[Snort-users] Snort Error

Paraskevas Lampadas parislampadas at ...11827...
Wed Jan 18 19:25:52 EST 2017


I'll check it, but as I see you are using Snort 2.9.8.3. I am using the latest,
2.9.9.0; I don't know if that changes anything.

Best regards,

Λαμπαδάς Πάρης
*Informatics Engineer (T.E.)*
*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:22 AM, Al Lewis (allewi) <allewi at ...589...> wrote:

> See attached. I just tested it with the -T and it runs fine.
>
>
> This is the sample (trimmed down config I used with your variables).
>
>
> # Setup the network addresses you are protecting
> ipvar HOME_NET 192.168.10.0/24
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET !$HOME_NET
>
> preprocessor stream5_global: \
> max_tcp 8192, \
> track_tcp yes, \
> track_udp yes, \
> track_icmp no
> preprocessor stream5_tcp:
> preprocessor stream5_udp:
>
> preprocessor frag3_global:
> preprocessor frag3_engine:
>
>
> alert tcp HOME_NET any -> EXTERNAL_NET any ( msg:"test"; sid: 1000001; )
>
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: Paraskevas Lampadas <parislampadas at ...11827...>
> Date: Wednesday, January 18, 2017 at 7:13 PM
>
> To: allewi <allewi at ...589...>
> Cc: 'snort-users' <snort-users at lists.sourceforge.net>, waldo kitty <
> wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort Error
>
>
>
> Best regards,
>
> Λαμπαδάς Πάρης
> *Informatics Engineer (T.E.)*
> *Cisco Certified Network Associate*
>
> On Thu, Jan 19, 2017 at 2:08 AM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> Please send a copy of your config.
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...589...
>>
>> From: Paraskevas Lampadas <parislampadas at ...11827...>
>> Date: Wednesday, January 18, 2017 at 7:06 PM
>> To: allewi <allewi at ...589...>
>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>, waldo kitty <
>> wkitty42 at ...14940...>
>>
>> Subject: Re: [Snort-users] Snort Error
>>
>> As I mentioned in my first message:
>>
>> Everything is fine except that I get alerts coming from my internal
>> network as attacks, which are false alarms. In /etc/snort/snort.conf I have
>> set the EXTERNAL NET as any.
>>
>> I tried to make it !$HOME NET, but then snort fails to load at
>> startup. If I change it back to any everything works fine.
>>
>> How else can I avoid receiving alerts from my internal network?
>>
>> On 19 Jan 2017 02:03, "Al Lewis (allewi)" <allewi at ...589...>
>> wrote:
>>
>>> Looks like you need to set EXTERNAL_NET to something.
>>>
>>> Take a look at the default config that comes with the download.
>>>
>>>
>>> cliffjumper$ less /var/tmp/snort-2.9.8.3/etc/snort.conf | grep EXTERNAL
>>> ipvar EXTERNAL_NET any
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>
>>> Email: allewi at ...589...
>>>
>>> From: Paraskevas Lampadas <parislampadas at ...11827...>
>>> Date: Wednesday, January 18, 2017 at 6:51 PM
>>> To: waldo kitty <wkitty42 at ...14940...>
>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>>> Subject: Re: [Snort-users] Snort Error
>>>
>>> " FATAL ERROR: /etc/snort/snort.conf(48) Missing argument to
>>> EXTERNAL_NET"
>>>
>>> The exact error message
>>>
>>> Best regards,
>>>
>>> Λαμπαδάς Πάρης
>>> *Informatics Engineer (T.E.)*
>>> *Cisco Certified Network Associate*
>>>
>>> On Thu, Jan 19, 2017 at 1:43 AM, Paraskevas Lampadas <
>>> parislampadas at ...11827...> wrote:
>>>
>>>> FATAL ERROR variable EXTERNAL_NET not set, or something like that.
>>>>
>>>> Best regards,
>>>>
>>>> Λαμπαδάς Πάρης
>>>> *Informatics Engineer (T.E.)*
>>>> *Cisco Certified Network Associate*
>>>>
>>>> On Wed, Jan 18, 2017 at 4:02 AM, <wkitty42 at ...14940...> wrote:
>>>>
>>>>> On 01/17/2017 04:37 PM, Paraskevas Lampadas wrote:
>>>>> > I tried to make it !$HOME NET, but then snort fails to load at startup.
>>>>> > If I change it back to any everything works fine.
>>>>> >
>>>>> > How else can I avoid receiving alerts from my internal network?
>>>>>
>>>>> what is the exact error message given at startup when you set
>>>>> EXTERNAL_NET to !HOME_NET??
>>>>>
>>>>> --
>>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>>         *Please keep mailing list traffic on the list* unless
>>>>>         private contact is specifically requested and granted.
>>>>>
>>>>
>>>>
>>>
>
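
A pre-flight check for the variable lines discussed in this thread, run before `snort -T`. This is an added example, not code from any poster or from the Snort project. `lint_vars` and both sample strings are hypothetical and constructed, the checks are heuristics that do not reproduce Snort's parser, and the thread does not establish which of them, if any, applies to the poster's file.

```python
import re

# Constructed samples. GOOD holds the two variable lines from the trimmed
# config in the thread; BAD spells the reference with a space, the way it is
# written in the message body ("!$HOME NET").
GOOD = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET !$HOME_NET\n"
BAD = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET !$HOME NET\n"

# "<keyword> <NAME> <value...>"; the value may be empty.
DECL = re.compile(r"^\s*(?:ipvar|portvar|var)\s+(\S+)\s*(.*?)\s*$")
# $NAME or $(NAME...) references inside a value.
REF = re.compile(r"\$\(?([A-Za-z_][A-Za-z0-9_]*)")


def lint_vars(conf_text):
    """Return (line_no, message) findings for variable declarations.

    Heuristic pre-flight check only (assumption: one declaration per line,
    no backslash continuations); it does not reproduce Snort's parser.
    """
    defined, findings = set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name, value = m.groups()
        if not value:
            findings.append((no, f"{name}: declared without a value"))
        elif not value.startswith("[") and re.search(r"\s", value):
            findings.append((no, f"{name}: whitespace inside value {value!r}"))
        # Every referenced variable must already be declared higher up.
        for ref in REF.findall(value):
            if ref not in defined:
                findings.append((no, f"{name}: ${ref} is not defined above this line"))
        defined.add(name)
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, lint_vars(text) or "no findings")
```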