trojan81
asked on
snort EXTERNAL_NET variable not working
Experts,
I am unable to get a custom rule to work because it keeps complaining about my variable.
BELOW are my rules:
cat /etc/snort/rules/myrules.rules
#Testing alert 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP connection allen"; flags:S; sid:10001;)
#
#Testing another alert 2
alert tcp 192.168.1.112 any -> $EXTERNAL_NET any (msg:"match all traffic"; sid:10002;)
BELOW is the variable defined in my snort.conf file:
# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar $EXTERNAL_NET any
BELOW is the error I get when I try to check my rule. It doesn't understand my variables. Was I supposed to redefine my variable under myrules.rules?
root@kali:/proc/sys/net/ipv4# snort -c /etc/snort/rules/myrules.rules
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/myrules.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/myrules.rules(2) Undefined variable in the string: $EXTERNAL_NET.
Fatal Error, Quitting..
ASKER
Rich, good looking out. I get the error for $HOME_NET when I use -c with the snort.conf:
root@kali:/proc/sys/net/ipv4# snort -c /etc/snort/snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(51) Failed to parse the IP address: $HOME_NET.
This is my variable:
# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24
Does it not like the CIDR notation?
ASKER
That did it. Thank you, Rich.
snort -c /etc/snort/snort.conf
or wherever your snort.conf is.
-rich
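The two errors in this thread have the same root cause: a Snort 2.x rule can only use $NAME if a var/ipvar/portvar NAME is in scope when the rule is parsed. Passing the rules file straight to snort -c gives it no definitions at all, and a definition written as "ipvar $HOME_NET ..." registers the literal name "$HOME_NET", so a later "$HOME_NET" still does not resolve (the definition takes the bare name; "$" marks a reference). The script below is an added example, not code from the thread or from the Snort project: a small lint that flags both mistakes. The snort.conf and rules file it checks are constructed inline to mirror the poster's files, and the temp-file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project).
# lint_snort_vars CONF RULES checks a Snort 2.x config plus a rules file for:
#   1. a var/ipvar/portvar whose name starts with "$" (definition takes the
#      bare name; "$" belongs only on references), and
#   2. a $NAME used in a rule with no matching definition, which is also what
#      happens when the rules file alone is handed to "snort -c".
# Prints one finding per line and returns 1 if anything was found.

lint_snort_vars() {
    conf=$1
    rules=$2
    rc=0

    # Check 1: definition names must not carry the "$". Snort would store the
    # variable as "$HOME_NET", so a lookup of HOME_NET later on fails.
    bad=$(awk '$1 ~ /^(var|ipvar|portvar)$/ && $2 ~ /^\$/ {
                 print FILENAME ":" NR ": definition name must not start with $: " $2 }' "$conf")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        rc=1
    fi

    # Check 2: every $NAME referenced in the rules must be defined in the config.
    defined=$(awk '$1 ~ /^(var|ipvar|portvar)$/ { print $2 }' "$conf")
    refs=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$rules" | sort -u)
    for ref in $refs; do
        name=${ref#\$}
        if ! printf '%s\n' "$defined" | grep -qx -- "$name"; then
            printf '%s: undefined variable referenced: %s\n' "$rules" "$ref"
            rc=1
        fi
    done
    return $rc
}

# Number of findings for a config/rules pair (awk so the count is always 0-exit).
finding_count() {
    lint_snort_vars "$1" "$2" | awk 'END { print NR }'
}

# --- constructed sample files (hypothetical temp paths) ---------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# snort.conf as the poster wrote it: note the "$" in the HOME_NET definition.
BROKEN_CONF=$WORK/snort.conf
cat > "$BROKEN_CONF" <<'EOF'
# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
EOF

# Same config with the definition corrected to the bare name.
FIXED_CONF=$WORK/snort.fixed.conf
sed 's/^ipvar \$HOME_NET/ipvar HOME_NET/' "$BROKEN_CONF" > "$FIXED_CONF"

# No definitions at all: what the rules see when "snort -c myrules.rules" is run.
EMPTY_CONF=$WORK/empty.conf
: > "$EMPTY_CONF"

RULES=$WORK/myrules.rules
cat > "$RULES" <<'EOF'
#Testing alert 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP connection"; flags:S; sid:10001;)
#Testing another alert 2
alert tcp 192.168.1.112 any -> $EXTERNAL_NET any (msg:"match all traffic"; sid:10002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"web"; sid:10003;)
EOF

# Demo: empty config -> 3 findings, broken config -> 2, fixed config -> none.
for c in "$EMPTY_CONF" "$BROKEN_CONF" "$FIXED_CONF"; do
    echo "== $(basename "$c") =="
    lint_snort_vars "$c" "$RULES" || echo "(variables need fixing)"
done
```

Run it against a real deployment as lint_snort_vars /etc/snort/snort.conf /etc/snort/rules/myrules.rules; the check is deliberately stricter than Snort itself, because it looks at definitions only in the one file you pass and ignores include ordering, so a clean result here is necessary but not sufficient for snort -T to pass.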