[Snort-users] Brackets around 1st varible in snort.conf

Randy leganza at ...3311...
Sat Sep 1 23:55:02 EDT 2001

Just upgraded to 1.8.1 RELEASE from 1.7, on RedHat 7.1 (libpcap w/includes
installed via src.rpm --recompile).

As long I have just one CIDR address listed for the value of "var HOME_NET" all
is well - snort runs fine.  

But I have multiple sub-nets to cover. As soon as I list more than one CIDR
address in the 1st variable, in snort.conf, it fails, writing this to

"FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
([nnn.nnn.nnn.0) didn't x-late, WTF?"

I'm using this syntax "var HOME_NET [nnn.nnn.nnn.0/24,nnn.nnn.nnn.0/24]

snort.conf has the absolute path listed - "include /etc/snort/exploit.rules"

In fact, even if I put brackets around just 1 CIDR address, it fails with the
same complaint about line 6 in /etc/snort/exploit.rules     NO BRACKETS - works

Line 6 in exploit.rules is straight from the rules tarball

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client
overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|";
flags: A+; reference:bugtraq,822; reference:arachnids,215;
classtype:attempted-user; sid:283; rev:2;)

I've played with this for hours to no avail.  Tried other variable names and
substitutions, no joy.

Multi CIDR sub-nets in HOME_NET worked fine in 1.7  Multi CIDR sub-nets work in
all other variables in 1.8.1, except the 1st listed in snort.conf

Only if I use a single non-bracketed value for the 1st variable, will snort run.

Have I missed something?


More information about the Snort-users mailing list