[Snort-users] "didn't x-late, WTF?"

Gene R. Gomez ggomez at ...677...
Thu Oct 26 16:11:00 EDT 2000


Hey folks,
Here's an interesting one:
 
Oct 26 13:01:51 him snort: Initializing daemon mode
Oct 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
Oct 26 13:01:51 him kernel: device eth0 entered promiscuous mode
Oct 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr
(!192.168.0.0) didn't x-late, WTF?
Oct 26 13:01:51 him kernel: device eth0 left promiscuous mode
Oct 26 13:01:51 him snort: snort startup succeeded.
 
But, of course, snort hasn't really started.  :)
Looking at /etc/base.conf:
 
var INTERNAL 192.168.0.0/16
var EXTERNAL !192.168.0.0/16
var HOME_NET 192.168.0.0/16
var DNSSERVERS a.b.c.d/32 w.x.y.z/32
 
preprocessor http_decode: 80 443 8080
preprocessor minifrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNSSERVERS
 
include /etc/snort/vision.rules
include /etc/snort/10102k.rules
include /etc/snort/home.rules
 
So, the ERROR above is in the "preprocessor portscan" directive.  Changing
line 2 to "var EXTERNAL 192.168.0.0/16" allows the system to pass that
error, but after that I get a DIFFERENT error:
 
Oct 26 13:00:46 him snort: ERROR /etc/snort/10102k.rules (40) => Invalid
CIDR block for IP addr yournet/subnet
 
So, I can work through the second error, but I'm COMPLETELY lost on what to
do about the first one.  Anyone know what I can do about this?  :)
 
-Gene
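
A pre-flight check for the two failures shown in the message above, as an added example that is not part of the original post or of Snort: it expands `var` definitions, flags a negated network handed to `preprocessor portscan` (assuming, as the poster's experiment suggests, that this directive does not accept `!`), and flags rule addresses that are not valid IP/CIDR values, such as the `yournet/subnet` placeholder. The function names, the DNS server addresses and the inline rule are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the base.conf from the post, with documentation
# addresses in place of the redacted DNS servers and one constructed rule.
SAMPLE_CONF = """\
var INTERNAL 192.168.0.0/16
var EXTERNAL !192.168.0.0/16
var HOME_NET 192.168.0.0/16
var DNSSERVERS 192.0.2.53/32 192.0.2.54/32

preprocessor http_decode: 80 443 8080
preprocessor minifrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNSSERVERS

alert tcp $EXTERNAL any -> yournet/subnet 80 (msg:"constructed rule";)
"""

def bad_addr(token):
    """Return a reason if token is not `any` or an IP/CIDR, else None."""
    try:
        if token != "any":
            ipaddress.ip_network(token.lstrip("!"), strict=False)
    except ValueError:
        return "not a valid IP/CIDR"
    return None

def check_conf(text):
    """Expand `var` definitions; return (line_no, token, reason) findings."""
    variables, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\$(\w+)", lambda m: variables.get(m[1], m[0]), raw)
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "var" and len(words) >= 3:
            variables[words[1]] = " ".join(words[2:])
        elif words[:2] == ["preprocessor", "portscan:"] and len(words) > 2:
            # Assumption drawn from the post: this directive rejects "!".
            reason = ("negated network in portscan directive"
                      if words[2].startswith("!") else bad_addr(words[2]))
            if reason:
                findings.append((no, words[2], reason))
        elif words[0] in ("alert", "log", "pass") and len(words) >= 7:
            for tok in (words[2], words[5]):  # source and destination address
                if bad_addr(tok):
                    findings.append((no, tok, bad_addr(tok)))
    return findings
```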