LinuxQuestions.org

snort problem (https://www.linuxquestions.org/questions/linux-newbie-8/snort-problem-835564/)

Greesh 10-01-2010 02:15 AM

snort problem
 
Hi,

I am using Snort and I have some problems with it.

1) If I give the command for NIDS mode, snort -c /etc/snort/snort.conf -A console -i eth1,

it is showing an error like this:

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'FTP_PORTS' defined : [ 21 ]
ERROR: Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.

What is this error?

2) The log file is in a readable format. Should I use some log analyzer for this, or is there any command in Snort?

Please help me with this.

Thanks
Greesh

sem007 10-01-2010 02:59 AM

Did you install the Snort rules?

Regards

Greesh 10-02-2010 01:02 AM

I have the snort.conf file in the /etc/snort directory. Do I need to update that? For that, what shall I do?

sem007 10-02-2010 01:06 AM

Quote:

Originally Posted by Greesh (Post 4115401)
I have the snort.conf file in the /etc/snort directory. Do I need to update that? For that, what shall I do?

After installing Snort you have to install the rules.
You can download the rules from the Snort website (download snortrules-snapshot) and install them.

Also refer to the documentation; it describes how to install Snort and the rules.

http://www.snort.org/docs/setup-guides/

Regards,
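The error in the first post is easier to read once you know how Snort 2.x handles an `include`: it opens the path as written and, if that fails, retries with the directory of snort.conf prepended, and the error message shows that second attempt. That is why a missing /etc/snort/rules/local.rules is reported as "/etc/snort//etc/snort/rules/local.rules". The following checker, an added example that is not from the thread or from the Snort project, expands `var`/`ipvar`/`portvar` the way snort.conf does, applies the same fallback, and lists every referenced path that does not exist; it also covers the `dynamicpreprocessor`/`dynamicengine` lines, since a missing dynamic preprocessor directory is one way to end up with an "Unknown preprocessor" error for a preprocessor such as dcerpc2 later in the file (that reading of the dcerpc2 error is my assumption, not something the thread confirms). The sample config and the set of "existing" files are constructed so the script runs offline; point it at a real snort.conf to check a real box.

```python
"""Added example, not from the thread: report which files a Snort 2.x
snort.conf references that do not exist, mirroring Snort's path fallback.

Assumptions: Snort tries an include path as written, then conf_dir + path
(conf_dir keeps its trailing slash, hence the double slash in the error);
`var`, `ipvar` and `portvar` all define $NAME / $(NAME) substitutions.
The config excerpt and the PRESENT set below are constructed test data."""
import os
import re
import sys

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.IGNORECASE)
DYNAMIC_RE = re.compile(
    r"^\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+"
    r"(?:(directory|file)\s+)?(\S+)", re.IGNORECASE)


def expand_vars(value, variables):
    """Expand $NAME and $(NAME); loop so nested definitions resolve too.
    Unknown variables are left as-is, which is what makes the loop stop."""
    def repl(m):
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r"\$\((\w+)\)|\$(\w+)", repl, value)
    return value


def check_snort_conf(conf_text, conf_dir, exists=os.path.exists):
    """Return (line_no, directive, path_tried, found) for every file or
    directory the config references. `exists` is injectable so the example
    can run against a constructed file set instead of the real filesystem."""
    variables = {}
    results = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = VAR_RE.match(line)
        if m:                                    # var RULE_PATH /etc/snort/rules
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            directive, path = "include", m.group(1)
        else:
            m = DYNAMIC_RE.match(line)
            if not m:
                continue                         # preprocessor/output/rules lines: no path to check
            directive, path = m.group(1).lower(), m.group(3)
        path = expand_vars(path, variables)
        if exists(path):
            results.append((line_no, directive, path, True))
        else:
            # Snort's retry: this concatenation is the path the error prints
            fallback = conf_dir + path
            results.append((line_no, directive, fallback, exists(fallback)))
    return results


def missing_paths(results):
    return [r for r in results if not r[3]]


# Constructed snort.conf excerpt for the example (not a real Fedora config)
SAMPLE_CONF = """\
# constructed excerpt
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor dcerpc2
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
include $PREPROC_RULE_PATH/preprocessor.rules
"""

# Constructed "filesystem": the paths that exist on the box being diagnosed
PRESENT = {
    "/usr/lib/snort_dynamicpreprocessor/",
    "/usr/lib/snort_dynamicengine/libsf_engine.so",
    "/etc/snort/rules/web-misc.rules",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # real run: python check.py /etc/snort/snort.conf
        conf = sys.argv[1]
        text = open(conf).read()
        rows = check_snort_conf(text, os.path.dirname(os.path.abspath(conf)) + "/")
    else:                                        # offline run on the constructed data
        rows = check_snort_conf(SAMPLE_CONF, "/etc/snort/", exists=lambda p: p in PRESENT)
    for line_no, directive, path, found in rows:
        print("%4d %-20s %-6s %s" % (line_no, directive, "ok" if found else "MISSING", path))
```

Run without arguments it reports local.rules and preprocessor.rules as missing, with the double-slash fallback path exactly as Snort prints it, and web-misc.rules as ok; the `dynamicpreprocessor directory` line is checked the same way, so an empty or absent plugin directory shows up before Snort gets as far as a preprocessor line.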

Greesh 10-02-2010 02:13 AM

Thank You...

Greesh 10-03-2010 02:45 AM

Hi..

I downloaded the new rules and copied them to /etc/snort/rules,

and now I tried to run Snort in alert mode; it is showing an error like this:
ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".
Fatal Error, Quitting..

I checked snort.conf, and in that it is given like

preprocessor dcerpc2

I don't understand the error. What am I supposed to write there?

Can you please help...

Thanks
Greesh

Noway2 10-03-2010 06:20 AM

It appears that there is or was a known bug with Snort and Fedora on this issue. See the following link

Greesh 10-03-2010 12:36 PM

Hi..
Actually I am new to it..
To fix that, they have said I have to edit snort.spec,
but I couldn't find snort.spec anywhere..
Can you help with this?

unSpawn 10-03-2010 01:18 PM

The snort.spec is part of the source package: snort-2.8.5.1-1.fc11.src.rpm if you use Fedora 11 or snort-2.8.5.1-1.fc13.src.rpm if you use Fedora 13. Note you'll have to rebuild this package as an unprivileged user to fix this unless you're willing to wait for the updated one to appear in the default Fedora repos.

Greesh 10-03-2010 09:54 PM

snort
 
I am using Fedora 12. So is this the package I have to rebuild:
snort-2.8.5.1-1.fc12.src.rpm

Greesh 10-04-2010 01:19 AM

I tried to rebuild this rpm with user privileges, but it's showing a warning:

warning: user mockbuild does not exist - using root

So what shall I do? Is it necessary to compile this with user privileges?

unSpawn 10-04-2010 10:57 AM

Quote:

Originally Posted by Greesh (Post 4116906)
warning: user mockbuild does not exist - using root

You can ignore this message (it is informational). The package should build just fine.
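The unprivileged rebuild that unSpawn recommends looks like this in practice. The script below is an added example, not from the thread or from Fedora: it sets up a per-user rpmbuild tree, points rpm's `%_topdir` macro at it, unpacks the source RPM there (this `rpm -i` of a .src.rpm is the step that prints the "user mockbuild does not exist - using root" warning; it only concerns the ownership recorded in the package header, and the files still land in your own tree), and refuses to run the build as root. The reason for that refusal is the point of doing this unprivileged at all: the %prep, %build and %install sections of a spec file are arbitrary shell that runs as whoever invokes rpmbuild, so a typo in a spec you have just edited (an `rm -rf` against an empty variable, say) hits only your home directory instead of the system. The file name snort-2.8.5.1-1.fc12.src.rpm is taken from the thread; the directory layout under $HOME and the `yum install rpm-build` hint are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a Fedora source RPM as an
# unprivileged user. Paths under $HOME are assumptions for the example.
set -eu

# Create the rpmbuild tree and tell rpm to use it (%_topdir), so that both
# `rpm -i foo.src.rpm` and `rpmbuild` write only inside the given home.
prepare_rpm_topdir() {
    home="$1"
    topdir="$home/rpmbuild"
    for d in BUILD BUILDROOT RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$topdir/$d"
    done
    # %_topdir is the rpm macro that decides where SOURCES/ and SPECS/ live
    printf '%%_topdir %s\n' "$topdir" > "$home/.rpmmacros"
    echo "$topdir"
}

# Unpack the src.rpm into SPECS/ and SOURCES/, then build from the spec.
# Edit $topdir/SPECS/<name>.spec between the two steps; that is the
# snort.spec the thread is talking about.
rebuild_srpm() {
    srpm="$1"
    topdir="$2"
    if ! command -v rpmbuild >/dev/null 2>&1; then
        echo "rpmbuild not installed (yum install rpm-build)" >&2
        return 2
    fi
    if [ "$(id -u)" -eq 0 ]; then
        # %prep/%build/%install are arbitrary shell from the spec file
        echo "refusing to build as root; run this as an ordinary user" >&2
        return 1
    fi
    # prints "warning: user mockbuild does not exist - using root":
    # informational, the files are still created as the current user
    rpm -ivh "$srpm"
    spec="$topdir/SPECS/$(rpm -qpl "$srpm" | grep '\.spec$')"
    echo "edit $spec now if needed, then the build starts" >&2
    rpmbuild -ba "$spec"
    echo "binary packages are under $topdir/RPMS/" >&2
}

# usage: sh rebuild_srpm.sh snort-2.8.5.1-1.fc12.src.rpm
if [ $# -ge 1 ]; then
    topdir=$(prepare_rpm_topdir "$HOME")
    rebuild_srpm "$1" "$topdir"
fi
```

After `rpmbuild -ba` finishes, install the resulting package from `~/rpmbuild/RPMS/` with `rpm -Uvh` (that installation step, unlike the build, legitimately needs root); until the fixed package reaches the Fedora repositories, yum will not overwrite it unless the repository version is newer.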

