[Snort-users] FATAL ERROR: /etc/snort/rules/file-office.rules(32) Undefined variable in the string: $EXTERNAL_NET.

Jason Buker jason.buker at ...11827...
Tue Jan 7 05:05:42 EST 2014


Your rightŠ somehow I dorked up the config file.

This is what I have nowŠ but now I¹m getting a message about stream5
needing enabled.. 

1/7/14 1:03:32.537 PM snort[98265]: FATAL ERROR:
/etc/snort/rules/file-office.rules(32): Stream5 must be enabled to use the
'to_client' option.


My snort.conf:
var HOME_NET any

var EXTERNAL_NET any

var HTTP_PORTS 80

var FILE_DATA_PORTS [$HTTP_PORTS,110,143]

var RULE_PATH rules

var SO_RULE_PATH so_rules

var PREPROC_RULE_PATH preproc_rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

preprocessor sfportscan: proto  { all } \

                         memcap { 10000000 } \

                         scan_type { all } \

                         sense_level { low }

output unified2: filename snort.u2, limit 128

include $RULE_PATH/file-office.rules

include $RULE_PATH/file-other.rules

include $RULE_PATH/file-pdf.rules

include $RULE_PATH/indicator-compromise.rules

include $RULE_PATH/indicator-obfuscation.rules

include $RULE_PATH/policy-multimedia.rules

include $RULE_PATH/policy-other.rules

include $RULE_PATH/policy-social.rules

include $RULE_PATH/pua-p2p.rules

include $RULE_PATH/pua-toolbars.rules

include $RULE_PATH/server-mail.rules

include $PREPROC_RULE_PATH/preprocessor.rules

include $PREPROC_RULE_PATH/decoder.rules

include $PREPROC_RULE_PATH/sensitive-data.rules

include $SO_RULE_PATH/bad-traffic.rules

include $SO_RULE_PATH/chat.rules

include $SO_RULE_PATH/dos.rules

include $SO_RULE_PATH/exploit.rules

include $SO_RULE_PATH/icmp.rules

include $SO_RULE_PATH/imap.rules

include $SO_RULE_PATH/misc.rules

include $SO_RULE_PATH/multimedia.rules

include $SO_RULE_PATH/netbios.rules

include $SO_RULE_PATH/nntp.rules

include $SO_RULE_PATH/p2p.rules

include $SO_RULE_PATH/smtp.rules

include $SO_RULE_PATH/snmp.rules

include $SO_RULE_PATH/specific-threats.rules

include $SO_RULE_PATH/web-activex.rules

include $SO_RULE_PATH/web-client.rules

include $SO_RULE_PATH/web-iis.rules

include $SO_RULE_PATH/web-misc.rules



Thanks, 

Jason




On 1/7/14, 11:40 AM, "Jeremy Hoel" <jthoel at ...11827...> wrote:

>Looking at the message it looks like you have an error in your
>snort.conf; with the variable $EXTERNAL_NET.
>
>Post it to the list any maybe one of us can help you.
>
>On Mon, Jan 6, 2014 at 10:58 PM, Jason Buker <jason.buker at ...11827...>
>wrote:
>> Finally managed to get snort installed on OSX (Maverick)Š..
>>
>> However, the messages are showing up in the messages:
>> 1/7/14 8:55:28.042 AM snort[84645]:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1/7/14 8:55:28.042 AM snort[84645]: Initializing rule chains...
>> 1/7/14 8:55:28.043 AM snort[84645]: FATAL ERROR:
>> /etc/snort/rules/file-office.rules(32) Undefined variable in the string:
>> $EXTERNAL_NET.
>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort[84645])
>>Exited
>> with code: 1
>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort) Throttling
>> respawn: Will start in 10 seconds
>>
>>
>>
>> I¹m a snort newbie.  Anyone have a quick fix?
>>
>>
>> Thanks,
>> Jason
>>
>> 
>>-------------------------------------------------------------------------
>>-----
>> Rapidly troubleshoot problems before they affect your business. Most IT
>> organizations don't have a clear picture of how application performance
>> affects their revenue. With AppDynamics, you get 100% visibility into
>>your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
>>AppDynamics
>> Pro!
>> 
>>http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clkt
>>rk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>>Snort
>> news!






More information about the Snort-users mailing list