LinuxQuestions.org
Old 10-01-2010, 03:15 AM   #1
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Rep: Reputation: 1
snort problem


Hi,

I am using snort and I have some problems with it.

1) If I give the command for NIDS mode, snort -c /etc/snort/snort.conf -A console -i eth1

it shows an error like this:

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'FTP_PORTS' defined : [ 21 ]
ERROR: Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.

What is this error?

2) The log file is in readable format. Should I use some log analyzer for this, or is there any command in snort?

Please help me with this.

Thanks
Greesh
 
Old 10-01-2010, 03:59 AM   #2
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Did you install the snort rules?

Regards
 
Old 10-02-2010, 02:02 AM   #3
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
I have the snort.conf file in the /etc/snort directory. Do I need to update that? What shall I do for that?
 
Old 10-02-2010, 02:06 AM   #4
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Quote:
Originally Posted by Greesh
I have the snort.conf file in the /etc/snort directory. Do I need to update that? What shall I do for that?
After installing snort you have to install the rules.
You can download the rules from the snort website: download snortrules-snapshot and install it.

Also refer to the documentation; it describes how to install snort and the rules.

http://www.snort.org/docs/setup-guides/

Regards,

Last edited by sem007; 10-02-2010 at 02:07 AM. Reason: typo
 
1 members found this post helpful.
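
A pre-flight check for the situation in this thread, where snort.conf includes rule files that were never installed. This is an added example, not part of the original posts or of Snort itself; the function name `missing_rule_files`, the sample config and its file names are constructed, and it assumes the `var NAME value` / `include path` syntax of Snort 2.x configs, with relative includes resolved against the config directory.

```shell
#!/bin/sh
# Added example: list files that a Snort 2.x style config includes but that
# are missing on disk. Handles "var NAME value" and "include path" lines only.

missing_rule_files() (
    conf=$1
    # Assumption: relative include paths are resolved against the config dir.
    confdir=$(cd "$(dirname "$conf")" && pwd) || exit 2
    awk -v confdir="$confdir" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        $1 == "var" && NF >= 3 { vars[$2] = $3; next }
        $1 == "include" && NF >= 2 {
            path = $2
            guard = 0
            # Expand $NAME references, including variables built from others.
            while (match(path, /\$[A-Za-z_][A-Za-z0-9_]*/) && guard++ < 16) {
                name = substr(path, RSTART + 1, RLENGTH - 1)
                if (!(name in vars)) break           # leave unknown vars as-is
                path = substr(path, 1, RSTART - 1) vars[name] substr(path, RSTART + RLENGTH)
            }
            if (path !~ /^\//) path = confdir "/" path
            print path
        }
    ' "$conf" | while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
)

# Constructed sample config in a temp directory, so this runs without Snort.
demo=$(mktemp -d)
mkdir "$demo/rules"
: > "$demo/rules/web.rules"
cat > "$demo/snort.conf" <<EOF
# constructed sample, not a real snort.conf
var RULE_PATH $demo/rules
include \$RULE_PATH/web.rules
include \$RULE_PATH/local.rules
include classification.config
EOF

echo "Missing include targets:"
missing_rule_files "$demo/snort.conf"
```

Run it as `missing_rule_files /etc/snort/snort.conf` before starting Snort; `snort -T -c /etc/snort/snort.conf` then tests the full configuration.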
Old 10-02-2010, 03:13 AM   #5
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
Thank You...
 
Old 10-03-2010, 03:45 AM   #6
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
Hi,

I downloaded the new rules and copied them to /etc/snort/rules

and now when I try to run snort in alert mode, it shows an error like this:
ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".
Fatal Error, Quitting..

I checked snort.conf; in it there is a line like

preprocessor dcerpc2

I don't understand the error. What am I supposed to write there?

Can you please help?

Thanks
Greesh
 
Old 10-03-2010, 07:20 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 778
It appears that there is or was a known bug with snort and fedora on this issue. See the following link
 
Old 10-03-2010, 01:36 PM   #8
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
Hi,
Actually I am new to this.
To fix that, they say I have to edit snort.spec,
but I couldn't find snort.spec anywhere.
Can you help with this?
 
Old 10-03-2010, 02:18 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
The snort.spec is part of the source package: snort-2.8.5.1-1.fc11.src.rpm if you use Fedora 11 or snort-2.8.5.1-1.fc13.src.rpm if you use Fedora 13. Note you'll have to rebuild this package as an unprivileged user to fix this, unless you're willing to wait for the updated one to appear in the default Fedora repos.
 
Old 10-03-2010, 10:54 PM   #10
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
snort

I am using Fedora 12. So is this the package I have to rebuild?
snort-2.8.5.1-1.fc12.src.rpm
 
Old 10-04-2010, 02:19 AM   #11
Greesh
LQ Newbie
 
Registered: Sep 2010
Posts: 10

Original Poster
Rep: Reputation: 1
I tried to rebuild this rpm with user privilege, but it shows a warning:

warning: user mockbuild does not exist - using root

So what shall I do? Is it necessary to compile this with user privilege?
 
Old 10-04-2010, 11:57 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by Greesh
warning: user mockbuild does not exist - using root
You can ignore this message (of the informational level). The package should build just fine.
 
  

