
Thread: another quick snort question

  1. #1

    another quick snort question

    I just scrapped my previous version of snort for 2.0. I should have stayed with the other.

    Win XP home is my OS

    Ok, in my event viewer I'm getting this message repeatedly:

    The description for Event ID ( 1 ) in Source ( SnortService ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Undefined variable name: (C:\Documents and Settings\MyAccountDesktop\Snort\etc\snort.conf:24): HOME_NET

    When I attempt to test snort from the IDS center console I get this message.

    ERROR: Undefined variable name: (C:\Documents and Settings\MyAccount\Desktop\Snort\etc\snort.conf:24): HOME_NET
    fatal Error, Quitting..

    This is confusing the **** out of me, any help would be greatly appreciated.

    edit, in case it helps any, the 24th line is read as the following

    var DNS_SERVERS $HOME_NET

  2. #2
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Yes but what is HOME_NET defined as (it's a variable you set according to what your home network is)? It's probably pulling up the error on Line 24 because that's the first time it runs into the variable.

    e.g.
    var HOME_NET 192.168.0.0/16
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Have you actually defined $HOME_NET in your snort config? You have to do that or you cannot refer to it as a variable. If you have then make sure you have stuck to the syntax correctly 'cos it can be a bit complicated if you define more than one host or net. If memory serves it should look like this for a single subnet:-

    var HOME_NET 192.168.1.0/24

    or like this for multiple nets:-

    var HOME_NET [192.168.3.0/24,192.168.4.0/24]

    NOTE: there are no spaces either side of the comma

    To delineate a single machine it would be:

    var HOME_NET 192.168.3.1/30

    or multiple machines would be:-

    var HOME_NET [192.168.3.1/30,192.168.3.2/30]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Thank you all.

    Another very quick question, if I'm behind a "router" that's using NAT would I be able to go into promiscuous mode to sniff all the traffic on my home network? Or would the "router" actually be a switch, meaning that each of the 4 ethernet ports is a switched connection to the outside?

    It's a Netgear MR314, I can't really find much documentation, and Netgear's site is painfully slow today.

    I guess I get a crash course in pseudo coding today. It appears that in the rules file I have to define HOME_NET as well. Just so I don't screw anything up in the rules files I am guessing that I would define home net as this.

    Original rule

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6

    My guess at defining my home net

    alert tcp $192.168.0.2/32 any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6

    Am I correct?

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    109

    RE: Switch sniffen'

    Jonesy,
    Your rule looks great for capping all traffic on your LAN, however you have one obstacle. If you are behind a 'router' which in your case appears to be of the 4-port switched SOHO variety, your IDS won't be able to cap the packets on the wire except for those addressed specifically to the IDS's host machine. In order to sniff all packets, you either need to plug your IDS into the mirror port of the router, if there is one and your IDS is dedicated, or:

    1. go here and do some research http://chocobospore.org/projects/arpspoof/arpspoof.pdf

    2. Download an ARP Spoofing package like arpspoof(part of Dsniff)- http://www.monkey.org/~dugsong/dsniff/

    3. Install it/Compile it/Whatever and point it to spoof between all hosts on the lan. You may have to spawn multiple instances to spoof multiple hosts. Try running a sniffer like ethereal or ettercap and try web browsing on the other hosts to see if the IDS comp picks it up. If it works, all data should be forwarded through your IDS comp. Any questions? email me.

  6. #6
    Thank you, on to the next friggin hurdle. GRRrrrrr!!

    Now when I go to test it, it says:

    Error: Unable to open rules file: classification.config or ./classification.config
    Fatal Error, Quitting..

    What does that crap mean? I have it loaded, it's in the directory /snort/rules so why isn't it working?
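    The two errors in this thread (the "Undefined variable name ... HOME_NET" from posts #1 and #3, and the "Unable to open rules file: classification.config" from post #6) both come from Snort reading snort.conf top to bottom: a `$VAR` reference only works once a `var` line above it has defined it, and an `include` only works if the file is where Snort looks for it. The checker below is an added example, not code from the thread or from the Snort project, that walks a config in the same order and reports both problems before Snort is started, and also flags the list-syntax mistakes post #3 warns about (spaces around commas, values that are not valid CIDR blocks). The config fragments in it are constructed for the example (note that a single host is a /32 mask); the rule that a relative `include` must exist either next to snort.conf or in the current directory is an assumption based on the "or ./classification.config" wording of the error, and the decision to treat `ipvar` and names ending in `_NET`/`_SERVERS` as IP lists is a heuristic of this script, not a Snort rule.

```python
import ipaddress
import re
from pathlib import Path

# Constructed snort.conf fragments (not the poster's real file). The first
# reproduces the thread's error: DNS_SERVERS refers to $HOME_NET before
# HOME_NET has been defined, so Snort fails on the DNS_SERVERS line.
BROKEN_CONF = """\
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
include classification.config
"""

# Same fragment with HOME_NET defined first; a single host is a /32.
FIXED_CONF = """\
var HOME_NET 192.168.0.2/32
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
"""

VAR_RE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\w+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
REF_RE = re.compile(r"\$(\w+)")


def check_net_list(value):
    """Return a list of syntax problems in an IP variable's value."""
    problems = []
    # 'any' needs no parsing; values built from other variables are
    # checked for definedness in check_conf instead.
    if value == "any" or REF_RE.search(value):
        return problems
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1]
        if " " in inner:
            problems.append("spaces inside the [...] list")
        items = [item.strip() for item in inner.split(",")]
    else:
        items = [value]
    for item in items:
        try:
            # A leading '!' negates an entry in Snort; strip it before parsing.
            ipaddress.ip_network(item.lstrip("!"), strict=False)
        except ValueError:
            problems.append(f"not an address or CIDR block: {item!r}")
    return problems


def check_conf(text, conf_dir=None):
    """Walk a snort.conf top to bottom and return (line_no, message) findings.

    A variable is only known once its 'var' line has been read, which is why
    Snort reports the error at the first line that *uses* $HOME_NET rather
    than at the place HOME_NET should have been defined.
    """
    findings = []
    defined = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = VAR_RE.match(line)
        if m:
            keyword, name, value = m.groups()
            for ref in REF_RE.findall(value):
                if ref not in defined:
                    findings.append((line_no, f"Undefined variable name: {ref}"))
            # Heuristic (this script's, not Snort's): ipvar, and var names
            # ending in _NET/_SERVERS, hold IP lists worth syntax-checking.
            if keyword == "ipvar" or name.endswith(("_NET", "_SERVERS")):
                for problem in check_net_list(value):
                    findings.append((line_no, f"{name}: {problem}"))
            defined.add(name)
            continue
        m = INCLUDE_RE.match(line)
        if m and conf_dir is not None:
            target = m.group(1)
            # Assumption: a relative include must exist next to snort.conf
            # or in the current directory ("... or ./classification.config").
            candidates = [Path(conf_dir) / target, Path(target)]
            if not any(c.is_file() for c in candidates):
                findings.append((line_no, f"Unable to open rules file: {target}"))
    return findings


def lint_file(path):
    """Lint a snort.conf on disk, resolving includes against its directory."""
    path = Path(path)
    return check_conf(path.read_text(), conf_dir=path.parent)


if __name__ == "__main__":
    for line_no, message in check_conf(BROKEN_CONF):
        print(f"snort.conf:{line_no}: {message}")
    print("fixed fragment findings:", check_conf(FIXED_CONF))
```

Run it against a real file with `lint_file("C:/Snort/etc/snort.conf")`; an empty list means every `$VAR` is defined before use, the IP lists parse, and every `include` can be found from the config directory, which is the state Snort needs before it will start.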

  7. #7
    Junior Member
    Join Date
    Apr 2003
    Posts
    24
    Jonesy69:

    Have you considered running Snort on a machine that doesn't have a stack bound to its network interface card? This would be a GREAT way of 'hiding' your IDS box, and also preventing it from overt attacks.

    You can do this in the *nix world, but I'm not sure if you can in Windows. Anyone know for sure, one way or the other?

    -C

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Soda: Yes you can under Win2k and XP. I have one outside my firewall like that.

    Under network connections just uncheck all the services there, (TCP/IP, Windows Client, File and Printer sharing and anything else you have there), and the card will go silent. Snort will then fire it up in promiscuous mode and it remains quiet.

    I'd still secure and patch the heck out of it though..... Can't be too careful...<s>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Thank you all for the replies and answers. If anything I would like to get it up and running and leave it at that until I decide to upgrade it. It's more of me jumping a hurdle and teaching myself new things, while it's less about me wanting an ultra secure box and home lan. I figure the way I have it configured right now, I have the box I have snort on as my DMZ box. I just want something to look at really. I plan on getting a box running some flavor of *nix, just to teach myself. But, that comes with money my friends, something I run short on at the moment.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jonesy: If your box is in the demil zone you need to make sure that you do what I said in my previous post. If you don't that box is wide open since your firewall will not filter any packets to it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
