Failed to parse the IP address



  • Hi,

    When enabling Snort on WAN0 I get an error message "Failed to parse the IP address".
    Where should I start looking?

    Thanks!

    
    Time	Process	PID	Message
    Jul 1 15:33:17	php		/tmp/snort_vmx056797_startcmd.php: The command '/usr/local/bin/snort -R 56797 -D -l /var/log/snort/snort_vmx056797 --pid-path /var/run --nolock-pidfile -G 56797 -c /usr/local/etc/snort/snort_56797_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jul 1 15:33:17	snort	62263	FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) Failed to parse the IP address: [8.8.4.4,8.8.8.8,10.0.56.0/24,10.10.10.1/32,10.44.0.0/21,10.44.16.0/24,10.130.22.0/23,10.130.23.1/24,10.130.122.12/32,10.242.2.0/24,93.94.106.22/32,93.94.106.23/32,93.94.106.24/32,127.0.0.1,172.16.0.1,172.16.0.100,172.16.0.110/32,172.16.0.120/32,172.16.0.130/32,172.16.0.131/32,172.16.0.140/32,172.17.0.0/24,172.17.0.200/32,172.18.0.0/24,172.19.0.0/24,172.20.24.0/24,172.21.0.0/24,172.31.254.0/24,172.31.255.0/24,172.31.255.100/32,172.31.255.110/32,172.31.255.130/32,172.31.255.140/128,192.168.0.0/24,192.168.0.1/24,192.168.5.0/24,192.168.20.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24,192.168.91.0/24,192.168.100.0/24,192.168.200.0/24,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590].
    Jul 1 15:33:17	snort	62263	Parsing Rules file "/usr/local/etc/snort/snort_56797_vmx0/snort.conf"
    


  • We've been using Suricata not Snort, so I'm not that familiar with it, but from the message I'd guess that instead of "8.8.4.4,8.8.8.8,10.0.56.0/24,10.10.10.1/32,10.44.0.0/21,10.44.16.0/24,10.130.22.0/23,10.130.23.1/24,10.130.122.12/32,10.242.2.0/24,93.94.106.22/32,93.94.106.23/32,93.94.106.24/32,127.0.0.1,172.16.0.1,172.16.0.100,172.16.0.110/32,172.16.0.120/32,172.16.0.130/32,172.16.0.131/32,172.16.0.140/32,172.17.0.0/24,172.17.0.200/32,172.18.0.0/24,172.19.0.0/24,172.20.24.0/24,172.21.0.0/24,172.31.254.0/24,172.31.255.0/24,172.31.255.100/32,172.31.255.110/32,172.31.255.130/32,172.31.255.140/128,192.168.0.0/24,192.168.0.1/24,192.168.5.0/24,192.168.20.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24,192.168.91.0/24,192.168.100.0/24,192.168.200.0/24,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590" it is expecting one address not a bunch? Or perhaps semicolons instead of commas, or something like that?



  • Thanks for your reply!
    I didn't enter that at all, it gets them from the Home Net part, where it says in the Snort config:

    Choose the Home Net you want this interface to use.
    Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs.
    Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.
    

    So it should be able to receive a list. I didn't change the default "Home net", and when I select "View List" it shows:

    8.8.4.4
    8.8.8.8
    10.10.10.1/32
    81.82.192.1
    81.82.194.131
    127.0.0.1
    192.168.0.0/24
    192.168.5.0/24
    192.168.20.0/24
    192.168.20.222
    192.168.30.0/24
    192.168.100.0/24
    192.168.200.0/24
    192.168.200.1
    ::1
    fe80::20c:29ff:fee6:10a3
    fe80::20c:29ff:fee6:10ad
    fe80::20c:29ff:fee6:10b7
    fe80::20c:29ff:fee6:1099
    

    I did not enable IPv6, so maybe it gets stuck on those, or it's the IP/netmask notation?
    I could try to create a list with just the IPv4 entries, but I am a little confused about what the problem actually is.

    On another note: why do you use Suricata?

    Thx!
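
An added example, not part of the original posts and not pfSense or Snort code: a Python check that pulls the address list out of the FATAL ERROR line in the first post (shortened here to a few of its entries) and reports entries that are not a valid address or CIDR block. It flags 172.31.255.140/128, an IPv4 address with a prefix length above 32; that this is the entry Snort rejected is an assumption the thread does not confirm. The function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the FATAL ERROR line from the first post (address list shortened).
LOG_LINE = (
    "FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) "
    "Failed to parse the IP address: [8.8.4.4,10.0.56.0/24,10.130.23.1/24,"
    "172.31.255.130/32,172.31.255.140/128,192.168.0.1/24,::1,"
    "fe80::20c:29ff:fed6:b5a4]."
)

LIST_RE = re.compile(r"Failed to parse the IP address: \[([^\]]*)\]")


def extract_entries(log_line):
    """Return the comma-separated entries from Snort's error message."""
    match = LIST_RE.search(log_line)
    if match is None:
        return []
    return [e.strip() for e in match.group(1).split(",") if e.strip()]


def check_entries(entries):
    """Split entries into (invalid, host_bits_set) lists.

    invalid: (entry, reason) pairs that are not a valid address or CIDR block.
    host_bits_set: valid entries whose address is not the network address,
    listed only as a note (the thread does not say how Snort treats them).
    """
    invalid, host_bits_set = [], []
    for entry in entries:
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            invalid.append((entry, str(exc)))
            continue
        if iface.ip != iface.network.network_address:
            host_bits_set.append(entry)
    return invalid, host_bits_set


if __name__ == "__main__":
    bad, loose = check_entries(extract_entries(LOG_LINE))
    for entry, reason in bad:
        print(f"invalid: {entry} ({reason})")
    for entry in loose:
        print(f"host bits set: {entry}")
```
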



  • @cukal Using Suricata wasn't all that scientific...we had to start somewhere, Suricata is multi-threaded and Snort isn't, and there were packages for both so we tried one. As I vaguely recall Suricata was developed by OISF as something of a next gen Snort, and it's compatible with Snort rules. Search "snort vs suricata" and you will find a bunch on it.