[Snort-users] trouble starting snort

M Shirk shirkdog_linux at ...125...
Mon Sep 13 10:16:09 EDT 2004


I believe this is your problem

var EXTERNAL_NET any

I am not sure this does what you want it to do. If you do not declare an 
external_net, then everything except your HOME_NET ip is external.

I counted the lines and this is line 44 of your snort.conf. Comment this 
line out, and try again.

Shirkdog
http://www.shirkdog.us


>From: Larry Wichman <larrywichman at ...131...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] trouble starting snort
>Date: Mon, 13 Sep 2004 09:26:46 -0700 (PDT)
>
>I am having trouble starting Snort. Can someone tell me what I am doing 
>wrong?
>
>I am trying to start snort with the following command:
>  snort -dev -c /etc/snort/snort.conf -i eth0
>
>here is the output and error:
>
>
>
>Running in IDS mode
>
>Log directory = /var/log/snort
>
>
>
>Initializing Network Interface eth0
>
>OpenPcap() device eth0 network lookup:
>
>         eth0: no IPv4 address assigned
>
>
>
>         --== Initializing Snort ==--
>
>Initializing Output Plugins!
>
>Decoding Ethernet on interface eth0
>
>Initializing Preprocessors!
>
>Initializing Plug-ins!
>
>Parsing Rules file /etc/snort/snort.conf
>
>
>
>+++++++++++++++++++++++++++++++++++++++++++++++++++
>
>Initializing rule chains...
>
>ERROR: /etc/snort/snort.conf(44) => NULL rule type
>
>Fatal Error, Quitting..
>
>
>
>here is part of my snort.conf:
>
>#   http://www.snort.org     Snort 2.1.0 Ruleset
>
>#     Contact: snort-sigs at lists.sourceforge.net
>
>#--------------------------------------------------
>
># $Id: snort.conf,v 1.133.2.3 2004/02/25 16:52:51 jh8 Exp $
>
>#
>
>###################################################
>
># This file contains a sample snort configuration.
>
># You can take the following steps to create your own custom configuration:
>
>#
>
>#  1) Set the network variables for your network
>
>#  2) Configure preprocessors
>
>#  3) Configure output plugins
>
>#  4) Customize your rule set
>
>#
>
>###################################################
>
># Step #1: Set the network variables:
>
>#
>
># You must change the following variables to reflect your local network. 
>The
>
># variable is currently setup for an RFC 1918 address space.
>
>#
>
># You can specify it explicitly as:
>
>#
>
># var HOME_NET 10.1.1.0/24
>
>#
>
># or use global variable $<interfacename>_ADDRESS which will be always
>
># initialized to IP address and netmask of the network interface which you 
>run
>
># snort at.  Under Windows, this must be specified as
>
># $(<interfacename>_ADDRESS), such as:
>
># $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>
>#
>
># var HOME_NET $eth0_ADDRESS
>
>#
>
># You can specify lists of IP addresses for HOME_NET
>
># by separating the IPs with commas like this:
>
>#
>
># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>
>#
>
># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>
>#
>
># or you can specify the variable to be any IP address
>
># like this:
>
>var HOME_NET x.x.x.0/24
>
>
>
># Set up the external network addresses as well.  A good start may be "any"
>
>var EXTERNAL_NET any
>
>
>
>output database: log, mysql, user=root password=xxxxxx dbname=xxxx 
>host=x.x.x.x
>
>
>
># Configure your server lists.  This allows snort to only look for attacks 
>to
>
># systems that have a service up.  Why look for HTTP attacks if you are not
>
># running a web server?  This allows quick filtering based on IP addresses
>
># These configurations MUST follow the same configuration scheme as defined
>
># above for $HOME_NET.
>
>
>
># List of DNS servers on your network
>
># var DNS_SERVERS $HOME_NET
>
>
>
># List of SMTP servers on your network
>
>var SMTP_SERVERS $HOME_NET
>
>  # Configure your service ports.  This allows snort to look for attacks 
>destined
>
># to a specific application only on the ports that application runs on.  
>For
>
># example, if you run a web server on port 8081, set your HTTP_PORTS 
>variable
>
># like this:
>
>
>Cheers,
>Lawrence A. Wichman2719 W ThomasApt 2
>Chicago
>Il, 60622
>773.807.7606

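An added example (not part of the original thread, and not Snort project code): a small Python helper that takes the `file(line)` location from a parser error like the one quoted above and returns that line of the config with numbered context, so the line can be read from the file on disk instead of counted by hand. The sample config and its line number are constructed, and `parse_snort_error` and `show_context` are hypothetical names.

```python
import re

# Parser errors in the quoted output have the form:
#   ERROR: /etc/snort/snort.conf(44) => NULL rule type
ERROR_RE = re.compile(r"ERROR:\s+(?P<path>.+?)\((?P<line>\d+)\)\s+=>\s+(?P<msg>.+)")


def parse_snort_error(output):
    """Return (path, line_no, message) for the first parser error, else None."""
    for raw in output.splitlines():
        m = ERROR_RE.search(raw)
        if m:
            return m.group("path"), int(m.group("line")), m.group("msg").strip()
    return None


def show_context(config_text, line_no, radius=2):
    """Return numbered lines around line_no, the reported one marked '>>'.

    Lines are numbered the way a text editor numbers them (blank and comment
    lines included) and shown with repr() so tabs, trailing spaces and stray
    characters are visible.
    """
    lines = config_text.splitlines()
    if not 1 <= line_no <= len(lines):
        raise ValueError(f"line {line_no} is outside the file (1..{len(lines)})")
    first = max(1, line_no - radius)
    last = min(len(lines), line_no + radius)
    return [
        f"{'>>' if n == line_no else '  '} {n:4d}: {lines[n - 1]!r}"
        for n in range(first, last + 1)
    ]


# Constructed sample input (not the poster's file; line number chosen to fit it).
SAMPLE_CONF = (
    "# constructed sample\n"
    "var HOME_NET 10.1.1.0/24\n"
    "\n"
    "var EXTERNAL_NET any\n"
    "var SMTP_SERVERS $HOME_NET \n"
)
SAMPLE_OUTPUT = (
    "Initializing rule chains...\n"
    "ERROR: /etc/snort/snort.conf(4) => NULL rule type\n"
    "Fatal Error, Quitting..\n"
)

if __name__ == "__main__":
    path, line_no, msg = parse_snort_error(SAMPLE_OUTPUT)
    print(f"{path}, line {line_no}: {msg}")
    print("\n".join(show_context(SAMPLE_CONF, line_no)))
```

In real use, pass Snort's captured output to `parse_snort_error` and the contents of the file it names to `show_context`.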