[Snort-devel] snort-1.8-RELEASE: eth0_ADDRESS substitution

Martin Roesch roesch at ...402...
Mon Jul 30 15:11:51 EDT 2001


Try 'var HOME_NET $eth0_address', that should work.  Additionally,
please update to http://www.snort.org/files/snort-1.8.1-beta5.tar.gz,
that's a much better version than 1.8-RELEASE.

   -Marty

Sven Carstens wrote:
> 
> Hi all,
> 
> freshly loaded and installed snort-1.8-RELEASE with database support.
> Used standard install method with
> HOME_NET = eth0_ADDRESS
> and everything went really weird.
> - logging only some alerts to a file (alert_full)
> - logging nothing to portscan.log (spp_portscan)
> - only spp_stream4 logging to database
> 
> While heavily messing around I got something like that in /var/log/messages:
> snort: FATAL ERROR: ERROR /etc/snort/snort-lib (222) => Rule netmask (64.77.13.8,eth0:0_ADDRESS) didn't x-late, WTF?
> Now I know that the substitution eth0:0_ADDRESS won't work but the real eye-opener
> is that my IP-Address is nowhere near to 64.77.13.8.
> 
> Setting the IP-Addresses by hand into the config-file and everything works perfectly.
> 
> The system:
> SuSE 7.1
> libpcapn-0.4a6-285 (original SuSE package)
> linux-2.4.2
> snort-1.8-RELEASE
> 
> CU Sven

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org



