[Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Cameron Just phoenix at ...2398...
Wed Jun 27 03:05:43 EDT 2001


Yeah just tried it without quotes and again it's a little better.
Here is the current setup

var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

giving the following /var/log/messages/

Jun 27 17:03:30 phoenix snort: Initializing daemon mode
Jun 27 17:03:30 phoenix kernel: eth1: Setting promiscuous mode.
Jun 27 17:03:30 phoenix kernel: device eth1 entered promiscuous mode
Jun 27 17:03:31 phoenix snortd: snort startup succeeded
Jun 27 17:03:31 phoenix kernel: device eth1 left promiscuous mode

Then snort just dies

Still not sure of the problem??????
I have also changed
var HOME_NET 192.168.1.1/32
to be my IP given to me by my ISP
Still no luck

At 04:55 PM 27/06/01, you wrote:
>None of my configs have quotes.  I am using snort from CVS, so I am not sure
>what older versions need.
>
>Have you tried it without quotes?
>
>var HOME_NET 192.168.1.1/32
>
>Jason Lewis
>http://www.packetnexus.com
>It's not secure "Because they told me it was secure".
>The people at the other end of the link know less
>about security than you do. And that's scary.
>
>
>
>-----Original Message-----
>From: Cameron Just [mailto:phoenix at ...2398...]
>Sent: Wednesday, June 27, 2001 2:46 AM
>To: jlewis at ...1831...
>Cc: Snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late,
>WTF?
>
>
>Hi,
>
>This slightly fixed the problem but snort will still not start?
>here is my error messages
>
>Jun 27 16:44:20 phoenix snort: Initializing daemon mode
>Jun 27 16:44:20 phoenix kernel: eth1: Setting promiscuous mode.
>Jun 27 16:44:20 phoenix kernel: device eth1 entered promiscuous mode
>Jun 27 16:44:20 phoenix snort: ERROR /etc/snort/snort.conf (7) => Rule
>netmask (32") didn't x-late, WTF?
>Jun 27 16:44:20 phoenix kernel: device eth1 left promiscuous mode
>Jun 27 16:44:20 phoenix snortd: snort startup succeeded
>
>Here are the first few lines of my snort.conf file
>
>var HOME_NET "192.168.1.1/32"
>var EXTERNAL_NET any
>var DNS_SERVERS
>[192.168.1.1/32,61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
>
>Am I right in assuming the HOME_NET variable is the IP of the machine with
>snort running?
>Becuase That is the IP address of the machine from inside the firewall.
>I can't understand what is going wrong.
>
>
>At 08:59 AM 27/06/01, you wrote:
>>Quotes....
>>
>>var HOME_NET "192.168.1.1"/32
>>
>>Change that to
>>
>>var HOME_NET "192.168.1.1/32"
>>
>>Jason Lewis
>>http://www.packetnexus.com
>>It's not secure "Because they told me it was secure".
>>The people at the other end of the link know less
>>about security than you do. And that's scary.
>>
>>
>>
>>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Cameron
>>Just
>>Sent: Tuesday, June 26, 2001 6:28 PM
>>To: Snort-users at lists.sourceforge.net
>>Subject: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?
>>
>>
>>Hi,
>>
>>Anyone know how to fix this problem on a Redhat 6.2 Machine with the latest
>>Snort installed.
>>
>>Here is the /var/log/messages info
>>
>>Jun 26 13:01:51 him snort: Initializing daemon mode
>>Jun 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
>>Jun 26 13:01:51 him kernel: device eth0 entered promiscuous mode
>>Jun 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr
>>(!192.168.1.1) didn't x-late, WTF?
>>Jun 26 13:01:51 him kernel: device eth0 left promiscuous mode
>>Jun 26 13:01:51 him snort: snort startup succeeded.
>>
>>
>>This is the line it is dying on in my snort.conf
>>
>>var HOME_NET "192.168.1.1"/32
>>
>>I can't find anything in the FAQs and founf this problem on the Mailing
>>lists but there was never any answer......
>>
>>
>>
>>
>>
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>http://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>****************************************************************
>Cameron Just (C.Just at ...2395...)
>
>Phoenix Digital Development
>**************************************************************** 


****************************************************************
Cameron Just (C.Just at ...2395...)

Phoenix Digital Development
****************************************************************





More information about the Snort-users mailing list