[Snort-users] R: Failed to parse the IP address: $HOME_NET - []
Stefano.Chiesa at ...15753...
Fri Aug 17 08:02:37 EDT 2012
Thanks to everyone (Eoin, James, Joel, Dave, Robert & John) for the time wasted to help me.
All of you were right: a ZERO instead of capital 'o'.
Actually when I read the Eoin message for one second I hoped he was wrong...!
Too silly.... I have just an excuse. The WinSCP internal text editor use the same char for O and zero, so impossible to see. I had to do a 'Search' to discover that lines...
Anyway I wrote a zero instead a O, so....
Thanks to everybody again. Have a nice week end.
Da: Eoin Miller [mailto:eoin.miller at ...14586...]
Inviato: giovedì 16 agosto 2012 18.08
A: Chiesa Stefano
Oggetto: Re: [Snort-users] Failed to parse the IP address: $HOME_NET - []
I could be wrong, but it looks like your conf file has:
0 vs O / zero versus capital Oh
On 8/16/2012 15:32, Chiesa Stefano wrote:
> Hello all.
> I'm a newbie in Linux system management and is the first time I install
> snort (barnyard2, snorby) and I need a help.
> Everything is working quite fine at the moment, but I want to go ahead
> and I'm facing a problem.
> These are the details:
> CentOS release 6.3 (Final)
> Linux s-dr-snort 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29
> UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> [root at ...15754... ~]# /usr/sbin/snort -V
> ,,_ -*> Snort! <*-
> o" )~ Version 22.214.171.124 IPv6 GRE (Build 205)
> '''' By Martin Roesch & The Snort Team:
> Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> Using libpcap version 1.3.0
> Using PCRE version: 7.8 2008-09-05
> Using ZLIB version: 1.2.3
> Rules updated every night via Pulledpork.
> As a result I have a single rules file snort.rules.
> I inseted the include statement in the snort.conf file:
> include $RULE_PATH/snort.rules
> and disabled all other include lines.
> This is the error:
> Initializing rule chains...
> WARNING: /etc/snort/../rules/snort.rules(12) threshold (in rule) is
> deprecated; use detection_filter instead.
> ERROR: /etc/snort/../rules/snort.rules(7073) !any is not allowed:
> Fatal Error, Quitting..
> I understood I have to configure the HOME_NET variable (I have almost
> all the variables at the "any" value).
> But, and this is the main problem, no matter what I write to configure
> the variable I always get an error.
> ipvar H0ME_NET 212.239.x.x/25 w/o brackets
> ipvar H0ME_NET [212.239.x.x/25] w/ brackets
> ipvar H0ME_NET [172.16.40.111] w/ single internal address
> using 'ipvar' or simply 'var' I get these errors:
> [root at ...15754... ~]# /usr/sbin/snort -T -d -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /home/snort/log/eth0
> Running in Test mode
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> ERROR: /etc/snort/snort.conf(55) Failed to parse the IP address:
> Fatal Error, Quitting..
> (the line #55 is the first one that tries to use the variable: ipvar
> DNS_SERVERS $HOME_NET
> I read a number of post everywhere but I didn't find a solution.
> Can someone help me?
> Thanks in advance.
> Stefano Chiesa
> Wolters Kluwer Italia
> Strada 1, Palazzo F6
> 20090 Milanofiori Assago (Mi) - Italia
> Phone +39 0282476279 (20279 Voip)
> Fax +39 0282476815
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users