[Snort-users] FATAL ERROR: /etc/snort/rules/file-office.rules(32) Undefined variable in the string: $EXTERNAL_NET.

Jason Buker jason.buker at ...11827...
Tue Jan 7 06:31:38 EST 2014


Instead of trying to fix a broken config… I started over.   :)


It’s working now.  Thanks for the quick responses and help.

-Jason




On 1/7/14, 1:24 PM, "Jason Buker" <jason.buker at ...11827...> wrote:

>Yeah, somehow I messed up my snort.conf.  I fixed the last FATAL but now I
>have another one:
>
>1/7/14 1:23:18.305 PM snort[98762]: FATAL ERROR: /etc/snort/snort.conf(44)
>Unknown rule type: 5250.
>
>Your help is appreciated!
>
>
>-Jason
>
>On 1/7/14, 1:05 PM, "Jason Buker" <jason.buker at ...11827...> wrote:
>
>>You're right… somehow I dorked up the config file.
>>
>>This is what I have now… but now I'm getting a message about stream5
>>needing enabled..
>>
>>1/7/14 1:03:32.537 PM snort[98265]: FATAL ERROR:
>>/etc/snort/rules/file-office.rules(32): Stream5 must be enabled to use the
>>'to_client' option.
>>
>>
>>My snort.conf:
>>var HOME_NET any
>>var EXTERNAL_NET any
>>var HTTP_PORTS 80
>>var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>>var RULE_PATH rules
>>var SO_RULE_PATH so_rules
>>var PREPROC_RULE_PATH preproc_rules
>>var WHITE_LIST_PATH /etc/snort/rules
>>var BLACK_LIST_PATH /etc/snort/rules
>>preprocessor sfportscan: proto  { all } \
>>                         memcap { 10000000 } \
>>                         scan_type { all } \
>>                         sense_level { low }
>>output unified2: filename snort.u2, limit 128
>>include $RULE_PATH/file-office.rules
>>include $RULE_PATH/file-other.rules
>>include $RULE_PATH/file-pdf.rules
>>include $RULE_PATH/indicator-compromise.rules
>>include $RULE_PATH/indicator-obfuscation.rules
>>include $RULE_PATH/policy-multimedia.rules
>>include $RULE_PATH/policy-other.rules
>>include $RULE_PATH/policy-social.rules
>>include $RULE_PATH/pua-p2p.rules
>>include $RULE_PATH/pua-toolbars.rules
>>include $RULE_PATH/server-mail.rules
>>include $PREPROC_RULE_PATH/preprocessor.rules
>>include $PREPROC_RULE_PATH/decoder.rules
>>include $PREPROC_RULE_PATH/sensitive-data.rules
>>include $SO_RULE_PATH/bad-traffic.rules
>>include $SO_RULE_PATH/chat.rules
>>include $SO_RULE_PATH/dos.rules
>>include $SO_RULE_PATH/exploit.rules
>>include $SO_RULE_PATH/icmp.rules
>>include $SO_RULE_PATH/imap.rules
>>include $SO_RULE_PATH/misc.rules
>>include $SO_RULE_PATH/multimedia.rules
>>include $SO_RULE_PATH/netbios.rules
>>include $SO_RULE_PATH/nntp.rules
>>include $SO_RULE_PATH/p2p.rules
>>include $SO_RULE_PATH/smtp.rules
>>include $SO_RULE_PATH/snmp.rules
>>include $SO_RULE_PATH/specific-threats.rules
>>include $SO_RULE_PATH/web-activex.rules
>>include $SO_RULE_PATH/web-client.rules
>>include $SO_RULE_PATH/web-iis.rules
>>include $SO_RULE_PATH/web-misc.rules
>>
>>
>>
>>Thanks, 
>>
>>Jason
>>
>>
>>
>>
>>On 1/7/14, 11:40 AM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>
>>>Looking at the message it looks like you have an error in your
>>>snort.conf; with the variable $EXTERNAL_NET.
>>>
>>>Post it to the list and maybe one of us can help you.
>>>
>>>On Mon, Jan 6, 2014 at 10:58 PM, Jason Buker <jason.buker at ...11827...>
>>>wrote:
>>>> Finally managed to get snort installed on OSX (Maverick)…
>>>>
>>>> However, the messages are showing up in the messages:
>>>> 1/7/14 8:55:28.042 AM snort[84645]:
>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>>> 1/7/14 8:55:28.042 AM snort[84645]: Initializing rule chains...
>>>> 1/7/14 8:55:28.043 AM snort[84645]: FATAL ERROR:
>>>> /etc/snort/rules/file-office.rules(32) Undefined variable in the string:
>>>> $EXTERNAL_NET.
>>>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort[84645]) Exited
>>>> with code: 1
>>>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort) Throttling
>>>> respawn: Will start in 10 seconds
>>>>
>>>>
>>>>
>>>> I'm a snort newbie.  Anyone have a quick fix?
>>>>
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>
>>
>
>
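
An added example, not part of the thread and not Snort project code: a pre-flight check over snort.conf and rule-file text for the three fatal errors quoted above (undefined variable, `flow` option without Stream5, unknown rule type). The keyword list, function names and sample input are assumptions of this sketch; `snort -T -c /etc/snort/snort.conf` remains the authoritative test.

```python
import re

# Leading words Snort 2.9.x accepts in snort.conf (partial list, an assumption);
# any other first word on a line is parsed as a rule type.
KEYWORDS = set("""var ipvar portvar config preprocessor output include
    dynamicpreprocessor dynamicengine dynamicdetection alert log pass drop
    reject sdrop activate dynamic ruletype event_filter suppress rate_filter
    threshold attribute_table""".split())

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        start = start or no
        buf += line.rstrip("\\").strip() + " "
        if not line.endswith("\\"):
            if buf.strip():
                yield start, buf.strip()
            buf, start = "", None

def preflight(conf, rules):
    """conf: snort.conf text; rules: {file name: text}. Returns findings."""
    findings, defined, stream5 = [], set(), False
    for no, line in logical_lines(conf):
        words = line.split()
        if words[0] not in KEYWORDS:
            findings.append(f"snort.conf({no}): unknown rule type {words[0]}")
        elif words[0] in ("var", "ipvar", "portvar") and len(words) > 1:
            defined.add(words[1])
        elif words[0] == "preprocessor" and "stream5_global" in line:
            stream5 = True
    for name, text in rules.items():
        for no, line in logical_lines(text):
            header, _, options = line.partition("(")  # variables live in the header
            for var in re.findall(r"\$(\w+)", header):
                if var not in defined:
                    findings.append(f"{name}({no}): undefined variable ${var}")
            if not stream5 and re.search(r"\bflow\s*:", options):
                findings.append(f"{name}({no}): flow option without stream5")
    return findings

# Constructed sample input, not the poster's files.
CONF = "var HOME_NET any\nvar FILE_DATA_PORTS [80,110,143]\n5250\n"
RULES = {"file-office.rules": 'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET '
         'any (msg:"constructed"; flow:to_client,established; sid:1000001;)\n'}
if __name__ == "__main__":
    print("\n".join(preflight(CONF, RULES)))
```
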





