Suricata HOME_NET is not defined in configuration file ERR:


Abdulvehhab Agin

Oct 6, 2016, 6:12:52 AM
to security-onion
Hi,

I installed the latest SO. The Suricata engine gives an ERROR about the HOME_NET variable.

Suricata runs with the following command:

>>>> suricata --user sguil --group sguil -c /etc/nsm/sensor-eth1/suricata.yaml --pfring=eth1 -F /etc/nsm/sensor-eth1/bpf-ids.conf -l /nsm/sensor_data/sensor-eth1

The error is:

----------------------------
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HOME_NET " is not defined in configuration file
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_INVALID_IP_NETBLOCK(16)] - failed to parse $HOME_NET
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HOME_NET " is not defined in configuration file
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_INVALID_IP_NETBLOCK(16)] - failed to parse $HOME_NET
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HOME_NET " is not defined in configuration file
6/10/2016 -- 09:57:48 - <Error> - [ERRCODE: SC_ERR_INVALID_IP_NETBLOCK(16)] - failed to parse $HOME_NET
-----------------------------

Whereas suricata.yaml has the HOME_NET variable:

---------------------------------------------------------------------
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    #EXTERNAL_NET: "!$HOME_NET"
    EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

--------------


Where is the problem? Any help would be great.


Thx.


Abdulvehhab Agin

Oct 6, 2016, 7:30:17 AM
to security-onion
I noticed that this error is caused by threshold.conf.

When I comment out the rules, no error appears.

But
suppress gen_id 1, sig_id 2009702, track by_dst, ip $HOME_NET
generates an error.

I changed it to
suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.0.0/16
and it also generates an error.

Any idea?

Heine Lysemose

Oct 6, 2016, 7:44:20 AM
to securit...@googlegroups.com
Hi

Try to define the HOME_NET in the threshold.conf file

Regards,
Lysemose



Abdulvehhab Agin

Oct 7, 2016, 2:08:26 AM
to security-onion
I found the problem:

suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.0.0/16(?*)

It has a whitespace character (?*) at the end of the line. I removed it, and the problem is gone.

suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.0.0/16

Thanks for any comments.



On Thursday, 6 October 2016 at 14:44:20 UTC+3, Lysemose wrote:
> Try to define the HOME_NET in the threshold.conf file

Michael J

Feb 6, 2017, 10:07:31 AM
to security-onion
Check your spacing in the configuration file. Suricata is very specific about its spacing. For example, it should be:

vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.2.0/24]"

  port-groups:
    HTTP_PORTS: "[80,443,3128,8080,8000]"
    FILE_DATA_PORTS: "[110,143]"

There MUST be no spaces for the top section (vars:), then two more spaces for the sub-section (address-groups, port-groups). It will fail on the first variable in the set, but no others. For example, I was seeing the same errors saying the HTTP_PORTS variable was not defined -- because somehow in a previous editing of the file the "ports-groups" heading ended up flush with the beginning of the line. I'm willing to bet you a breakfast taco that your "address-groups" header is not two spaces...

And no, don't put it "thresholds.conf" -- that's just silly...
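Both root causes the thread arrives at, a stray trailing character on a threshold.conf line and an address-groups block that is not indented under vars, can be caught before Suricata is restarted. The posted error already contains the clue: Suricata quotes the variable as "HOME_NET " with a space inside the quotes. The following Python linter is an added example, not Security Onion's or Suricata's own code. It assumes Suricata's default two-space YAML indentation, only checks suppress lines in threshold.conf, and runs over constructed suricata.yaml and threshold.conf samples rather than real files.

```python
"""Lint a Suricata threshold.conf against the address-groups in suricata.yaml.

Added example, not Security Onion's or Suricata's own code. It reproduces the
two failure modes from this thread: a trailing whitespace character on a
'suppress ... ip <net>' line, and an 'address-groups:' heading that is not
indented under 'vars:', so HOME_NET is never defined. All inputs below are
constructed samples.
"""
import ipaddress
import re

# Constructed suricata.yaml fragment, indented the way Suricata expects.
YAML_OK = """\
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "any"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
"""

# Constructed fragment with 'address-groups:' flush left (Michael J's case).
YAML_BAD = """\
vars:
address-groups:
    HOME_NET: "[10.0.0.0/8]"
"""

# Constructed threshold.conf; line 2 ends in a space, as in the original post.
THRESHOLD = (
    "suppress gen_id 1, sig_id 2009702, track by_dst, ip $HOME_NET\n"
    "suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.0.0/16 \n"
    "suppress gen_id 1, sig_id 2009703, track by_src, ip $DMZ_NET\n"
    "suppress gen_id 1, sig_id 2009704\n"
)

SUPPRESS_RE = re.compile(
    r"^suppress gen_id (\d+), sig_id (\d+)"
    r"(?:, track by_(src|dst|either), ip (\S+))?$"
)


def address_groups(yaml_text):
    """Return {NAME: value} for entries under vars -> address-groups.

    Assumption: the file uses Suricata's default two-space indentation, so
    this is a strict indentation walk, not a general YAML parser. Entries
    whose heading is not at the expected column are dropped, which is how a
    mis-indented block ends up reported as 'not defined' at runtime.
    """
    groups = {}
    in_vars = in_groups = False
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            in_vars, in_groups = (line == "vars:"), False
        elif indent == 2 and in_vars:
            in_groups = line == "address-groups:"
        elif indent == 4 and in_groups:
            m = re.match(r'([A-Za-z0-9_]+):\s*"?([^"]*)"?$', line)
            if m:
                groups[m.group(1)] = m.group(2)
    return groups


def lint_threshold(conf_text, groups):
    """Return [(line_no, problem), ...]; an empty list means the file is clean."""
    problems = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        stripped = raw.rstrip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw != stripped:
            problems.append((n, "trailing whitespace"))
        if not stripped.startswith("suppress"):
            continue  # threshold/event_filter lines are not checked here
        m = SUPPRESS_RE.match(stripped)
        if not m:
            problems.append((n, "unrecognised suppress syntax"))
            continue
        target = m.group(4)
        if target is None:
            continue  # suppress without a track/ip clause is valid
        if target.startswith("$"):
            if target[1:] not in groups:
                problems.append((n, f"undefined variable {target}"))
        else:
            try:
                ipaddress.ip_network(target.lstrip("!"), strict=False)
            except ValueError:
                problems.append((n, f"invalid netblock {target}"))
    return problems


if __name__ == "__main__":
    for label, yaml_text in (("good", YAML_OK), ("bad", YAML_BAD)):
        groups = address_groups(yaml_text)
        print(label, "address-groups:", sorted(groups))
        for line_no, problem in lint_threshold(THRESHOLD, groups):
            print(f"  threshold.conf:{line_no}: {problem}")
```

To use it on a sensor, read the real suricata.yaml into address_groups() and the real threshold.conf into lint_threshold(). Fix any "trailing whitespace" finding first: as the thread shows, Suricata reports that condition as an undefined variable or an unparseable netblock, not as whitespace, so it is the finding most likely to send you looking in the wrong file.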