Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: HOME_NET var on snort.conf

From: "pfeito" <pfeito () netcabo pt>
Date: Thu, 25 Mar 2004 23:32:48 -0000
Thanx! And sorry for the late response.

-S HOME_NET has worked just fine for me!


but $<iface>_ADDRESS works for me. Of course it doesn't work if you
specify wrong interface, or if the interface doesn't have an IP address
assigned to it.

It does not work for me.. I don’t know why! The interface has an IP
(assigned by DHCP) and its working fine. 

Anyway, I was able to work it out using -S option :) Thanx!

-pfeito


-----Original Message-----
From: Michael Boman [mailto:mboman () gentoo org]
Sent: terça-feira, 23 de Março de 2004 3:08
To: pfeito
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] HOME_NET var on snort.conf

On Sun, 2003-03-23 at 07:56, pfeito wrote:

Forget! It's not possible to remove $HOME_NET from snort.conf, it breaks

a

lot of things and snort refuses to start. Right know I really don't know

how

to deal with this problem...


from snort(8) manual page:
-S variable=value

Set  variable  name  "variable"  to  value "value".  This is useful for
setting the value of a defined variable name in a Snort rules file to a
command line specified value.  For instance, if you define a HOME_NET
variable name inside of a Snort rules file, you can set this value from
it's predefined value at the command line.

So:

snort -S HOME_NET=$MYIP <other options>

but $<iface>_ADDRESS works for me. Of course it doesn't work if you
specify wrong interface, or if the interface doesn't have an IP address
assigned to it.



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of pfeito
Sent: segunda-feira, 22 de Março de 2004 20:52
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] HOME_NET var on snort.conf

That is weird, if it does not know what $<interface>_ADDRESS is, why

does

the default snort.conf provided in snort src 2.1.1 have the following
lines?

# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which
# you run snort at.

Why mention it if it doesnt exists?

Anyway I looked at snorts manual and it seems that I'll be able to

hack it

like this:
- Change /etc/init.d/snort
- Add this to the beginning of /etc/init.d/snort
  MYIP=`ifconfig eth2 | grep 'inet addr:' | cut -d ':' -f2 | cut -d '

' -

f1`
- Change the line that invokes snort

In my case from:
$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS

To:
$SNORT_PATH/snort -c $CONFIG -i $IFACE -h $MYIP/32 -g $SNORT_GID

$OPTIONS


That seems to be working great. Of course the script must be invoked
everytime the IP changes, but its not so difficult to write or reuse a
perl
script (for instance) to dynamically stop/start snort if the IP

changes.




-----Original Message-----
From: neil [mailto:neil () bellsimons com]
Sent: segunda-feira, 22 de Março de 2004 13:05
To: pfeito
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HOME_NET var on snort.conf

The variable does not exist within the file, your asking it to do
something it doesn't know how to do.

Your going to have to do some hacking to get the snort.conf to parse

the

ip address for you.

Maybe this will help you a little:

#!/usr/bin/perl
#Roxcor Tech / www.pheusion.com / IPparse.pl

$interface="eth0";
# path to ifconfig

$ifconfig="/sbin/ifconfig";

@lines=qx|$ifconfig $interface| or die("Can't get info from

ifconfig:

".$!);

        foreach(@lines){
        if(/inet addr:([\d.]+)/){
                print "$1\n";
        }
}


On Sun, 2004-03-21 at 21:00, pfeito wrote:

Hi!

 In snort.conf, I have HOME_NET var set like this:

var HOME_NET $eth1_ADDRESS

I start snort, but it does not start. In /var/log/messages I get

the

following information:

Mar 22 01:44:01 snortbox snort: FATAL ERROR: Undefined variable

name:

(/etc/snort/snort.conf:46): eth1_ADDRESS
Mar 22 01:44:01 snortbox kernel: device eth1 left promiscuous mode

I have to set the IP address of the box manually, but this IP

address

is

assigned by my ISP, so it would be much better if "var HOME_NET
$eth1_ADDRESS" method worked!

An excerpt from my snort.conf:

###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local

network.

The

# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be

always

# initialized to IP address and netmask of the network interface

which

you

run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
# var HOME_NET any

#var HOME_NET $eth1_ADDRESS <----ERROR
var HOME_NET YYY.YYY.YYY.YYY/32 #obscured my current IP address

Im running snort 2.1.1 on Fedora Core 1.
What could be wrong? Any ideas ?

--
Michael Boman
Gentoo NetMon Team Lead | Developer, Hardened Gentoo Linux
http://www.gentoo.org   | http://dev.gentoo.org/~mboman





-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: