[Snort-users] Snort-users Digest, Vol 128, Issue 41

Eric Boettner eric.boettner at ...11827...
Wed Jan 18 19:56:28 EST 2017


Unsubscribe 

On Wed, Jan 18, 2017 at 7:53 PM -0500, <snort-users-request at ...3471...ge.net> wrote:

Today's Topics:

   1. Re: Snort Error (Paraskevas Lampadas)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jan 2017 02:49:17 +0200
From: Paraskevas Lampadas 
Subject: Re: [Snort-users] Snort Error
To: "Al Lewis (allewi)" 
Cc: "snort-users at lists.sourceforge.net"
Content-Type: text/plain; charset="utf-8"

It looks to work fine now!
Thanks a lot!

*Cisco Certified Network Associate*

On Thu, Jan 19, 2017 at 2:35 AM, Al Lewis (allewi)  wrote:

> Same result. See attached.
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: Paraskevas Lampadas 
> Date: Wednesday, January 18, 2017 at 7:25 PM
>
> To: allewi 
> Cc: 'snort-users' , waldo kitty <
> wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort Error
>
> I'll check it, but as I see you are using Snort 2.9.8.3. I am using the
> latest, 2.9.9.0. I don't know if that changes anything.
>
> *Cisco Certified Network Associate*
>
> On Thu, Jan 19, 2017 at 2:22 AM, Al Lewis (allewi) 
> wrote:
>
>> See attached. I just tested it with the -T and it runs fine.
>>
>>
>> This is the sample (trimmed down config I used with your variables).
>>
>>
>> # Set up the network addresses you are protecting
>> ipvar HOME_NET 192.168.10.0/24
>>
>> # Set up the external network addresses. Leave as "any" in most situations
>> ipvar EXTERNAL_NET !$HOME_NET
>>
>> preprocessor stream5_global: \
>>     max_tcp 8192, \
>>     track_tcp yes, \
>>     track_udp yes, \
>>     track_icmp no
>> preprocessor stream5_tcp:
>> preprocessor stream5_udp:
>>
>> preprocessor frag3_global:
>> preprocessor frag3_engine:
>>
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"test"; sid: 1000001; )
>>
>>
>>
>>
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...589...
>>
>> From: Paraskevas Lampadas 
>> Date: Wednesday, January 18, 2017 at 7:13 PM
>>
>> To: allewi 
>> Cc: 'snort-users' , waldo kitty <
>> wkitty42 at ...14940...>
>> Subject: Re: [Snort-users] Snort Error
>>
>>
>>
>> *Cisco Certified Network Associate*
>>
>> On Thu, Jan 19, 2017 at 2:08 AM, Al Lewis (allewi) 
>> wrote:
>>
>>> Please send a copy of your config.
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>
>>> Email: allewi at ...589...
>>>
>>> From: Paraskevas Lampadas 
>>> Date: Wednesday, January 18, 2017 at 7:06 PM
>>> To: allewi 
>>> Cc: 'snort-users' , waldo kitty <
>>> wkitty42 at ...14940...>
>>>
>>> Subject: Re: [Snort-users] Snort Error
>>>
>>> As I mentioned in my first message:
>>>
>>> Everything is fine except that I get alerts coming from my internal
>>> network as attacks, which are false alarms. In /etc/snort/snort.conf I have
>>> set the EXTERNAL NET as any.
>>>
>>> I tried to make it !$HOME NET, but then Snort fails to load at
>>> startup. If I change it back to any, everything works fine.
>>>
>>> How else can I avoid receiving alerts from my internal network?
>>>
>>> On 19 Jan 2017 02:03, "Al Lewis (allewi)" wrote:
>>>
>>>> Looks like you need to set EXTERNAL_NET to something.
>>>>
>>>> Take a look at the default config that comes with the download.
>>>>
>>>>
>>>> cliffjumper$ less /var/tmp/snort-2.9.8.3/etc/snort.conf | grep EXTERNAL
>>>> ipvar EXTERNAL_NET any
>>>>
>>>> *Albert Lewis*
>>>>
>>>> ENGINEER.SOFTWARE ENGINEERING
>>>>
>>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>>
>>>> Email: allewi at ...589...
>>>>
>>>> From: Paraskevas Lampadas 
>>>> Date: Wednesday, January 18, 2017 at 6:51 PM
>>>> To: waldo kitty 
>>>> Cc: 'snort-users' 
>>>> Subject: Re: [Snort-users] Snort Error
>>>>
>>>> " FATAL ERROR: /etc/snort/snort.conf(48) Missing argument to
>>>> EXTERNAL_NET"
>>>>
>>>> The exact error message
>>>>
>>>> *Cisco Certified Network Associate*
>>>>
>>>> On Thu, Jan 19, 2017 at 1:43 AM, Paraskevas Lampadas <
>>>> parislampadas at ...11827...> wrote:
>>>>
>>>>> FATAL ERROR variable EXTERNAL_NET not set, or something like that.
>>>>>
>>>>> *Cisco Certified Network Associate*
>>>>>
>>>>> On Wed, Jan 18, 2017 at 4:02 AM,  wrote:
>>>>>
>>>>>> On 01/17/2017 04:37 PM, Paraskevas Lampadas wrote:
>>>>>> > I tried to make it !$HOME NET, but then Snort fails to load at startup.
>>>>>> > If I change it back to any, everything works fine.
>>>>>> >
>>>>>> > How else can I avoid receiving alerts from my internal network?
>>>>>>
>>>>>> What is the exact error message given at startup when you set
>>>>>> EXTERNAL_NET to !HOME_NET?
>>>>>>
>>>>>> --
>>>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>>>         *Please keep mailing list traffic on the list* unless
>>>>>>         private contact is specifically requested and granted.
>>>>>>
>>>>>
>>>>>
>>>>
>>
>
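
A pre-flight check for the `ipvar` lines discussed in this thread, as an added example that is not part of any poster's message or of Snort itself: it flags an `ipvar` with no value, a reference to a variable that is not defined earlier in the file (as with the `!$HOME NET` spelling quoted above), and a negation that resolves to `!any`. The sample configs and the name `lint_ipvars` are constructed for illustration; `snort -T` remains the authoritative test.

```python
import re

# Constructed sample configs for illustration (not the poster's snort.conf).
GOOD = """\
ipvar HOME_NET 192.168.10.0/24
ipvar EXTERNAL_NET !$HOME_NET
"""
BAD = """\
ipvar HOME_NET any            # legal on its own
ipvar EXTERNAL_NET !$HOME_NET
ipvar DMZ_NET !$HOME NET
ipvar DNS_SERVERS
"""

REF = re.compile(r"\$\{?(\w+)")            # $NAME or ${NAME}
NEG = re.compile(r"!\s*(any\b|\$\{?\w+)")  # !any or !$NAME


def lint_ipvars(conf_text):
    """Return [(line_no, message)] for ipvar lines that deserve a second look."""
    defined, findings = {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop trailing comments, then split into: keyword, name, value.
        parts = raw.split("#", 1)[0].split(None, 2)
        if not parts or parts[0] != "ipvar":
            continue
        if len(parts) < 3:
            findings.append((no, "ipvar has no value"))
            continue
        name, value = parts[1], parts[2].strip()
        for ref in REF.findall(value):
            if ref not in defined:
                findings.append((no, f"${ref} is not defined earlier in the file"))
        for neg in NEG.findall(value):
            target = neg.lstrip("${")
            if target == "any" or defined.get(target) == "any":
                findings.append((no, f"!{neg} resolves to !any, which Snort does not allow"))
        defined[name] = value
    return findings


if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_ipvars(conf) or "clean")
```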