[Snort-users] snort.conf and rules

Bunter, Matthew Matthew.Bunter at ...2008...
Tue May 15 10:19:32 EDT 2001


Joshua et al,

Just put [] around the var $HOME_NET IP address and it seems to be working.
Now I'll have to send some traffic. I presume that doing attacks will
generate new files (I have done an nmap and it went to the portscan.log) or
does more need to be edited within snort.conf?

Matt

> -----Original Message-----
> From:	Joshua Wright [SMTP:Joshua.Wright at ...2031...]
> Sent:	15 May 2001 14:04
> To:	'Bunter, Matthew'
> Subject:	RE: [Snort-users] snort.conf and rules
> 
> Typically, this error indicates that a variable is not set properly.  Make
> sure you have defined EXTERNAL and INTERNAL (as well as EXTERNAL_NET, and
> INTERNAL_NET).
> 
> If you want to send me your complete snort.conf, I will check it out for
> you.
> 
> -Joshua Wright
> Team Leader, Networks and Systems
> Johnson & Wales University
> Joshua.Wright at ...2031... 
> 401-598-1555
> 
> -----Original Message-----
> From: Bunter, Matthew [mailto:Matthew.Bunter at ...2008...]
> Sent: Tuesday, May 15, 2001 8:19 AM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] snort.conf and rules
> 
> 
> All,
> 
> Still having problems getting snort started and would appreciate any help.
> 
> 
> using vision.rules (vision.rules.gz from whitehats)
> Snort 1.7
> 
> Got my DNS boxes specified, no SMTP boxes on my segment (used nmap to
> verify), ignoring SQL boxes therefore commented out.
> 
> Preprocessors :
> defrag
> http_decode: 80 8080
> portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
> portscan-ignorehosts: $DNS_SERVERS
> 
> Output 
> alert_syslog: LOG_AUTH LOG_ALERT - forgive my stupidity but does anything
> need to be done to syslog.conf? Do any files need to be touched before
> running snort?
> 
> Rule Set
> include /etc/snort/Rules/vision.rules
> My local.rules is commented out. What sort of include/ignores do people have
> that isn't covered in the DNS, SQL, SMTP areas of snort.conf? Could anyone
> point me to an example local.rules file?
> 
> With all the above I am getting error messages that tell me things are wrong
> with the rules e.g. vision.rules (1) => Invalid CIDR block for IP addr 1024 :
> If I comment this out I then get Port value missing in rule for rule 2, same
> for rule 3. I'm just trying to get Snort working. Please help - going crazy!
> 
> Regards,
> 
> Matt
> 
> **********************************************************************
> This message may contain information which is confidential or privileged.
> If you are not the intended recipient, please advise the sender immediately
> by reply e-mail and delete this message and any attachments
> without retaining a copy.  
> 
> **********************************************************************

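A pre-flight check along the lines of Joshua's advice and Matt's fix, as an added example that is not part of the original thread or of Snort itself: it reports variables that rules or preprocessor lines reference but snort.conf never defines, and address lists that are not enclosed in []. It assumes every `var` holds an address value and that lists must be bracketed; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")   # var NAME VALUE
VAR_REF = re.compile(r"\$(\w+)")                    # $NAME

def parse_vars(conf_text):
    """Return {name: value} for every 'var NAME VALUE' line."""
    matches = (VAR_DEF.match(line) for line in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def value_problem(value, defined):
    """Describe what is wrong with an address value, or return None."""
    if value == "any":
        return None
    if value.startswith("$"):
        return None if value[1:] in defined else f"refers to undefined {value}"
    items = value.strip("[]").split(",")
    if len(items) > 1 and not (value.startswith("[") and value.endswith("]")):
        return "address list is not enclosed in []"   # assumed requirement
    for item in items:
        try:
            ipaddress.ip_network(item.lstrip("!"), strict=False)
        except ValueError:
            return f"not an IP address or CIDR block: {item}"
    return None

def check(conf_text, rules_text):
    """Return sorted problem strings for a config and its rules file."""
    defined = parse_vars(conf_text)
    problems = {f"var {n}: {p}" for n, v in defined.items()
                if (p := value_problem(v, defined))}
    for line in (conf_text + "\n" + rules_text).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or VAR_DEF.match(line):
            continue
        header = line.split("(", 1)[0]   # skip rule options such as msg/content
        problems |= {f"${n} is used but never defined"
                     for n in VAR_REF.findall(header) if n not in defined}
    return sorted(problems)

# Constructed sample input, not taken from the thread's actual files.
SAMPLE_CONF = ("var HOME_NET 10.1.1.0/24,10.1.2.0/24\n"
               "preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log\n")
SAMPLE_RULES = 'alert tcp $EXTERNAL any -> $INTERNAL 1024: (msg:"constructed rule";)\n'

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF, SAMPLE_RULES)))
```

Running the check before starting Snort points at the variable to fix rather than at the rule line where parsing happened to fail.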