug

Doug Burks

Feb 8, 2012, 3:57:01 PM
to securit...@googlegroups.com
It's probably not documented all that well. We'll work on it.

Thanks,
Doug

Mark Bose

Feb 9, 2012, 5:17:37 PM
to security-onion
Thanks Doug, your help is appreciated!