-
help with snort
I just got myself a copy of snort 2.0.1 with winpcap 3 and IDScenter 1.1 RC4.
I have never used snort before. I have gone through the program and set up everything that I can see, but when I try to run snort the console window comes up with
ERROR: No netmask specified for home network!
Fatal Error, Quitting..
I've looked through all the settings and I cannot find anything that would account for this error.
I'm running WinNT4 SP6a in case it makes a difference?
I'd be grateful for any assistance with this 'cause I am completely lost!
mark
-
Could you put up the section of your snort config file that covers the variables such as $HOME_NET etc.? It sounds like one of them is missing a value. :)
-
I hope this is what you meant.
###################################################
# Step #1: Set the network variables:
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
###################################################
var EXTERNAL_NET 82.33.40.181
var HOME_NET 192.168.1.1
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
I've used IDScenter to set it up, I dunno if that will affect it?
mark
-
var EXTERNAL_NET 82.33.40.181
var HOME_NET 192.168.1.1
should be
var EXTERNAL_NET 82.33.40.181/8 (assuming the netmask is 255.0.0.0)
var HOME_NET 192.168.1.1/24 (assuming the netmask is 255.255.255.0)
And do you just want traffic on your internal network from one machine (i.e., 192.168.1.1) or the network (e.g., 192.168.1.0)?
-
I have just tried changing it to that but still no luck, I'm afraid. It still comes up with the same error.
Perhaps if I give a bit more detail it might help.
The computer with snort on has one network card which is connected to a broadband modem, my internet IP address is 82.33.40.181. The second network card then connects to my private network, the private network IP address for that computer is 192.168.1.1, then the other computers connected go on from that, 192.168.1.2, etc.
I want to monitor all the connections coming in off of the internet.
Hope that helps.
mark
-
Then this should be var HOME_NET 192.168.1.0/24
-
Cheers, but still no luck, I'm afraid. Changed it to what you said but still got the exact same message.
mark
-
Hrmmm...
You don't have two snort.conf files by any chance?
-
Thanks for the help, I've managed to get it past that error, I think it was because IDScenter was not issuing the command properly.
It was issuing
C:\Snort\bin\snort.exe -c "C:\Snort\etc\snort.conf" -l "C:\snortlog" -h 192.168.1.1
so I changed it and put this into the command line
C:\Snort\bin\snort.exe -c "C:\Snort\etc\snort.conf" -l "C:\snortlog" -h 192.168.1.0/24
It seemed to work but then I get this different error
ERROR: Unable to open rules file: classification.config or ./classification.config
Fatal Error, Quitting..
I've checked and the file is there and seems to be OK???
I'm hoping that you may have a reason for this error as well.
mark
-
Usually means the config file can't find the rules. For that portion (at the bottom of the config file IIRC) I usually put in the absolute path to the rules location. e.g., include /path/to/rules/sql.rules
-
Ah, that seems to be working now.
Thanks a lot for all the help, I think I'd have given up on it by now if you hadn't been there to help.
Cheers
mark
-
It's not actually complaining about the rules file... yet.
It can't find the classification.config file, so where exactly is your classification.config?
If you put it in bin this will probably fix that problem, you might have to stick the sid-msg.map and the gen-msg.map and reference.config file in there too.
If I were you I'd actually scrap your whole current setup and get Demarc PureSecure personal edition. It's free, the management console blows IDScenter away and if you follow the setup instructions correctly as you install, everything will be set up perfectly.
It does require that you can run IIS on your machine though.
Oops... guess I'm too slow...
Time for a 2nd cup of coffee.
-
I got it working now thanks to MsMittens. I think it was throwing up that error msg because the snort.conf file had two different references to the classification.config file, I just edited the one out and it seems to be running OK now.
I'll have a look at that Demarc PureSecure program though.
mark
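
Added example, not written by anyone in this thread and not part of Snort or IDScenter: a small Python check for the two things that were changed above, a netmask on the home network (in var HOME_NET or after -h) and a repeated include of the same file. The function names and the sample configuration are constructed for illustration, and the parsing only covers simple var and include lines.

```python
import ipaddress
import re

# Constructed sample, modelled on the snort.conf fragment posted in the thread.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.1
include classification.config
include $RULE_PATH/sql.rules
include classification.config
"""

def check_net(value):
    """Return a list of problems with one home-network value (var or -h)."""
    if value == "any" or value.startswith("$"):
        return []                      # keyword or reference to another variable
    problems = []
    for item in value.strip("[]").split(","):
        item = item.strip().lstrip("!")
        if "/" not in item:
            problems.append(f"{item}: no netmask, write it in CIDR form")
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"{item}: not a valid address/prefix")
            continue
        if str(net) != item:           # e.g. 192.168.1.1/24 instead of 192.168.1.0/24
            problems.append(f"{item}: host bits set, network is {net}")
    return problems

def lint_conf(text):
    """Return (line_number, message) findings for the body of a snort.conf."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"var\s+HOME_NET\s+(\S+)$", line)
        if m:
            findings += [(no, "HOME_NET " + p) for p in check_net(m.group(1))]
        m = re.match(r"include\s+(\S+)$", line)
        if m and m.group(1) in seen:
            findings.append((no, f"{m.group(1)} already included on line {seen[m.group(1)]}"))
        elif m:
            seen[m.group(1)] = no
    return findings

def lint_cmdline(argv):
    """Check the value that follows -h in a snort command line (list of args)."""
    if "-h" not in argv[:-1]:
        return []
    return check_net(argv[argv.index("-h") + 1])
```

Run lint_cmdline on the exact command the front end issues as well as lint_conf on the file, since in this thread the value without a netmask came from the -h argument.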