Resolved!!! Re: Developers help please! WAS: Re: [Snort-users] Couldn't resolve hostname HOME_NET
dotslash at ...1760...
Tue Apr 24 09:03:45 EDT 2001
i'm gonna kick myself.
yes you are right. after sending the cry for help i looked again and what do
you know. i have this:
var EXTERNAL HOME_NET
and that line was the cause of the problem. not too easy to spot when there
are so many remarks in snort.conf so how i found it was to start removing
the remarks/comments and only then did i realize my mistake.
oh well. thanks for your reply and, again, sorry for the email developers.
P.S. i'm using snort-1.8-beta and i like the changes made.
----- Original Message -----
From: "Jason Lewis" <jlewis at ...1831...>
To: "'dotslash'" <dotslash at ...1760...>; "'Snort'"
<snort-users at lists.sourceforge.net>
Sent: Tuesday, April 24, 2001 4:17 PM
Subject: RE: Developers help please! WAS: Re: [Snort-users] Couldn't resolve
> How about posting the snort.conf you are using to the list? I imagine it
> a syntax error.
> Jason Lewis
> "All you can do is manage the risks. There is no security."
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of dotslash
> Sent: Tuesday, April 24, 2001 8:03 AM
> To: Snort
> Subject: Developers help please! WAS: Re: [Snort-users] Couldn't resolve
> hostname HOME_NET
> Sorry but I'm getting really frustrated. I've removed the firewall, done
> all those things I've mentioned earlier in the original thread, and I
> can't figure out why on earth snort would give "couldn't resolve hostname
> HOME_NET" !
> It is defined as well as the other needed variables plus I've remarked all
> those unneeded vars.
> Here's my system:
> FreeBSD 4-2.RELEASE, 32Mb ram, 1Gb hd, P3 133Mhz.
> I've used the snort.conf that came with the tarball, created my own, and
> still I get the same message!
> Appreciate your help!
> > > Hrm... Ok, not to sound silly--But did you customize the rules any?
> > had a
> > > rather silly error in mine where I was using "HOME_NET" instead of
> > nope i didn't touch the rules files. here's the supposed to be
> > line:
> > alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7
> > client overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0
> > flags:
> > A+; reference:arachnids,215; classtype:attempted-user;)
> > > "$HOME_NET". From the output you showed it seems like line 4 of the
> > > exploit.rules is where the trouble is. If you comment out that line,
> > the
> > > error still occur?
> > >
> > i thought of that and i've actually started remarking the offending
> > one by one but what happens is the offending line would just go to the
> > unremarked line! i also remarked exploit.rules and still got the same
> > message for the next rule in line (which is scan.rules).
> > > > well, i'll finish coffee first then d/l snort again. hell maybe
> > use
> > > > 1.8 then...l8rs
> > >
> > > I would suggest it! Granted 1.8 is still beta, but with all the nifty
> > stuff
> > > that Marty and Company (You guys Rock!) have tossed in, it's damn
> > > Vlans, uricontent, rpc decoding, command line params not 'needed', it
> > makes
> > > coffee.... ;-)
> > >
> > well, i got 1.8 and the ruleset that goes with it. same error. :-(
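
A small check for the mistake identified in this thread, a variable name written without its leading `$`, as an added example that is not part of the original messages or of Snort itself. It assumes the `var NAME VALUE` and `#` remark syntax shown in the thread; the sample configuration and the function name `find_missing_dollar` are constructed for illustration.

```python
import re

# Constructed sample, modelled on the line quoted in the post (not the poster's file).
SAMPLE_CONF = """\
# local network
var HOME_NET 192.168.1.0/24
# everything else
var EXTERNAL_NET any
#var DNS_SERVERS 192.168.1.2/32
var EXTERNAL HOME_NET
var SMTP $HOME_NET
alert tcp EXTERNAL_NET 80 -> $HOME_NET any (msg:"constructed rule";)
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
ACTIONS = {"alert", "log", "pass"}


def find_missing_dollar(conf_text):
    """Return (line_no, token) where a defined variable name appears without '$'."""
    # Drop remarks first so commented-out definitions are ignored.
    lines = [raw.split("#", 1)[0] for raw in conf_text.splitlines()]
    defined = {m.group(1) for line in lines if (m := VAR_RE.match(line))}
    findings = []
    for no, line in enumerate(lines, 1):
        m = VAR_RE.match(line)
        header = line.split("(", 1)[0].split()  # rule header, before the options
        if m:
            candidates = [m.group(2)]  # value assigned to the variable
        elif header and header[0] in ACTIONS and len(header) >= 7:
            candidates = [header[2], header[5]]  # source and destination address
        else:
            continue
        for tok in candidates:
            # A bare word equal to a defined variable name is almost certainly
            # a reference that lost its '$'.
            if tok.lstrip("!") in defined:
                findings.append((no, tok))
    return findings


if __name__ == "__main__":
    for no, tok in find_missing_dollar(SAMPLE_CONF):
        print(f"line {no}: '{tok}' is a variable name used without '$'")
```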