Developers help please! WAS: Re: [Snort-users] Couldn't resolve hostname HOME_NET

Jason Lewis jlewis at ...1831...
Tue Apr 24 08:17:15 EDT 2001


How about posting the snort.conf you are using to the list?  I imagine it is
a syntax error.

Jason Lewis
http://www.rivalpath.com
"All you can do is manage the risks. There is no security."


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of dotslash
Sent: Tuesday, April 24, 2001 8:03 AM
To: Snort
Subject: Developers help please! WAS: Re: [Snort-users] Couldn't resolve
hostname HOME_NET


Sorry but I'm getting really frustrated.  I've removed the firewall, done
all those things I've mentioned earlier in the original thread, and I still
can't figure out why on earth snort would give "couldn't resolve hostname
HOME_NET" !

It is defined as well as the other needed variables plus I've remarked all
those unneeded vars.

Here's my system:

FreeBSD 4-2.RELEASE, 32Mb ram, 1Gb hd, P3 133Mhz.

I've used the snort.conf that came with the tarball, created my own, and
still I get the same message!

Appreciate your help!




> > Hrm...  Ok, not to sound silly--But did you customize the rules any?  I had a
> > rather silly error in mine where I was using "HOME_NET" instead of
>
> nope i didn't touch the rules files.  here's the supposed to be offending
> line:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: A+; reference:arachnids,215; classtype:attempted-user;)
>
>
>
> > "$HOME_NET".  From the output you showed it seems like line 4 of the
> > exploit.rules is where the trouble is.  If you comment out that line, does the
> > error still occur?
> >
>
> i thought of that and i've actually started remarking the offending line/s
> one by one but what happens is the offending line would just go to the next,
> unremarked line!  i also remarked exploit.rules and still got the same
> message for the next rule in line (which is scan.rules).
>
> > > well, i'll finish coffee first then d/l snort again.  hell maybe i'll use
> > > 1.8 then...l8rs
> >
> > I would suggest it!  Granted 1.8 is still beta, but with all the nifty stuff
> > that Marty and Company (You guys Rock!) have tossed in, it's damn spiffy.
> > Vlans, uricontent, rpc decoding, command line params not 'needed', it makes
> > coffee....  ;-)
> >
>
> well, i got 1.8 and the ruleset that goes with it.  same error. :-(
>

