snort troubles
jamesleecoleman
I'm working on snort for the security lab that I have. I can run snort but I'm having trouble running the specific rules that are in the "rules" folder. I went through different manuals and I tried to configure the snort.conf file. I changed the EXTERNAL_NET any to EXTERNAL_NET "public address" in the snort.conf. The rules are still having trouble. I thought the rules used the snort.conf to know what traffic to look at. I thought I had defined the variable for the EXTERNAL_NET in the snort.conf.
For the second rule that I'm trying to use, I had set the HOME_NET variable in the snort.conf. When I first ran snort, it gave me the same issue.
I didn't make any changes to the rules.
Does anyone know what's going on?
root@ubuntu:/etc/snort# snort -c /etc/snort/rules/****.rules
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/****.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/****.rules(24) Undefined variable in the string: $EXTERNAL_NET.
Fatal Error, Quitting..
root@ubuntu:/etc/snort#
root@ubuntu:/etc/snort# snort -c /etc/snort/rules/attack-responses.rules
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/attack-responses.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/attack-responses.rules(26) Undefined variable in the string: $HOME_NET.
Fatal Error, Quitting..
root@ubuntu:/etc/snort#
Comments
docrice
The "-c" parameter should point to your snort.conf file, not a rules file. The $EXTERNAL_NET variable is typically set to any.
You can also run the "-T" parameter along with "-c" to test your Snort install config without having to daemonize it.
jamesleecoleman
Thanks for explaining it to me. So maybe I'm a little confused. Do I have to write the rules in the snort.conf file in order to send me alerts about certain traffic that the computer is getting? Or do I need to somehow point the rule files in the snort.conf for monitoring?
When I ran snort it picked up a lot of traffic, especially when I did an xmas scan against the box, using nmap. I would like to try to limit the traffic that snort is reporting in the log file.
docrice
Generally people use include statements in snort.conf which point to where the various rules files are, such as /etc/snort/rules/foo.rules. Alerts are usually sent via another tool outside of Snort. Most people use Snort to process packets off the wire (decode, preprocess / normalize, evaluate them via the detection engine / rules), and then write alerts to logs via the output plugin, typically binary logs known as unified2. A separate application, usually barnyard2, then collects and writes those into a database. It used to be that Snort could also write directly to a DB, but that consumes processing power. Better to let barnyard2 do the heavy lifting for DB writes and free up Snort to evaluate traffic.
Front-ends like Sguil, Snorby, or BASE are common for doing the day-to-day analysis work.
The "alert" statement in the rules simply means that it will generate a notice event to a log, not email you. If you're not already familiar with it, you should read up on the fast-pattern matching detection method that Snort uses. The processing of pass, drop, and alert rules (among others) plays a big factor, as well as existing content pattern matches in the rules, the length of those matches, the existence of regex statements in the rules, etc.
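Added example, not from this thread or from the Snort project: a small POSIX shell pre-check that ties together the two points docrice makes (pass snort.conf to "-c", not a rules file, and let snort.conf define the variables and include the rules files). It writes a minimal snort.conf with sample ipvar/portvar/var lines and include statements, then scans each rules file for $VARIABLE references the conf never defines, which is exactly the condition behind the "Undefined variable in the string" error in the original post. The network ranges, directory paths, and the two sample rules are constructed for the demo; after the check is clean, the real validation is still "snort -T -c /path/to/snort.conf".

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): pre-check rules files for
# variables that snort.conf does not define, then hand snort.conf to "snort -T -c".
LC_ALL=C; export LC_ALL

# Write a minimal snort.conf. Address ranges are sample values; $2 is the rules dir.
write_conf() {
    conf="$1"; rulesdir="$2"
    cat > "$conf" <<EOF
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !\$HOME_NET
portvar HTTP_PORTS 80
var RULE_PATH $rulesdir
include \$RULE_PATH/attack-responses.rules
EOF
}

# Names defined by var/ipvar/portvar lines in a snort.conf, sorted, one per line.
defined_vars() {
    awk '$1 == "var" || $1 == "ipvar" || $1 == "portvar" { print $2 }' "$1" | sort -u
}

# $NAME references in a rules file (comment lines skipped), sorted, one per line.
referenced_vars() {
    awk '/^[ \t]*#/ { next }
         { s = $0
           while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
               print substr(s, RSTART + 1, RLENGTH - 1)   # drop the leading $
               s = substr(s, RSTART + RLENGTH)
           } }' "$1" | sort -u
}

# Names referenced in rules file $2 but never defined in conf $1.
undefined_vars() {
    defs=$(mktemp); refs=$(mktemp)
    defined_vars "$1" > "$defs"
    referenced_vars "$2" > "$refs"
    comm -23 "$refs" "$defs"          # both inputs are sorted by sort -u above
    rm -f "$defs" "$refs"
}

# Exit 0 when every variable in $2 is defined by $1; otherwise report and exit 1,
# mirroring Snort's own "Undefined variable in the string" fatal error.
check_rules_file() {
    missing=$(undefined_vars "$1" "$2")
    if [ -n "$missing" ]; then
        printf '%s: undefined in %s: %s\n' "$2" "$1" "$(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Build a demo tree under $1: snort.conf plus two constructed rules files.
setup_demo() {
    d="$1"
    mkdir -p "$d/rules"
    write_conf "$d/snort.conf" "$d/rules"
    cat > "$d/rules/attack-responses.rules" <<'EOF'
# constructed sample rule: every variable it uses is defined in snort.conf
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DEMO http request"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)
EOF
    cat > "$d/rules/local.rules" <<'EOF'
# constructed sample rule: $SMTP_SERVERS is never defined in snort.conf
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"DEMO smtp reply"; sid:1000002; rev:1;)
EOF
}

DEMO_DIR=$(mktemp -d)
setup_demo "$DEMO_DIR"
# Pointing -c at a rules file alone is like checking against an empty conf:
# every variable comes back undefined, as in the original post.
check_rules_file /dev/null "$DEMO_DIR/rules/attack-responses.rules"
# Checked against the real snort.conf the same file is clean...
check_rules_file "$DEMO_DIR/snort.conf" "$DEMO_DIR/rules/attack-responses.rules"
# ...while the second file still reports SMTP_SERVERS.
check_rules_file "$DEMO_DIR/snort.conf" "$DEMO_DIR/rules/local.rules"
# With a clean pre-check, validate the full config without daemonizing:
#   snort -T -c "$DEMO_DIR/snort.conf"
```

The pre-check only looks at variable names, so it will not catch a bad CIDR or port list; that is what the "-T" run is for, and it is why the conf, not a rules file, is the thing to hand to "-c".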
jamesleecoleman
Thanks again!!! I feel that what you wrote is way over my head though. I'll try to check out the include statements in snort.