Cannot get snort to start
I cannot get snort to start. I'm following the doc written by Patrick Harper. I have the following line in rc.local
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -D Snort won't start on reboot. I've tried it from CL too and it won't start. I put an init script that I found in a book with the following: SNORT_PATH=/usr/local/bin CONFIG=/etc/snort/snort.conf IFACE=eth1 SNORT_GID=snort OPTIONS="-D -u snort" and snort won't start on reboot. I've tried this as a test that I found in a book: # /usr/local/bin/snort -T -u snort -c /etc/snort/snort.conf And that seemed to work, it said snort successfully loaded all rules and checked all rule chains, but then it exits. Does anyone have any ideas? |
What does it say when you do
Code:
# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort |
Running in IDS mode
Log directory = /var/log/snort Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- Frag3 global config: Max frags: 65536 Fragment memory cap: 4194304 bytes Frag3 engine config: Target-based policy: FIRST Fragment timeout: 60 seconds Fragment min_ttl: 1 Fragment ttl_limit: 5 Fragment Problems: 1 Bound Addresses: 0.0.0.0/0.0.0.0 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes Session count max: 8192 sessions Session cleanup count: 5 State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Enforce TCP State: INACTIVE Midstream Drop Alerts: INACTIVE Server Data Inspection Limit: -1 WARNING /etc/snort/snort.conf(372) => flush_behavior set in config file, using old static flushpoints (0) Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE Flush stream on alert: INACTIVE flush_data_diff_size: 500 Reassembler Packet Preferance : Favor Old Packet Sequence Overlap Limit: -1 Flush behavior: Small (<255 bytes) Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 Portscan Detection Config: Detect Protocols: TCP UDP ICMP IP Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan Sensitivity Level: Low Memcap (in bytes): 10000000 Number of Nodes: 36900 X-Link2State Config: Ports: 25 691 ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules Fatal Error, Quitting.. |
I figured it out. I didn't have the rules from the rules directory. I missed that part, but before that I had already downloaded rules from snort and extracted a bunch of text files that I had copied into the /etc/snort/rules directory. What are those for?
|
Someone can correct me if I am wrong, but I believe Snort creates a binary DB based on the txt files. It reads rules from the db file since its a lot faster than opening and parsing txt files.
|
All times are GMT -5. The time now is 11:09 PM. |