[Snort-users] Vision rules EXTERNAL/EXTERNAL_NET

Phil Wood cpw at ...440...
Wed May 16 17:08:04 EDT 2001


On Wed, May 16, 2001 at 03:03:34PM -0500, Andy Bach wrote:
> Hi Folks,
> 
> Just trying the vision.rules for the first time and I had to add:
> var INTERNAL $HOME_NET
> var EXTERNAL $EXTERNAL_NET
> after the original defs to keep all the rules working - is this normal?
> 
> I'm also getting:
> May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR 
> block for IP addr 1024:

  This is the result of $EXTERNAL being eq "" (nothing), so the port 1024
  gets treated as an IP thingamabob.

Take a close look at your configuration file and make sure that you have
defined the various $variables like:

  var INTERNAL [192.168.0.0/24]
  var EXTERNAL !$INTERNAL

There could be other variables defined in your rules such as SMTP or
DNS_SERVERS, etc.

It's an iterative process, until you find all the things that need to
be defined.

> (rule 1):
> alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: 
>   "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; 
>   content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)
> 
> Is that because I'm using the:
> var HOME_NET $eth0_ADDRESS
> 
> format?  The snort rules all worked fine - is there a standard story for 
> using one set over the other?
> 
> Thanks.
> 
> a
> 
> Andy Bach, Sys. Mgr
> Internet: andy at ...2043...    VOICE: (608) 264-5178 ex 5738, FAX 264-510
> 
>    UNIX *is* user friendly. It is just a bit selective about her friends.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list