Resolved!!! Re: Developers help please! WAS: Re: [Snort-users] Couldn't resolve hostname HOME_NET

dotslash dotslash at ...1760...
Tue Apr 24 09:03:45 EDT 2001


i'm gonna kick myself.

yes you are right. after sending the cry for help i looked again and what do
you know. i have this:

var EXTERNAL HOME_NET

and that line was the cause of the problem.  not to easy to spot when there
are so many remarks in snort.conf so how i found it was to start removing
the remarks/comments and only then did i realize my mistake.

oh well. thanks for your reply and, again, sorry for the email developers.

P.S. i'm using snort-1.8-beta and i like the changes made.



----- Original Message -----
From: "Jason Lewis" <jlewis at ...1831...>
To: "'dotslash'" <dotslash at ...1760...>; "'Snort'"
<snort-users at lists.sourceforge.net>
Sent: Tuesday, April 24, 2001 4:17 PM
Subject: RE: Developers help please! WAS: Re: [Snort-users] Couldn't resolve
hostname HOME_NET


> How about posting the snort.conf you are using to the list?  I imagine it
is
> a syntax error.
>
> Jason Lewis
> http://www.rivalpath.com
> "All you can do is manage the risks. There is no security."
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of dotslash
> Sent: Tuesday, April 24, 2001 8:03 AM
> To: Snort
> Subject: Developers help please! WAS: Re: [Snort-users] Couldn't resolve
> hostname HOME_NET
>
>
> Sorry but I'm getting really frustrated.  I've removed the firewall, done
> all those things I've mentioned earlier in the original thread, and I
still
> can't figure out why on earth snort would give "couldn't resolve hostname
> HOME_NET" !
>
> It is defined as well as the other needed variables plus I've remarked all
> those unneeded vars.
>
> Here's my system:
>
> FreeBSD 4-2.RELEASE, 32Mb ram, 1Gb hd, P3 133Mhz.
>
> I've used the snort.conf that came with the tarball, created my own, and
> still I get the same message!
>
> Appreciate your help!
>
>
>
>
> > > Hrm...  Ok, not to sound silly--But did you customize the rules any?
I
> > had a
> > > rather silly error in mine where I was using "HOME_NET" instead of
> >
> > nope i didn't touch the rules files.  here's the supposed to be
offending
> > line:
> >
> > alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7
> > client ov
> > erflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0
50|";
> > flags:
> >  A+; reference:arachnids,215; classtype:attempted-user;)
> >
> >
> >
> > > "$HOME_NET".  From the output you showed it seems like line 4 of the
> > > exploit.rules is where the trouble is.  If you comment out that line,
> does
> > the
> > > error still occur?
> > >
> >
> > i thought of that and i've actually started remarking the offending
line/s
> > one by one but what happens is the offending line would just go to the
> next,
> > unremarked line!  i also remarked exploit.rules and still got the same
> > message for the next rule in line (which is scan.rules).
> >
> > > > well, i'll finish coffee first then d/l snort again.  hell maybe
i'll
> > use
> > > > 1.8 then...l8rs
> > >
> > > I would suggest it!  Granted 1.8 is still beta, but with all the nifty
> > stuff
> > > that Marty and Company (You guys Rock!) have tossed in, it's damn
> spiffy.
> > > Vlans, uricontent, rpc decoding, command line params not 'needed', it
> > makes
> > > coffee....  ;-)
> > >
> >
> > well, i got 1.8 and the ruleset that goes with it.  same error. :-(
> >
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list