[Snort-users] FATAL ERROR: /etc/snort/rules/file-office.rules(32) Undefined variable in the string: $EXTERNAL_NET.

Joel Esler (jesler) jesler at ...589...
Tue Jan 7 11:56:35 EST 2014


Yes, good call.  This is what I was about to say.  Looks like you stripped everything you need out.

Start with a fresh snort.conf: http://www.snort.org/vrt/snort-conf-configurations/

and work from there.



On Jan 7, 2014, at 6:31 AM, Jason Buker <jason.buker at ...11827...> wrote:

> Instead of trying to fix a broken config… I started over.   :)
> 
> 
> It’s working now.  Thanks for the quick responses and help.
> 
> -Jason
> 
> 
> 
> 
> On 1/7/14, 1:24 PM, "Jason Buker" <jason.buker at ...11827...> wrote:
> 
>> Yeah, somehow I messed up my snort.conf.  I fixed the last FATAL but now I
>> have another one:
>> 
>> 1/7/14 1:23:18.305 PM snort[98762]: FATAL ERROR: /etc/snort/snort.conf(44) Unknown rule type: 5250.
>> 
>> Your help is appreciated!
>> 
>> 
>> -Jason
>> 
>> On 1/7/14, 1:05 PM, "Jason Buker" <jason.buker at ...11827...> wrote:
>> 
>>> You're right… somehow I dorked up the config file.
>>> 
>>> This is what I have now… but now I'm getting a message about stream5
>>> needing enabled..
>>> 
>>> 1/7/14 1:03:32.537 PM snort[98265]: FATAL ERROR: /etc/snort/rules/file-office.rules(32): Stream5 must be enabled to use the 'to_client' option.
>>> 
>>> 
>>> My snort.conf:
>>> var HOME_NET any
>>> var EXTERNAL_NET any
>>> var HTTP_PORTS 80
>>> var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>>> var RULE_PATH rules
>>> var SO_RULE_PATH so_rules
>>> var PREPROC_RULE_PATH preproc_rules
>>> var WHITE_LIST_PATH /etc/snort/rules
>>> var BLACK_LIST_PATH /etc/snort/rules
>>> preprocessor sfportscan: proto  { all } \
>>>                        memcap { 10000000 } \
>>>                        scan_type { all } \
>>>                        sense_level { low }
>>> output unified2: filename snort.u2, limit 128
>>> include $RULE_PATH/file-office.rules
>>> include $RULE_PATH/file-other.rules
>>> include $RULE_PATH/file-pdf.rules
>>> include $RULE_PATH/indicator-compromise.rules
>>> include $RULE_PATH/indicator-obfuscation.rules
>>> include $RULE_PATH/policy-multimedia.rules
>>> include $RULE_PATH/policy-other.rules
>>> include $RULE_PATH/policy-social.rules
>>> include $RULE_PATH/pua-p2p.rules
>>> include $RULE_PATH/pua-toolbars.rules
>>> include $RULE_PATH/server-mail.rules
>>> include $PREPROC_RULE_PATH/preprocessor.rules
>>> include $PREPROC_RULE_PATH/decoder.rules
>>> include $PREPROC_RULE_PATH/sensitive-data.rules
>>> include $SO_RULE_PATH/bad-traffic.rules
>>> include $SO_RULE_PATH/chat.rules
>>> include $SO_RULE_PATH/dos.rules
>>> include $SO_RULE_PATH/exploit.rules
>>> include $SO_RULE_PATH/icmp.rules
>>> include $SO_RULE_PATH/imap.rules
>>> include $SO_RULE_PATH/misc.rules
>>> include $SO_RULE_PATH/multimedia.rules
>>> include $SO_RULE_PATH/netbios.rules
>>> include $SO_RULE_PATH/nntp.rules
>>> include $SO_RULE_PATH/p2p.rules
>>> include $SO_RULE_PATH/smtp.rules
>>> include $SO_RULE_PATH/snmp.rules
>>> include $SO_RULE_PATH/specific-threats.rules
>>> include $SO_RULE_PATH/web-activex.rules
>>> include $SO_RULE_PATH/web-client.rules
>>> include $SO_RULE_PATH/web-iis.rules
>>> include $SO_RULE_PATH/web-misc.rules
>>> 
>>> 
>>> 
>>> Thanks, 
>>> 
>>> Jason
>>> 
>>> 
>>> 
>>> 
>>> On 1/7/14, 11:40 AM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>> 
>>>> Looking at the message it looks like you have an error in your
>>>> snort.conf; with the variable $EXTERNAL_NET.
>>>> 
>>>> Post it to the list and maybe one of us can help you.
>>>> 
>>>> On Mon, Jan 6, 2014 at 10:58 PM, Jason Buker <jason.buker at ...11827...>
>>>> wrote:
>>>>> Finally managed to get snort installed on OSX (Maverick)…..
>>>>> 
>>>>> However, the messages are showing up in the messages:
>>>>> 1/7/14 8:55:28.042 AM snort[84645]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>> 1/7/14 8:55:28.042 AM snort[84645]: Initializing rule chains...
>>>>> 1/7/14 8:55:28.043 AM snort[84645]: FATAL ERROR: /etc/snort/rules/file-office.rules(32) Undefined variable in the string: $EXTERNAL_NET.
>>>>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort[84645]) Exited with code: 1
>>>>> 1/7/14 8:55:28.044 AM com.apple.launchd[1]: (org.snort.Snort) Throttling respawn: Will start in 10 seconds
>>>>> 
>>>>> 
>>>>> 
>>>>> I'm a snort newbie.  Anyone have a quick fix?
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> Jason
>>>>> 
>>>>> 
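
Added example, not part of the original thread or of Snort itself: a small pre-flight check for the two failures reported above, a rule header that references a variable snort.conf never defines, and a `flow` option in a rule when no Stream5 preprocessor is configured. The sample config and rule are constructed, and the function names are hypothetical.

```python
import re

VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s")
PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)")
VAR_REF = re.compile(r"\$(\w+)")
FLOW_OPT = re.compile(r"\bflow\s*:\s*[^;]+;")

def parse_conf(conf_text):
    """Return (defined variable names, declared preprocessor names)."""
    defined, preprocs = set(), set()
    # snort.conf lets a directive continue onto the next line with a backslash
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if m := VAR_DEF.match(line):
            defined.add(m.group(1))
        if m := PREPROC.match(line):
            preprocs.add(m.group(1).lower())
    return defined, preprocs

def check_rules(rules_text, defined, preprocs):
    """List (line number, problem) pairs for the two failures in the thread."""
    problems = []
    has_stream5 = any(p.startswith("stream5") for p in preprocs)
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]        # variables live in the rule header
        for ref in VAR_REF.findall(header):
            if ref not in defined:
                problems.append((n, "undefined variable $" + ref))
        if FLOW_OPT.search(line) and not has_stream5:
            problems.append((n, "flow option used but Stream5 is not enabled"))
    return problems

# Constructed sample input, not the poster's files
SAMPLE_CONF = """\
var HOME_NET any
var HTTP_PORTS 80
var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
preprocessor sfportscan: proto { all } \\
    sense_level { low }
"""
SAMPLE_RULES = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
                '(msg:"sample"; flow:to_client,established; sid:1000001; rev:1;)\n')

if __name__ == "__main__":
    for lineno, problem in check_rules(SAMPLE_RULES, *parse_conf(SAMPLE_CONF)):
        print(f"rules line {lineno}: {problem}")
```

Snort's own test mode (`snort -T -c /etc/snort/snort.conf`) remains the authoritative check; this sketch only screens for those two conditions and does not follow `include` lines.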
