Greetings and thanks for reaching out to us.
These errors you are getting from your rules are not actually a rule syntax problem. This is a problem with variable definitions for HOME_NET, DNS_SERVERS and SMTP_SERVERS in your snort.lua and/or snort_defaults.lua configuration files for snort3.
By default, snort 3 uses the configuration file /usr/local/etc/snort/snort.lua to define a whole host of configuration settings. One of those settings is the HOME_NET variable:
Notice how it is set to 'any' and that most of the errors are variations of "hey, this variable cannot be set to !any"? It's because the value any cannot be negated. Snort can’t make sense of that.
Compare that to the default HOME_NET value for Suricata:
By default, we’re assuming that users have defined their HOME_NET variable to best suit the IP address range(s) of the network(s) they’re trying to protect. But even if they don’t, the HOME_NET variable defaults to the RFC1918 (Private network) IP address ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
So the bottom line in all of this is that if you’d like to fix these errors, you need to change the value of HOME_NET in your snort.lua file. If you don’t know what the value of your HOME_NET variable should be, you can just set it to the RFC1918 networks by changing the HOME_NET line to this:
Now, you’re probably wondering: Does this fix the errors I’m getting for $SMTP_SERVERS and $DNS_SERVERS as well?
Yes, because those variables are defined in the snort_defaults.lua and they just inherit the value of HOME_NET:
If you have custom DNS, SMTP, etc. server IP addresses that are NOT in the scope of your HOME_NET, you’ll need to manually modify this file to suit your needs. But otherwise, if all you want is for these rules to pass validation, then their default value of HOME_NET should be fine.
Try out the changes I’ve recommended and let me know if you continue to have problems.
Thanks again,
-Tony R.
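An added example (not part of the reply above, and not Snort's own code): a pre-flight check that follows variable assignments of the kind described in the reply and lists every rule that negates a variable resolving to any. The Lua text, rules, messages and SIDs are constructed samples, and the parser is an assumption that only handles plain `NAME = 'value'` and `NAME = OTHER_NAME` lines.

```python
import re

# Constructed stand-in for assignments in snort.lua / snort_defaults.lua (assumption).
SAMPLE_LUA = """
HOME_NET = 'any'
EXTERNAL_NET = 'any'
DNS_SERVERS = HOME_NET
SMTP_SERVERS = HOME_NET
"""

# Constructed sample rules; messages and SIDs are placeholders.
SAMPLE_RULES = """\
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"constructed rule A"; sid:1000001;)
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"constructed rule B"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule C"; sid:1000003;)
"""

ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(?:(['\"])(.*?)\2|(\w+))\s*(?:--.*)?$")
NEGATED = re.compile(r"!\$(\w+)")

def load_vars(lua_text):
    """Collect simple NAME = 'value' and NAME = OTHER_NAME assignments."""
    raw = {}
    for line in lua_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            name, _quote, value, ref = m.groups()
            raw[name] = ("ref", ref) if ref else ("val", value)
    return raw

def resolve(name, raw, seen=()):
    """Follow NAME = OTHER_NAME chains to the final string value (None if unknown)."""
    if name not in raw or name in seen:
        return None
    kind, value = raw[name]
    return resolve(value, raw, seen + (name,)) if kind == "ref" else value.strip()

def negated_any(rules_text, raw):
    """Return (line_no, variable) for each !$VAR whose value resolves to 'any'."""
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        for var in NEGATED.findall(line):
            if resolve(var, raw) == "any":
                hits.append((no, var))
    return hits

if __name__ == "__main__":
    print(negated_any(SAMPLE_RULES, load_vars(SAMPLE_LUA)))
```

Pointing `load_vars` at the text of both configuration files concatenated (defaults last) lets inherited variables such as DNS_SERVERS resolve through HOME_NET.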