[Snort-users] var HOME_NET under Linux

David Alonso De La Vega Tapage delavegad at ...7768...
Mon Jun 30 06:15:19 EDT 2003


Mmm, in my case I use a stealth eth0 .. it's configured in snort.conf as 
HOME_NET .. why .. simple (well, for me :-D): if you set a specific 
address in snort.conf .. Snort tries to find an IP for eth0 .. but 
eth0 doesn't have an IP.

It's only an idea ..


Thomas Bechtold wrote:

>hmm, I think you don't understand my problem.
>I used in snort.conf the following line:
>var HOME_NET $eth0_ADDRESS
>
>And when I start snort with this conf I get the following error:
>
>server:/etc/snort# snort -c /etc/snort/snort.eth0.conf
>Running in IDS mode
>Log directory = /var/log/snort
>
>Initializing Network Interface ppp0
>
>        --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding raw data on interface ppp0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file /etc/snort/snort.eth1.conf
>
>+++++++++++++++++++++++++++++++++++++++++++++++++++
>Initializing rule chains...
>ERROR: Undefined variable name: (/etc/snort/snort.eth1.conf:47): eth0_ADDRESS
>Fatal Error, Quitting..
>server:/etc/snort#
>
>When I use 'var HOME_NET $ppp0_ADDRESS', it works!
>Only if I use eth0 or eth1 it doesn't work and snort stops with a parse error.
>Interfaces eth0 and eth1 are up and running.
>
>server:/etc/snort# ifconfig
>eth0      Link encap:Ethernet  HWaddr 00:50:FC:9E:46:44
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:14438274 errors:110 dropped:0 overruns:0 frame:0
>          TX packets:15323465 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:53803 txqueuelen:100
>          RX bytes:3438876581 (3.2 GiB)  TX bytes:3431480714 (3.1 GiB)
>          Interrupt:11 Base address:0x4f00
>
>eth1      Link encap:Ethernet  HWaddr 00:04:AC:39:55:44
>          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:14758554 errors:40 dropped:0 overruns:0 frame:40
>          TX packets:13557678 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:72873 txqueuelen:100
>          RX bytes:3073954506 (2.8 GiB)  TX bytes:3256223133 (3.0 GiB)
>          Interrupt:15 Base address:0x7c60 Memory:f3dff000-f3dff038
>
>
>
>Thanks for your help!
>Thomas Bechtold
>
>
>On Saturday 28 June 2003 21:24, Erek Adams wrote:
>  
>
>>On Sat, 28 Jun 2003, Thomas Bechtold wrote:
>>    
>>
>>>Ok, that works.
>>>
>>>Now I set the Variable HOME_NET in snort.conf to any:
>>>var HOME_NET = any
>>>
>>>and when I start snort, I set the parameter i (interface) to eth0:
>>>snort -c /etc/snort/snort.conf -i eth0
>>>      
>>>
>>If you want to reduce your false positives, change your HOME_NET to:
>>
>>	var HOME_NET $eth0_ADDRESS
>>
>>Cheers!
>>
>>-----
>>Erek Adams
>>
>>   "When things get weird, the weird turn pro."   H.S. Thompson
>>
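
An added example, not part of the original thread and not Snort's own code: a pre-flight check for the situation the reply at the top describes, where snort.conf references `$<iface>_ADDRESS` for an interface that has no IP address. The ifconfig text and snort.conf fragment are constructed from lines quoted in the thread, the function names are hypothetical, and the check covers only a missing interface or a missing `inet addr` line.

```python
import re

# Constructed sample input, trimmed from the ifconfig output quoted in the thread.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:50:FC:9E:46:44
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:04:AC:39:55:44
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Constructed snort.conf fragment using the variable forms seen in the thread.
CONF_SAMPLE = """\
# var HOME_NET $ppp0_ADDRESS
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET !$HOME_NET
"""

def interface_addresses(ifconfig_text):
    """Map interface name -> IPv4 address (None when no 'inet addr' line)."""
    addrs, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a stanza
            current = line.split()[0]
            addrs[current] = None
        elif current:
            m = re.search(r"inet addr:(\d+(?:\.\d+){3})", line)
            if m:
                addrs[current] = m.group(1)
    return addrs

def unresolved_address_vars(conf_text, addrs):
    """Return (line_no, iface, reason) for each $<iface>_ADDRESS that cannot resolve."""
    problems = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        body = line.split("#", 1)[0]            # ignore comments
        for iface in re.findall(r"\$(\w+?)_ADDRESS\b", body):
            if iface not in addrs:
                problems.append((no, iface, "interface not present"))
            elif addrs[iface] is None:
                problems.append((no, iface, "interface has no IPv4 address"))
    return problems

if __name__ == "__main__":
    for no, iface, reason in unresolved_address_vars(
            CONF_SAMPLE, interface_addresses(IFCONFIG_SAMPLE)):
        print(f"line {no}: ${iface}_ADDRESS -> {reason}")
```
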
