snort EXTERNAL_NET variable not working

Experts,

I am unable to get a custom rule to work because it keeps complaining about my variable.

BELOW are my rules:

 cat /etc/snort/rules/myrules.rules
#Testing alert 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP connection allen"; flags:S; sid:10001;)
#
#Testing another alert 2
alert tcp 192.168.1.112 any -> $EXTERNAL_NET any (msg:"match all traffic"; sid:10002;)


BELOW is the variable defined in my snort.conf file:

# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar $EXTERNAL_NET any



BELOW is the error I get when I try to check my rule.  It doesn't understand my variables. Was I supposed to redefine my variable under myrules.rules?



root@kali:/proc/sys/net/ipv4# snort -c /etc/snort/rules/myrules.rules
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/myrules.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/myrules.rules(2) Undefined variable in the string: $EXTERNAL_NET.
Fatal Error, Quitting..
trojan81 Asked:

Rich Rumble (Security Samurai) Commented:
-c is supposed to point to snort.conf not the rules :)
snort -c /etc/snort/snort.conf
or wherever your snort.conf is.
-rich
trojan81 (Author) Commented:
Rich, good looking out. I get the error to the $HOME_NET when I -C to the snort.conf


root@kali:/proc/sys/net/ipv4# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(51) Failed to parse the IP address: $HOME_NET.



This is my variable:

# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24



Does it not like the CIDR notation?
Rich Rumble (Security Samurai) Commented:
I'm not sure why yours is using $ in the variables in the conf file, I'm not used to seeing them there... I think that's the issue.
ipvar $HOME_NET 192.168.1.0/24 <----Yours
ipvar HOME_NET 192.168.1.0/24 <---
Do all the variables in Kali's Snort use $? For Snort or Suricata learning may I recommend the Security Onion instead of Kali. While Kali is a great tool, the Onion is better for IDS proof of concepting :)
https://github.com/security-onion-solutions/security-onion
-rich
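
An added example (not code from this thread or from the Snort project): a small Python check for the two problems discussed above, a snort.conf declaration written with a leading $ and a rule header that references a variable the config never defines. The sample config and rules are copied from the question; the function name lint and the regexes are assumptions of this example and cover only the plain $NAME form.

```python
import re

# Snort 2.x style declarations: var | ipvar | portvar, then NAME, then VALUE
DECL = re.compile(r'^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$')
# Plain $NAME references (the $(NAME) form is not handled in this example)
REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
RULE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')

# Constructed samples, copied from the question on this page
BROKEN_CONF = """# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar $EXTERNAL_NET any
"""
FIXED_CONF = BROKEN_CONF.replace("ipvar $", "ipvar ")
RULES = """#Testing alert 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP connection allen"; flags:S; sid:10001;)
#Testing another alert 2
alert tcp 192.168.1.112 any -> $EXTERNAL_NET any (msg:"match all traffic"; sid:10002;)
"""

def lint(conf_text, rules_text):
    """Return (findings, defined_names); each finding is (file, line_no, message)."""
    findings, defined = [], set()
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(line)          # comment lines start with '#', so never match
        if not m:
            continue
        kind, name, value = m.groups()
        if name.startswith('$'):
            findings.append(('conf', n, f"'{kind} {name}': declare the name without '$'"))
            continue                  # this declaration does not define a usable name
        defined.add(name)
        for ref in REF.findall(value):   # e.g. a value such as !$HOME_NET
            if ref not in defined:
                findings.append(('conf', n, f"value uses undefined ${ref}"))
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not RULE.match(line):
            continue
        header = line.split('(', 1)[0]   # options may contain '$' in content/pcre
        for ref in REF.findall(header):
            if ref not in defined:
                findings.append(('rules', n, f"undefined variable ${ref}"))
    return findings, defined

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf, RULES))
```

Calling lint with an empty config string and the same rules models the first attempt in the question, where -c pointed at the rules file and no variables were defined at all.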

trojan81 (Author) Commented:
That did it. Thank you Rich.