[Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?

Phil Wood cpw at ...440...
Wed Jun 27 10:53:12 EDT 2001


On Wed, Jun 27, 2001 at 05:05:43PM +1000, Cameron Just wrote:
> Yeah just tried it without quotes and again it's a little better.
> Here is the current setup
> 
> var HOME_NET 192.168.1.1/32
> var EXTERNAL_NET any
> var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]

DNS_SERVERS 61.9.208.13 61.9.208.16 24.192.1.30

Will work better for the portscan preprocessor.

> 
> giving the following /var/log/messages/
> 
> Jun 27 17:03:30 phoenix snort: Initializing daemon mode
> Jun 27 17:03:30 phoenix kernel: eth1: Setting promiscuous mode.
> Jun 27 17:03:30 phoenix kernel: device eth1 entered promiscuous mode
> Jun 27 17:03:31 phoenix snortd: snort startup succeeded
> Jun 27 17:03:31 phoenix kernel: device eth1 left promiscuous mode
> 
> Then snort just dies
> 
> Still not sure of the problem??????
> I have also changed
> var HOME_NET 192.168.1.1/32
> to be my IP given to me by my ISP
> Still no luck
> 
> At 04:55 PM 27/06/01, you wrote:
> >None of my configs have quotes.  I am using snort from CVS, so I am not sure
> >what older versions need.
> >
> >Have you tried it without quotes?
> >
> >var HOME_NET 192.168.1.1/32
> >
> >Jason Lewis
> >http://www.packetnexus.com
> >It's not secure "Because they told me it was secure".
> >The people at the other end of the link know less
> >about security than you do. And that's scary.
> >
> >
> >
> >-----Original Message-----
> >From: Cameron Just [mailto:phoenix at ...2398...]
> >Sent: Wednesday, June 27, 2001 2:46 AM
> >To: jlewis at ...1831...
> >Cc: Snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late,
> >WTF?
> >
> >
> >Hi,
> >
> >This slightly fixed the problem but snort will still not start?
> >Here are my error messages
> >
> >Jun 27 16:44:20 phoenix snort: Initializing daemon mode
> >Jun 27 16:44:20 phoenix kernel: eth1: Setting promiscuous mode.
> >Jun 27 16:44:20 phoenix kernel: device eth1 entered promiscuous mode
> >Jun 27 16:44:20 phoenix snort: ERROR /etc/snort/snort.conf (7) => Rule
> >netmask (32") didn't x-late, WTF?
> >Jun 27 16:44:20 phoenix kernel: device eth1 left promiscuous mode
> >Jun 27 16:44:20 phoenix snortd: snort startup succeeded
> >
> >Here are the first few lines of my snort.conf file
> >
> >var HOME_NET "192.168.1.1/32"
> >var EXTERNAL_NET any
> >var DNS_SERVERS
> >[192.168.1.1/32,61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
> >
> >Am I right in assuming the HOME_NET variable is the IP of the machine with
> >snort running?
> >Because that is the IP address of the machine from inside the firewall.
> >I can't understand what is going wrong.
> >
> >
> >At 08:59 AM 27/06/01, you wrote:
> >>Quotes....
> >>
> >>var HOME_NET "192.168.1.1"/32
> >>
> >>Change that to
> >>
> >>var HOME_NET "192.168.1.1/32"
> >>
> >>Jason Lewis
> >>http://www.packetnexus.com
> >>It's not secure "Because they told me it was secure".
> >>The people at the other end of the link know less
> >>about security than you do. And that's scary.
> >>
> >>
> >>
> >>-----Original Message-----
> >>From: snort-users-admin at lists.sourceforge.net
> >>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Cameron
> >>Just
> >>Sent: Tuesday, June 26, 2001 6:28 PM
> >>To: Snort-users at lists.sourceforge.net
> >>Subject: [Snort-users] Rule IP addr (!192.168.1.1) didn't x-late, WTF?
> >>
> >>
> >>Hi,
> >>
> >>Anyone know how to fix this problem on a Redhat 6.2 Machine with the latest
> >>Snort installed.
> >>
> >>Here is the /var/log/messages info
> >>
> >>Jun 26 13:01:51 him snort: Initializing daemon mode
> >>Jun 26 13:01:51 him kernel: eth0: Setting promiscuous mode.
> >>Jun 26 13:01:51 him kernel: device eth0 entered promiscuous mode
> >>Jun 26 13:01:51 him snort: ERROR /etc/snort/base.conf (8) => Rule IP addr
> >>(!192.168.1.1) didn't x-late, WTF?
> >>Jun 26 13:01:51 him kernel: device eth0 left promiscuous mode
> >>Jun 26 13:01:51 him snort: snort startup succeeded.
> >>
> >>
> >>This is the line it is dying on in my snort.conf
> >>
> >>var HOME_NET "192.168.1.1"/32
> >>
> >>I can't find anything in the FAQs and found this problem on the Mailing
> >>lists but there was never any answer......
> >>
> >>
> >>
> >>
> >>
> >>_______________________________________________
> >>Snort-users mailing list
> >>Snort-users at lists.sourceforge.net
> >>Go to this URL to change user options or unsubscribe:
> >>http://lists.sourceforge.net/lists/listinfo/snort-users
> >>Snort-users list archive:
> >>http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >****************************************************************
> >Cameron Just (C.Just at ...2395...)
> >
> >Phoenix Digital Development
> >**************************************************************** 
> 
> 
> ****************************************************************
> Cameron Just (C.Just at ...2395...)
> 
> Phoenix Digital Development
> ****************************************************************
> 
> 

-- 
Phil Wood, cpw at ...440...
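
Added example, not part of the original thread and not Snort's own code: a pre-flight check for the "var" lines discussed above, run before starting the daemon. It flags quote characters in address values (both quoted forms in the thread failed with "didn't x-late", the unquoted form got past that error) and confirms every list element parses as an address or CIDR block. The function names and the rule that only *_NET and *_SERVERS variables hold addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the three "var" lines quoted in the thread.
SAMPLE_CONF = '''\
var HOME_NET "192.168.1.1"/32
var EXTERNAL_NET any
var DNS_SERVERS [61.9.208.13/32,61.9.208.16/32,24.192.1.30/32]
'''

VAR_RE = re.compile(r'^\s*var\s+(\S+)\s+(.*?)\s*$')
# Assumption: only variables named like the thread's (*_NET, *_SERVERS) hold addresses.
ADDRESS_VAR_SUFFIXES = ("_NET", "_SERVERS")


def check_address(token):
    """Return a problem description for one address token, or None if it is clean."""
    if token == "any":
        return None
    if '"' in token or "'" in token:
        return "quote character in address"
    bare = token[1:] if token.startswith("!") else token  # allow negation
    try:
        ipaddress.ip_network(bare, strict=False)
    except ValueError:
        return "not an IP address or CIDR block"
    return None


def lint_snort_vars(text):
    """Return (line_no, var_name, token, problem) for each suspect address value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = VAR_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not match:
            continue
        name, value = match.groups()
        if not name.endswith(ADDRESS_VAR_SUFFIXES) or value.startswith("$"):
            continue
        for token in value.strip("[]").split(","):
            problem = check_address(token.strip())
            if problem:
                findings.append((line_no, name, token.strip(), problem))
    return findings


if __name__ == "__main__":
    for finding in lint_snort_vars(SAMPLE_CONF):
        print("line %d: %s = %s: %s" % finding)
```

The syslog excerpts in the thread show "snort startup succeeded" logged right next to the ERROR line, so a check like this (or grepping the log for "snort: ERROR") is a more reliable signal than the init script's status message.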




