[Snort-users] Errors starting Snort...

Lorenzo Rossi condor_rl at ...2470...
Tue Nov 2 01:37:43 EST 2004


James,

Sorry I forgot the config file :)
But the good news is that I have found the errors, and I corrected them:

Exactly at line 357, I modified it as you can see below

DEBIAN ORIGINAL:

preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker
30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows
65535 server-learning-time 14400 server-scanner-limit 4
scanner-sliding-window 20 scanner-sliding-scale-factor 0.50
scanner-fixed-threshold 15 scanner-sliding-threshold 40
scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
$HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg
tcp-penalties on

MODIFIED BY ME:

preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker
30000 server-watchnet [192.168.1.0/24] server-ignore-limit 200
server-rows 65535 server-learning-time 14400 server-scanner-limit 4
scanner-sliding-window 20 scanner-sliding-scale-factor 0.50
scanner-fixed-threshold 15 scanner-sliding-threshold 40
scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
[10.0.0.0/30] dst-ignore-net [10.0.0.0/30] alert-mode once output-mode
msg tcp-penalties on


Could someone explain to me the meaning of "src-ignore-net" and
"dst-ignore-net" parameters....?

Then another problem was present in the snort.ethX.conf 

DEBIAN ORIGINAL:
ME_NET server-ignore-limit 200

MODIFIED BY ME:

# ME_NET server-ignore-limit 200

Honestly I do not understand the meaning of "ME_NET", probably it should be
"$HOME_NET"

Now it seems to me that snort is working....

Lorenzo

* James Riden <j.riden at ...11179...> [021104, 08:49]:
> Lorenzo Rossi <condor_rl at ...2470...> writes:
> 
> > Nov  1 17:04:10 europa snort: /etc/snort/snort.eth0.conf(357) Unable to
> > create an IPSet from [any]
> 
> Could we see that section of the config file please?
> 
> I seem to remember that Debian asks which range of IP addresses to
> listen on - do you remember what you replied? 
> 
> cheers,
>  Jamie
> -- 
> James Riden / j.riden at ...11179... / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/

-- 
LinuxUser: 71680	OpenPGP-> KeyID: 0x25B9E15E
===================================================
Fingerprint:
BF76 8EC9 A14D 2CD4 195F  9E7D 6834 A8AE 25B9 E15E
---------------------------------------------------
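
Added example, not part of the original message or of Snort: a small Python lint for the two problems described in this thread, a flow-portscan IP-set option whose variable resolves to "any" (the value the quoted error message names) and a line such as "ME_NET server-ignore-limit 200" that begins with no directive. The function names, the keyword list and the sample config are assumptions made for illustration; that HOME_NET was set to "any" on the poster's system is inferred from the error message, not stated in the post.

```python
# IP-set options named in the post; KEYWORDS is an assumed, non-exhaustive directive list.
IPSET_OPTS = {"server-watchnet", "src-ignore-net", "dst-ignore-net"}
KEYWORDS = {"var", "config", "preprocessor", "output", "include", "ruletype",
            "alert", "log", "pass", "activate", "dynamic"}
# Constructed sample, modelled on the lines quoted in the post.
SAMPLE = """\
var HOME_NET any
var EXTERNAL_NET $HOME_NET
preprocessor flow-portscan: server-watchnet $EXTERNAL_NET \\
    src-ignore-net [10.0.0.0/30] dst-ignore-net $DMZ_NET alert-mode once
ME_NET server-ignore-limit 200
# ME_NET server-ignore-limit 200
"""

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        else:
            yield start, (buf + raw).strip()
            buf, start = "", None

def resolve(token, variables):
    """Follow $VAR references (bounded depth); None means undefined."""
    for _ in range(10):
        if token is None or not token.startswith("$"):
            return token
        token = variables.get(token[1:])
    return None

def lint(text):
    variables, findings = {}, []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] not in KEYWORDS:
            findings.append((no, f"stray fragment, no directive: {line!r}"))
        elif words[0] == "var" and len(words) >= 3:
            variables[words[1]] = words[2]
        elif line.startswith("preprocessor flow-portscan:"):
            for opt, arg in zip(words, words[1:]):
                value = resolve(arg, variables) if opt in IPSET_OPTS else ""
                if value is None or value.strip("[]").lower() == "any":
                    why = "is undefined" if value is None else "resolves to 'any'"
                    findings.append((no, f"{opt}: {arg} {why}"))
    return findings
```

Calling lint() on the text of a snort.ethX.conf returns (line number, message) pairs; an empty list means neither problem was found.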