Failed to parse the IP address
-
Hi,
When enabling Snort on WAN0 I get an error message "Failed to parse the IP address".
Where should I start looking? Thanks!
Time Process PID Message
Jul 1 15:33:17 php /tmp/snort_vmx056797_startcmd.php: The command '/usr/local/bin/snort -R 56797 -D -l /var/log/snort/snort_vmx056797 --pid-path /var/run --nolock-pidfile -G 56797 -c /usr/local/etc/snort/snort_56797_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
Jul 1 15:33:17 snort 62263 FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) Failed to parse the IP address: [8.8.4.4,8.8.8.8,10.0.56.0/24,10.10.10.1/32,10.44.0.0/21,10.44.16.0/24,10.130.22.0/23,10.130.23.1/24,10.130.122.12/32,10.242.2.0/24,93.94.106.22/32,93.94.106.23/32,93.94.106.24/32,127.0.0.1,172.16.0.1,172.16.0.100,172.16.0.110/32,172.16.0.120/32,172.16.0.130/32,172.16.0.131/32,172.16.0.140/32,172.17.0.0/24,172.17.0.200/32,172.18.0.0/24,172.19.0.0/24,172.20.24.0/24,172.21.0.0/24,172.31.254.0/24,172.31.255.0/24,172.31.255.100/32,172.31.255.110/32,172.31.255.130/32,172.31.255.140/128,192.168.0.0/24,192.168.0.1/24,192.168.5.0/24,192.168.20.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24,192.168.91.0/24,192.168.100.0/24,192.168.200.0/24,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590].
Jul 1 15:33:17 snort 62263 Parsing Rules file "/usr/local/etc/snort/snort_56797_vmx0/snort.conf"
-
We've been using Suricata not Snort, so I'm not that familiar with it, but from the message I'd guess that instead of "8.8.4.4,8.8.8.8,10.0.56.0/24,10.10.10.1/32,10.44.0.0/21,10.44.16.0/24,10.130.22.0/23,10.130.23.1/24,10.130.122.12/32,10.242.2.0/24,93.94.106.22/32,93.94.106.23/32,93.94.106.24/32,127.0.0.1,172.16.0.1,172.16.0.100,172.16.0.110/32,172.16.0.120/32,172.16.0.130/32,172.16.0.131/32,172.16.0.140/32,172.17.0.0/24,172.17.0.200/32,172.18.0.0/24,172.19.0.0/24,172.20.24.0/24,172.21.0.0/24,172.31.254.0/24,172.31.255.0/24,172.31.255.100/32,172.31.255.110/32,172.31.255.130/32,172.31.255.140/128,192.168.0.0/24,192.168.0.1/24,192.168.5.0/24,192.168.20.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24,192.168.91.0/24,192.168.100.0/24,192.168.200.0/24,::1,fe80::20c:29ff:fed6:b5a4,fe80::20c:29ff:fed6:b5ae,fe80::20c:29ff:fed6:b5b8,fe80::20c:29ff:fed6:b5c2,fe80::20c:29ff:fed6:b5cc,fe80::20c:29ff:fed6:b59a,fe80::20c:29ff:fed6:b586,fe80::20c:29ff:fed6:b590" it is expecting one address not a bunch? Or perhaps semicolons instead of commas, or something like that?
-
Thanks for your reply!
I didn't enter that at all, it gets them from the Home Net part, where it says in the Snort config: Choose the Home Net you want this interface to use. Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.
So it should be able to receive a list, I didn't change the default "Home net" and when I select "View List" it shows:
8.8.4.4 8.8.8.8 10.10.10.1/32 81.82.192.1 81.82.194.131 127.0.0.1 192.168.0.0/24 192.168.5.0/24 192.168.20.0/24 192.168.20.222 192.168.30.0/24 192.168.100.0/24 192.168.200.0/24 192.168.200.1 ::1 fe80::20c:29ff:fee6:10a3 fe80::20c:29ff:fee6:10ad fe80::20c:29ff:fee6:10b7 fe80::20c:29ff:fee6:1099
I did not enable ipv6 so maybe it gets stuck on those or it's the ip/netmask notation?
I could try and create a list with just the ipv4 entries but I am a little confused about what actually the problem is. On another note: why do you use Suricata?
Thx!
-
@cukal Using Suricata wasn't all that scientific...we had to start somewhere, Suricata is multi-threaded and Snort isn't, and there were packages for both so we tried one. As I vaguely recall Suricata was developed by OISF as something of a next gen Snort, and it's compatible with Snort rules. Search "snort vs suricata" and you will find a bunch on it.
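An added example, not from any poster in this thread and not Snort or pfSense code: a Python check that pulls the bracketed list out of an error like the one in the first post and validates each entry with the standard `ipaddress` module. The sample is a shortened excerpt of that list, the function names are hypothetical, and Python's validation rules are only assumed to approximate Snort's.

```python
import ipaddress
import re

# Shortened excerpt of the FATAL ERROR line from the first post (sample input).
SAMPLE_ERROR = (
    "FATAL ERROR: /usr/local/etc/snort/snort_56797_vmx0/snort.conf(5) "
    "Failed to parse the IP address: [8.8.4.4,10.10.10.1/32,10.130.23.1/24,"
    "172.31.255.130/32,172.31.255.140/128,192.168.0.0/24,::1,"
    "fe80::20c:29ff:fed6:b5a4]."
)


def extract_entries(message):
    """Return the comma-separated entries inside the first [...] of a message."""
    match = re.search(r"\[([^\]]*)\]", message)
    if match is None:
        return []
    return [item.strip() for item in match.group(1).split(",") if item.strip()]


def check_entries(entries):
    """Return (invalid, host_bits_set).

    invalid: (entry, reason) pairs that are not a valid IPv4/IPv6 address or CIDR.
    host_bits_set: valid CIDR entries whose address is not the network address.
    """
    invalid, host_bits_set = [], []
    for entry in entries:
        try:
            # strict=False tolerates host bits, so only real syntax errors raise.
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            invalid.append((entry, str(exc)))
            continue
        address = ipaddress.ip_address(entry.split("/")[0])
        if "/" in entry and address != network.network_address:
            host_bits_set.append(entry)
    return invalid, host_bits_set


if __name__ == "__main__":
    bad, loose = check_entries(extract_entries(SAMPLE_ERROR))
    for entry, reason in bad:
        print(f"INVALID  {entry}: {reason}")
    for entry in loose:
        print(f"HOSTBITS {entry}")
```

On the excerpt it reports `172.31.255.140/128` as invalid (a prefix longer than 32 on an IPv4 address) and `10.130.23.1/24` as a CIDR with host bits set.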