Failed to parse the IP address

  • Hi,

    When enabling Snort on WAN0 I get an error message "Failed to parse the IP address".
    Where should I start looking?


    Time	Process	PID	Message
    Jul 1 15:33:17	php		/tmp/snort_vmx056797_startcmd.php: The command '/usr/local/bin/snort -R 56797 -D -l /var/log/snort/snort_vmx056797 --pid-path /var/run --nolock-pidfile -G 56797 -c /usr/local/etc/snort/snort_56797_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
    Jul 1 15:33:17	snort	62263	FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) Failed to parse the IP address: [,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590].
    Jul 1 15:33:17	snort	62263	Parsing Rules file "/usr/local/etc/snort/snort_56797_vmx0/snort.conf"

  • We've been using Suricata not Snort, so I'm not that familiar with it, but from the message I'd guess that instead of ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590" it is expecting one address not a bunch? Or perhaps semicolons instead of commas, or something like that?

  • Thanks for your reply!
    I didn't enter that at all, it gets them from the Home Net part, where it says in the Snort config:

    Choose the Home Net you want this interface to use.
    Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs.
    Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.

    So it should be able to receive a list. I didn't change the default "Home net", and when I select "View List" it shows:

    I did not enable IPv6, so maybe it gets stuck on those, or is it the IP/netmask notation?
    I could try to create a list with just the IPv4 entries, but I am a little confused about what the problem actually is.

    On another note: why do you use Suricata?


  • @cukal Using Suricata wasn't all that scientific...we had to start somewhere, Suricata is multi-threaded and Snort isn't, and there were packages for both so we tried one. As I vaguely recall Suricata was developed by OISF as something of a next gen Snort, and it's compatible with Snort rules. Search "snort vs suricata" and you will find a bunch on it.
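
Added example, not part of any post in this thread: a small Python check that pulls the bracketed list out of a "Failed to parse the IP address" line like the one in the first post and labels each element as empty, IPv4, IPv6 or invalid, so the run of empty elements can be told apart from the IPv6 entries. The sample line is constructed (the log line above with the empty run shortened to three and two of the fe80:: addresses kept), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: same shape as the FATAL ERROR line in the thread, with the
# run of empty elements shortened to three and only two fe80:: addresses kept.
SAMPLE_LOG = (
    "FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) "
    "Failed to parse the IP address: "
    "[,,,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae]."
)

LIST_RE = re.compile(r"Failed to parse the IP address: \[(.*)\]")


def classify(entry):
    """Return 'empty', 'ipv4', 'ipv6' or 'invalid' for one list element."""
    entry = entry.strip()
    if not entry:
        return "empty"
    try:
        # strict=False also accepts host/prefix notation such as 192.168.1.1/24
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid"
    return "ipv4" if net.version == 4 else "ipv6"


def audit(log_line):
    """Extract the bracketed list from the error line and classify each element."""
    match = LIST_RE.search(log_line)
    if match is None:
        raise ValueError("no address list found in log line")
    entries = match.group(1).split(",")
    return [(pos, e, classify(e)) for pos, e in enumerate(entries, start=1)]


def summary(rows):
    """Count how many elements fall into each class."""
    counts = {}
    for _, _, kind in rows:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rows = audit(SAMPLE_LOG)
    print(summary(rows))
    for pos, entry, kind in rows:
        if kind in ("empty", "invalid"):
            print(f"element {pos}: {kind} {entry!r}")
```

Run against the real log line, the positions of the empty elements show how many Home Net entries were rendered as blanks before the IPv6 addresses begin.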
