[Snort-users] Snort Problems

John Berkers berjo at ...827...
Fri Apr 13 05:04:16 EDT 2001


Firstly, a Happy Easter to everyone!

I'm running snort compiled from the April 7 snort-daily tarball on Mandrake
7.2 and I'm having a couple of problems.

1.	Whenever I try to use the var HOME_NET $ppp0_ADDRESS (or in the case of
the vision.conf, var INTERNAL $ppp0_ADDRESS) statement, Snort ruletest gives
me the following message:

[root at ...1818... snort]# /usr/snort/bin/snort -c /etc/snort/vision.conf -T

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

Initializing rule chains...
[!] ERROR /etc/snort/vision.conf (20): Bad value in variable definition!
        Make sure you don't have a "$" in the var name
Fatal Error, Quitting..

2.	I've set HOME_NET to be my ISP's CLASS B because of the above problem,
and because I have to re-connect (and restart snort) every 4 hours. EXTERNAL
is set to any.  The only alerts snort seems to pick up are when my DNS server
forwards requests to my ISP's DNS when it can't resolve locally.  I'm using
the rules shipped in the Snort Daily Tarball that I compiled Snort from.  I
get alerts logged to the logfile I want snort to use, packets are also
logged, but it only picks up the DNS stuff.

I know from my ipchains firewall that there are some other scans coming in,
since packets are being dropped heading towards ports 111, 515, 53, 31337,
12345, etc.  I would expect that at least some of them would be attempted
vulnerability exploits (especially with worms like l10n, adore, etc).

I start snort with the following command line (from an init.d script):

daemon /usr/snort/bin/snort -u snort -g snort -d -D -i ppp0 -l /var/log/snort -c /etc/snort/snort2.conf

Any assistance would be appreciated.

John Berkers
berjo at ...827...
