I am unable to get a custom rule to work because it keeps complaining about my variable.
Below are my rules:
#Testing alert 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP connection allen"; flags:S; sid:10001;)
#Testing another alert 2
alert tcp 192.168.1.112 any -> $EXTERNAL_NET any (msg:"match all traffic"; sid:10002;)
Below is the variable defined in my snort.conf file:
# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar $EXTERNAL_NET any
Below is the error I get when I try to check my rule. It doesn't understand my variables. Was I supposed to redefine my variable under myrules.rules?
root@kali:/proc/sys/net/ipv4# snort -c /etc/snort/rules/myrules.rules
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Parsing Rules file "/etc/snort/rules/myrules.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort
Initializing rule chains...
ERROR: /etc/snort/rules/myrules.rules(2) Undefined variable in the string: $EXTERNAL_NET.
Fatal Error, Quitting..