[Snort-users] Snort Error

Paraskevas Lampadas parislampadas at ...11827...
Wed Jan 18 19:49:17 EST 2017


It seems to work fine now!
Thanks a lot!

Best regards,

Λαμπαδάς Πάρης
*Informatics Engineer T.E.*
*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:35 AM, Al Lewis (allewi) <allewi at ...589...> wrote:

> Same result. See attached.
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: Paraskevas Lampadas <parislampadas at ...11827...>
> Date: Wednesday, January 18, 2017 at 7:25 PM
>
> To: allewi <allewi at ...589...>
> Cc: 'snort-users' <snort-users at lists.sourceforge.net>, waldo kitty <
> wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort Error
>
> I'll check it, but as I see you are using Snort 2.9.8.3. I am using the
> latest, 2.9.9.0; I don't know if that changes anything.
>
> Best regards,
>
> Λαμπαδάς Πάρης
> *Informatics Engineer T.E.*
> *Cisco Certified Network Associate*
>
> On Thu, Jan 19, 2017 at 2:22 AM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> See attached. I just tested it with the -T and it runs fine.
>>
>>
>> This is the sample (trimmed down config I used with your variables).
>>
>>
>> # Setup the network addresses you are protecting
>> ipvar HOME_NET 192.168.10.0/24
>>
>> # Set up the external network addresses. Leave as "any" in most situations
>> ipvar EXTERNAL_NET !$HOME_NET
>>
>> preprocessor stream5_global: \
>> max_tcp 8192, \
>> track_tcp yes, \
>> track_udp yes, \
>> track_icmp no
>> preprocessor stream5_tcp:
>> preprocessor stream5_udp:
>>
>> preprocessor frag3_global:
>> preprocessor frag3_engine:
>>
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )
>>
>>
>>
>>
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...589...
>>
>> From: Paraskevas Lampadas <parislampadas at ...11827...>
>> Date: Wednesday, January 18, 2017 at 7:13 PM
>>
>> To: allewi <allewi at ...589...>
>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>, waldo kitty <
>> wkitty42 at ...14940...>
>> Subject: Re: [Snort-users] Snort Error
>>
>>
>>
>> Best regards,
>>
>> Λαμπαδάς Πάρης
>> *Informatics Engineer T.E.*
>> *Cisco Certified Network Associate*
>>
>> On Thu, Jan 19, 2017 at 2:08 AM, Al Lewis (allewi) <allewi at ...589...>
>> wrote:
>>
>>> Please send a copy of your config.
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>
>>> Email: allewi at ...589...
>>>
>>> From: Paraskevas Lampadas <parislampadas at ...11827...>
>>> Date: Wednesday, January 18, 2017 at 7:06 PM
>>> To: allewi <allewi at ...589...>
>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>, waldo kitty <
>>> wkitty42 at ...14940...>
>>>
>>> Subject: Re: [Snort-users] Snort Error
>>>
>>> As I mentioned in my first message:
>>>
>>> Everything is fine except that I get alerts coming from my internal
>>> network as attacks, which are false alarms. In /etc/snort/snort.conf I have
>>> set the EXTERNAL NET as any.
>>>
>>> I tried to make it !$HOME NET, but then Snort fails to load at
>>> startup. If I change it back to any, everything works fine.
>>>
>>> How else can I avoid receiving alerts from my internal network?
>>>
>>> On 19 Jan 2017 02:03, "Al Lewis (allewi)" <allewi at ...16731.....>
>>> wrote:
>>>
>>>> Looks like you need to set EXTERNAL_NET to something.
>>>>
>>>> Take a look at the default config that comes with the download.
>>>>
>>>>
>>>> cliffjumper$ less /var/tmp/snort-2.9.8.3/etc/snort.conf | grep EXTERNAL
>>>> *ipvar EXTERNAL_NET any*
>>>>
>>>> *Albert Lewis*
>>>>
>>>> ENGINEER.SOFTWARE ENGINEERING
>>>>
>>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>>
>>>> Email: allewi at ...589...
>>>>
>>>> From: Paraskevas Lampadas <parislampadas at ...11827...>
>>>> Date: Wednesday, January 18, 2017 at 6:51 PM
>>>> To: waldo kitty <wkitty42 at ...14940...>
>>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>>>> Subject: Re: [Snort-users] Snort Error
>>>>
>>>> " FATAL ERROR: /etc/snort/snort.conf(48) Missing argument to
>>>> EXTERNAL_NET"
>>>>
>>>> The exact error message
>>>>
>>>> Best regards,
>>>>
>>>> Λαμπαδάς Πάρης
>>>> *Informatics Engineer T.E.*
>>>> *Cisco Certified Network Associate*
>>>>
>>>> On Thu, Jan 19, 2017 at 1:43 AM, Paraskevas Lampadas <
>>>> parislampadas at ...11827...> wrote:
>>>>
>>>>> FATAL ERROR variable EXTERNAL_NET not set, or something like that.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Λαμπαδάς Πάρης
>>>>> *Informatics Engineer T.E.*
>>>>> *Cisco Certified Network Associate*
>>>>>
>>>>> On Wed, Jan 18, 2017 at 4:02 AM, <wkitty42 at ...14940...> wrote:
>>>>>
>>>>>> On 01/17/2017 04:37 PM, Paraskevas Lampadas wrote:
>>>>>> > I tried to make it !$HOME NET, but then Snort fails to load at
>>>>>> > startup. If I change it back to any, everything works fine.
>>>>>> >
>>>>>> > How else can I avoid receiving alerts from my internal network?
>>>>>>
>>>>>> what is the exact error message given at startup when you set
>>>>>> EXTERNAL_NET to
>>>>>> !HOME_NET??
>>>>>>
>>>>>> --
>>>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>>>         *Please keep mailing list traffic on the list* unless
>>>>>>         private contact is specifically requested and granted.
>>>>>>
>>>>>
>>>>>
>>>>
>>
>
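
Added example, not part of the thread and not code from Snort or from either poster: a pre-flight check over the `ipvar` lines of a snort.conf, built around the `EXTERNAL_NET` failure discussed above. The thread never says which mistake caused the error; the four conditions flagged here (no value, whitespace inside a value such as `!$HOME NET`, a reference to a variable not yet defined, negating a variable that is `any`) are assumptions about how Snort 2.9 parses `ipvar`, and `lint_ipvars` and both sample fragments are constructed for illustration.

```python
import re

# Constructed fragment with ipvar mistakes (not the poster's real config,
# which does not appear in the thread).
SAMPLE_BAD = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS
ipvar SMTP_SERVERS !$HOME NET
"""

# The two ipvar lines of the trimmed config quoted in the thread.
SAMPLE_GOOD = """\
ipvar HOME_NET 192.168.10.0/24
ipvar EXTERNAL_NET !$HOME_NET
"""

REF = re.compile(r"(!?)\$(\w+)")  # optional negation, then $NAME

def lint_ipvars(conf_text):
    """Return [(line_no, var_name, problem)] for suspicious ipvar lines."""
    is_any = {}      # variable name -> True if it resolves to "any"
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 2)   # drop comment, tokenize
        if not parts or parts[0] != "ipvar":
            continue
        if len(parts) < 3:                            # assumed "Missing argument" case
            name = parts[1] if len(parts) == 2 else "?"
            findings.append((no, name, "no value"))
            continue
        name, value = parts[1], parts[2].strip()
        if not value.startswith("[") and len(value.split()) > 1:
            findings.append((no, name, "whitespace in value"))
            continue
        for neg, ref in REF.findall(value):
            if ref not in is_any:                     # used before it is defined
                findings.append((no, name, "undefined $" + ref))
            elif neg and is_any[ref]:                 # "!any" matches nothing
                findings.append((no, name, "negates 'any' via $" + ref))
        m = REF.fullmatch(value)
        is_any[name] = value == "any" or bool(
            m and not m.group(1) and is_any.get(m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in lint_ipvars(SAMPLE_BAD):
        print("line %d: %s: %s" % finding)
```

Snort's own test mode (`-T`, as used in the thread) remains the authoritative check; this only narrows down which `ipvar` line to look at first.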