snort troubles

jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
I'm working on snort for the security lab that I have. I can run snort but I'm having trouble running the specific rules that are in the "rules" folder. I went through different manuals and I tried to configure the snort.conf file. I changed the EXTERNAL_NET any to EXTERNAL_NET "public address" in the snort.conf. The rules are still having trouble. I thought the rules used the snort.conf to know what traffic to look at. I thought I had defined the variable for the EXTERNAL_NET in the snort.conf.

For the second rule that I'm trying to use, I had set the HOME_NET variable in the snort.conf. When I first ran snort, it gave me the same issue.

I didn't make any changes to the rules.

Does anyone know whats going on?

root@ubuntu:/etc/snort# snort -c /etc/snort/rules/****.rules
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/****.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/****.rules(24) Undefined variable in the string: $EXTERNAL_NET.
Fatal Error, Quitting..
root@ubuntu:/etc/snort#







root@ubuntu:/etc/snort# snort -c /etc/snort/rules/attack-responses.rules
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/attack-responses.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/attack-responses.rules(26) Undefined variable in the string: $HOME_NET.
Fatal Error, Quitting..
root@ubuntu:/etc/snort#
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    The "-c" parameter should point to your snort.conf file, not a rules file. The $EXTERNAL_NET variable is typically set to any.

    You can also run the "-T" parameter along with "-c" to test your Snort install config without having to daemonize it.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Thanks for explaining it to me. So maybe I'm a little confused. Do I have to write the rules in the snort.conf file in order to send me alerts about certain traffic that the computer is getting? Or do I need to some how point the rule files in the snort.conf for monitoring?

    When I ran snort it picked up alot of traffic, especially when I did an xmas scan against the box, using nmap. I would like to try to limit the traffic that snort is reporting in the log file.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Generally people use include statements in snort.conf which point to where the various rules files are such as /etc/snort/rules/foo.rules. Alerts are usually sent via another tool outside of Snort. Most people use Snort to process packets off the wire (decode, preprocess / normalize, evaluate them via the detection engine / rules), and then write alerts to logs via the output plugin, typically binary logs known as unified2. A separate application, usually barnyard2, then collects and writes those into a database. It used to be that Snort could also write directly to a DB, but that consumes processing power. Better to let barnyard2 do the heavy-lifting for DB writes and free up Snort to evaluate traffic.

    Front-ends like Sguil, Snorby, or BASE is common for doing the day-to-day analysis work.

    The "alert" statement in the rules simply mean that it will generate a notice event to a log, not email you. If you're not already familiar with it, you should read up on the fast-pattern matching detection method that Snort uses. The processing of pass, drop, and alert rules (among others) play a big factor as well as existing content pattern matches in the rules, the length of those matches, the existence of regex statements in the rules, etc., etc..
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Thanks again!!! I feel that what you wrote is way over my head though. I'll try to check out the include statements in snort.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
Sign In or Register to comment.