[Snort-users] Failed to parse the IP address: $HOME_NET

Chiesa Stefano Stefano.Chiesa at ...15753...
Thu Aug 16 11:32:20 EDT 2012


Hello all.
I'm a newbie in Linux system management and is the first time I install
snort (barnyard2, snorby) and I need a help.
Everything is working quite fine at the moment, but I want to go ahead
and I'm facing a problem.


These are the details:

CentOS release 6.3 (Final)
Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29
UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

[root at ...15754... ~]# /usr/sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Rules updated every night via Pulledpork.
As a result I have a single rules file snort.rules.
I inseted the include statement in the snort.conf file: 

include $RULE_PATH/snort.rules

and disabled all other include lines.

This is the error:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is
deprecated; use detection_filter instead.

ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
!$HOME_NET.
Fatal Error, Quitting..
+++++++++++++++++++++++++++++++++++++++++++++++++++

I understood I have to configure the HOME_NET variable (I have almost
all the variables at the "any" value).
But, and this is the main problem, no matter what I write to configure
the variable I always get an error.

ipvar H0ME_NET 212.239.x.x/25		w/o brackets
ipvar H0ME_NET [212.239.x.x/25]	w/ brackets
ipvar H0ME_NET [172.16.40.111] w/ single internal address

using 'ipvar' or simply 'var' I get these errors:

[root at ...15754... ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /home/snort/log/eth0
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
$HOME_NET.
Fatal Error, Quitting..

(the line #55 is the first one that tries to use the variable: ipvar
DNS_SERVERS $HOME_NET

I read a number of post everywhere but I didn't find a solution.
Can someone help me?

Thanks in advance.

Stefano.


----------------------------------------
Stefano Chiesa
Wolters Kluwer Italia
Strada 1, Palazzo F6
20090 Milanofiori Assago (Mi) - Italia
Phone +39 0282476279 (20279 Voip)
Fax +39 0282476815


 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 25088 bytes
Desc: snort.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120816/ca8b0b47/attachment.obj>


More information about the Snort-users mailing list