I have suricata errors for HOME_NET

[bscameheorn]

I am getting rule failures in the suricata log when starting the service. It states that HOME_NET is not defined.

I have hnmanager set correctly. Here is the beginning of my /opt/so/saltstack/local/pillar/global.sls file:

  1 global:
  2   soversion: 2.3.200
  3   hnmanager: '10.0.0.0/8,192.168.0.0/16,172.16.0.0/12'
  4   dockernet: '172.17.0.0'
  5   mdengine: 'ZEEK'
  6   ids: 'Suricata'
  7   url_base: 'ctpso.sslighting.local'
  8   managerip: '10.100.20.42'
  9   airgap: False
 10   fleet_custom_hostname:
 11   fleet_manager: True
 12   fleet_node: False
 13   fleet_packages-timestamp: '2023-01-18-21:54'
 14   fleet_packages-version: 3
 15   fleet_hostname: 'ctpso'
 16   fleet_ip: '10.100.20.42'
 17   sensoronikey: 'h66y9TpXXBCxXXENF9BV'
 18   wazuh: 1
 19   imagerepo: 'security-onion-solutions'
 20   pipeline: 'redis'
 21 suricata:
 22   config:
 23     vars:
 24       address-groups:
 25       EXTERNAL_NET: "!$HOME_NET"

Here is the tail of my suricata.log:

448017 19/1/2023 -- 16:49:24 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HOME_NET" is not defined in configuration file
448018 19/1/2023 -- 16:49:24 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [97.85.35.254,98.128.173.1,98.128.175.41,98.1 28.202.87,98.2.231.74,98.250.174.4,98.46.21.126,98.63.230.136,98.96.164.104,98.96.170.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit ) Node Traffic group 806"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype :misc-attack; flowbits:set,ET.TorIP; sid:2522805; rev:5054; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_sever ity Audit, created_at 2008_12_01, updated_at 2023_01_18;)" from file /etc/suricata/rules/all.rules at line 39802
448019 19/1/2023 -- 16:49:24 - - 1 rule files processed. 210 rules successfully loaded, 31993 rules failed
448020 19/1/2023 -- 16:49:24 - - Threshold config parsed: 0 rule(s) found
448021 19/1/2023 -- 16:49:24 - - 210 signatures processed. 0 are IP-only rules, 166 are inspecting packet payload, 44 inspect application layer, 0 are decod er event only
448022 19/1/2023 -- 16:49:24 - - Going to use 4 thread(s)
448023 19/1/2023 -- 16:49:24 - - Running in live mode, activating unix socket
448024 19/1/2023 -- 16:49:24 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
448025 19/1/2023 -- 16:49:24 - - all 4 packet processing threads, 4 management threads initialized, engine started.
448026 19/1/2023 -- 16:49:24 - - Using BPF 'not port 514' on iface 'bond0'
448027 19/1/2023 -- 16:49:24 - - Using BPF 'not port 514' on iface 'bond0'
448028 19/1/2023 -- 16:49:24 - - Using BPF 'not port 514' on iface 'bond0'
448029 19/1/2023 -- 16:49:24 - - Using BPF 'not port 514' on iface 'bond0'
448030 19/1/2023 -- 16:49:24 - - All AFP capture threads are running.

Any ideas what the issue may be? I am running a standalone bare metal.

Thank you,

Brian

[bscameheorn]

I added HOME_NET to the variables and this is resolved.

 suricata:
   config:
      vars:
        address-groups:
          HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

[eb-op]

Great to hear! I would like to make note, though, that on line 25 of your global.sls file you are missing two spaces.