[Snort-users] Brackets around 1st variable in snort.conf
leganza at ...3311...
Sat Sep 1 23:55:02 EDT 2001
Just upgraded to 1.8.1 RELEASE from 1.7, on RedHat 7.1 (libpcap w/includes
installed via src.rpm --recompile).
As long as I have just one CIDR address listed for the value of "var HOME_NET" all
is well - snort runs fine.
But I have multiple sub-nets to cover. As soon as I list more than one CIDR
address in the 1st variable, in snort.conf, it fails, writing this to
"FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
([nnn.nnn.nnn.0) didn't x-late, WTF?"
I'm using this syntax: "var HOME_NET [nnn.nnn.nnn.0/24,nnn.nnn.nnn.0/24]"
snort.conf has the absolute path listed - "include /etc/snort/exploit.rules"
In fact, even if I put brackets around just 1 CIDR address, it fails with the
same complaint about line 6 in /etc/snort/exploit.rules. NO BRACKETS - works.
Line 6 in exploit.rules is straight from the rules tarball:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client
overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|";
flags: A+; reference:bugtraq,822; reference:arachnids,215;
classtype:attempted-user; sid:283; rev:2;)
I've played with this for hours to no avail. Tried other variable names and
substitutions, no joy.
Multi CIDR sub-nets in HOME_NET worked fine in 1.7. Multi CIDR sub-nets work in
all other variables in 1.8.1, except the 1st listed in snort.conf.
Only if I use a single non-bracketed value for the 1st variable, will snort run.
Have I missed something?