[Snort-users] Failed to parse the IP address: $HOME_NET

Dave Venman dave.venman at ...1396...
Thu Aug 16 17:49:09 EDT 2012


Hmmm.  See inline below with >>>>

On 16 August 2012 16:32, Chiesa Stefano <Stefano.Chiesa at ...15753...> wrote:

> Hello all.
> I'm a newbie in Linux system management and is the first time I install
> snort (barnyard2, snorby) and I need a help.
> Everything is working quite fine at the moment, but I want to go ahead
> and I'm facing a problem.
>
>
> These are the details:
>
> CentOS release 6.3 (Final)
> Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29
> UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root at ...15754... ~]# /usr/sbin/snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> Rules updated every night via Pulledpork.
> As a result I have a single rules file snort.rules.
> I inseted the include statement in the snort.conf file:
>
> include $RULE_PATH/snort.rules
>
> and disabled all other include lines.
>
> This is the error:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is
> deprecated; use detection_filter instead.
>
> ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
> !$HOME_NET.
> Fatal Error, Quitting..
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> I understood I have to configure the HOME_NET variable (I have almost
> all the variables at the "any" value).
> But, and this is the main problem, no matter what I write to configure
> the variable I always get an error.
>
> ipvar H0ME_NET 212.239.x.x/25           w/o brackets
> ipvar H0ME_NET [212.239.x.x/25] w/ brackets
> ipvar H0ME_NET [172.16.40.111] w/ single internal address
>

>>>>  Have you pasted those lines from your snort.conf ?
>>>>
>>>> If so, is it H <capital O> ME_NET or H <zero> ME_NET ?
>>>>
>>>> HOME_NET compared to H0ME_NET ?

>
> using 'ipvar' or simply 'var' I get these errors:
>
> [root at ...15754... ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /home/snort/log/eth0
> Running in Test mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
> $HOME_NET.
> Fatal Error, Quitting..
>
> (the line #55 is the first one that tries to use the variable: ipvar
> DNS_SERVERS $HOME_NET
>
> I read a number of post everywhere but I didn't find a solution.
> Can someone help me?
>
> Thanks in advance.
>
> Stefano.
>
>
> ----------------------------------------
> Stefano Chiesa
> Wolters Kluwer Italia
> Strada 1, Palazzo F6
> 20090 Milanofiori Assago (Mi) - Italia
> Phone +39 0282476279 (20279 Voip)
> Fax +39 0282476815
>
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Dave Venman,
Security Engineer Manager, Sourcefire EMEA
Email:   dave dot  venman at  sourcefire dot .com<dave.venman at ...1935...>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120816/148af6cb/attachment.html>


More information about the Snort-users mailing list