[Snort-users] Brackets around 1st variable in snort.conf

John Sage jsage at ...2022...
Sun Sep 2 10:51:02 EDT 2001

Kari Suomela wrote:

> Sunday September 02 2001 15:54, Randy wrote to All:
>  R> "FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
>  R> ([nnn.nnn.nnn.0) didn't x-late, WTF?"
>  R> I'm using this syntax "var HOME_NET
>  R> [nnn.nnn.nnn.0/24,nnn.nnn.nnn.0/24]
> nnn.nnn.nnn.0 is not a valid IP - or range!
>             ^

This, at least, is nonsense.  That's standard CIDR notation.

nnn.nnn.nnn.0 is a network address, which is just what you want to 
specify for HOME_NET...

Take for example:

Address:                11000000.10101000.00000001 .00000000
Netmask:   == 24        11111111.11111111.11111111 .00000000
Network:                11000000.10101000.00000001 .00000000 (Class C)
Broadcast:              11000000.10101000.00000001 .11111111
HostMin:                11000000.10101000.00000001 .00000001
HostMax:                11000000.10101000.00000001 .11111110
Hosts/Net: 254          (Private Internet)

(Thanks to ipcalc -- see: http://jodies.de/ )

Unfortunately, this doesn't answer the original question, because it 
looks like Randy has the syntax correct:

From http://snort.sourcefire.com/docs/writing_rules/ :

"...For example, the address/CIDR combination would 
signify the block of addresses from to Any 
rule that used this designation for, say, the destination address would 
match on any address in that range. The CIDR designations give us a nice 
short-hand way to designate large address spaces with just a few characters.

"2.1.2  Variables

Variables may be defined in Snort. These are simple substitution 
variables set with the var keyword as in Figure 2.2.


   var: <name> <value>

     var MY_NET [,] "

> I've played with this for hours to no avail.  Tried other variable names and
> substitutions, no joy.
> Multi CIDR sub-nets in HOME_NET worked fine in 1.7  Multi CIDR sub-nets work in
> all other variables in 1.8.1, except the 1st listed in snort.conf
> Only if I use a single non-bracketed value for the 1st variable, will snort run.
> Have I missed something?

Krikeys.. not that I can see.

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
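
Added example, not part of the original message and not Snort's own parser: a small Python check that splits a bracketed var list into its CIDR entries and reproduces the ipcalc breakdown quoted above, confirming that a .0/24 entry is a valid network address. 192.168.1.0 is the address the binary in the ipcalc output decodes to; the second subnet, the host-bits entry and all function names are constructed for illustration, and only IPv4 prefixes up to /30 are handled.

```python
import ipaddress
import re

# Accepts "var NAME value" and the "var: NAME value" form quoted from the docs.
VAR_RE = re.compile(r"^\s*var:?\s+(\w+)\s+(\S+)\s*$")

# Constructed sample line in the syntax Randy describes.
SAMPLE = "var HOME_NET [192.168.1.0/24,192.168.2.0/24]"

def parse_var(line):
    """Split a snort.conf-style var line into (name, [entries])."""
    m = VAR_RE.match(line)
    if not m:
        raise ValueError("not a var line: %r" % line)
    name, value = m.groups()
    if value.startswith("[") != value.endswith("]"):
        raise ValueError("unbalanced brackets in %r" % value)
    return name, [e for e in value.strip("[]").split(",") if e]

def bits(addr, prefix):
    """Dotted binary with a space at the network/host boundary, as ipcalc prints it."""
    out = ""
    for i, ch in enumerate(format(int(addr), "032b")):
        if i and i == prefix:
            out += " "
        if i and i % 8 == 0:
            out += "."
        out += ch
    return out

def describe(entry):
    """ipcalc-style facts for one CIDR entry (IPv4, prefix <= /30 assumed)."""
    iface = ipaddress.IPv4Interface(entry)  # tolerates host bits, unlike IPv4Network
    net = iface.network
    return {
        "entry": entry,
        "is_network_address": iface.ip == net.network_address,
        "network": bits(net.network_address, net.prefixlen),
        "broadcast": bits(net.broadcast_address, net.prefixlen),
        "hostmin": str(net[1]),
        "hostmax": str(net[-2]),
        "hosts": net.num_addresses - 2,
    }

if __name__ == "__main__":
    name, entries = parse_var(SAMPLE)
    # Last entry is constructed with host bits set, for contrast.
    for e in entries + ["192.168.1.77/24"]:
        print(name, describe(e))
```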
