[Snort-users] R: Failed to parse the IP address: $HOME_NET - [[]]

Chiesa Stefano Stefano.Chiesa at ...15753...
Fri Aug 17 08:02:37 EDT 2012


Thanks to everyone (Eoin, James, Joel, Dave, Robert & John) for the time wasted to help me. 

All of you were right: a ZERO instead of capital 'o'. 

Actually when I read the Eoin message for one second I hoped he was wrong...!
Too silly.... I have just an excuse. The WinSCP internal text editor use the same char for O and zero, so impossible to see. I had to do a 'Search' to discover that lines...
Anyway I wrote a zero instead a O, so....

Thanks to everybody again. Have a nice week end.

Stefano.

-----Messaggio originale-----
Da: Eoin Miller [mailto:eoin.miller at ...14586...] 
Inviato: giovedì 16 agosto 2012 18.08
A: Chiesa Stefano
Oggetto: Re: [Snort-users] Failed to parse the IP address: $HOME_NET - [[]]

I could be wrong, but it looks like your conf file has:

H0ME_NET

instead of:

HOME_NET

0 vs O / zero versus capital Oh

-- Eoin

On 8/16/2012 15:32, Chiesa Stefano wrote:
> Hello all.
> I'm a newbie in Linux system management and is the first time I install
> snort (barnyard2, snorby) and I need a help.
> Everything is working quite fine at the moment, but I want to go ahead
> and I'm facing a problem.
> 
> 
> These are the details:
> 
> CentOS release 6.3 (Final)
> Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29
> UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> 
> [root at ...15754... ~]# /usr/sbin/snort -V
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
> 
> Rules updated every night via Pulledpork.
> As a result I have a single rules file snort.rules.
> I inseted the include statement in the snort.conf file: 
> 
> include $RULE_PATH/snort.rules
> 
> and disabled all other include lines.
> 
> This is the error:
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is
> deprecated; use detection_filter instead.
> 
> ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
> !$HOME_NET.
> Fatal Error, Quitting..
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> I understood I have to configure the HOME_NET variable (I have almost
> all the variables at the "any" value).
> But, and this is the main problem, no matter what I write to configure
> the variable I always get an error.
> 
> ipvar H0ME_NET 212.239.x.x/25		w/o brackets
> ipvar H0ME_NET [212.239.x.x/25]	w/ brackets
> ipvar H0ME_NET [172.16.40.111] w/ single internal address
> 
> using 'ipvar' or simply 'var' I get these errors:
> 
> [root at ...15754... ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /home/snort/log/eth0
> Running in Test mode
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
> $HOME_NET.
> Fatal Error, Quitting..
> 
> (the line #55 is the first one that tries to use the variable: ipvar
> DNS_SERVERS $HOME_NET
> 
> I read a number of post everywhere but I didn't find a solution.
> Can someone help me?
> 
> Thanks in advance.
> 
> Stefano.
> 
> 
> ----------------------------------------
> Stefano Chiesa
> Wolters Kluwer Italia
> Strada 1, Palazzo F6
> 20090 Milanofiori Assago (Mi) - Italia
> Phone +39 0282476279 (20279 Voip)
> Fax +39 0282476815
> 
> 
>  
> 
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 





More information about the Snort-users mailing list