[Snort-users] Failed to parse the IP address: $HOME_NET
Robert.Craft at ...15608...
Thu Aug 16 14:35:59 EDT 2012
Here's the entry from my snort.conf:
# Setup the network addresses you are protecting
ipvar HOME_NET [172.30.0.0/16,172.26.0.0/16,192.168.0.0/16]
And it looks like you have a 0 (zero) in the " ipvar H0ME_NET", but that may be in just your message.
I lost count of how many times I've had to redo the .conf files before things were running the way I wanted them to.
From: Chiesa Stefano [mailto:Stefano.Chiesa at ...15753...]
Sent: Thursday, August 16, 2012 11:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Failed to parse the IP address: $HOME_NET
I'm a newbie in Linux system management and is the first time I install snort (barnyard2, snorby) and I need a help.
Everything is working quite fine at the moment, but I want to go ahead and I'm facing a problem.
These are the details:
CentOS release 6.3 (Final)
Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root at ...15754... ~]# /usr/sbin/snort -V
,,_ -*> Snort! <*-
o" )~ Version 126.96.36.199 IPv6 GRE (Build 205)
'''' By Martin Roesch & The Snort Team:
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules updated every night via Pulledpork.
As a result I have a single rules file snort.rules.
I inseted the include statement in the snort.conf file:
and disabled all other include lines.
This is the error:
Initializing rule chains...
WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
Fatal Error, Quitting..
I understood I have to configure the HOME_NET variable (I have almost all the variables at the "any" value).
But, and this is the main problem, no matter what I write to configure the variable I always get an error.
ipvar H0ME_NET 212.239.x.x/25 w/o brackets
ipvar H0ME_NET [212.239.x.x/25] w/ brackets
ipvar H0ME_NET [172.16.40.111] w/ single internal address
using 'ipvar' or simply 'var' I get these errors:
[root at ...15754... ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /home/snort/log/eth0 Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
Fatal Error, Quitting..
(the line #55 is the first one that tries to use the variable: ipvar DNS_SERVERS $HOME_NET
I read a number of post everywhere but I didn't find a solution.
Can someone help me?
Thanks in advance.
Wolters Kluwer Italia
Strada 1, Palazzo F6
20090 Milanofiori Assago (Mi) - Italia
Phone +39 0282476279 (20279 Voip)
Fax +39 0282476815
More information about the Snort-users