Latest LQ Deal: Latest LQ Deals
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 09-09-2005, 03:35 PM   #1
LQ Newbie
Registered: Aug 2005
Posts: 17

Rep: Reputation: 0
Cannot get snort to start

I cannot get snort to start. I'm following the doc written by Patrick Harper. I have the following line in rc.local

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -D

Snort won't start on reboot.

I've tried it from CL too and it won't start.

I put an init script that I found in a book with the following:
OPTIONS="-D -u snort"

and snort won't start on reboot.

I've tried this as a test that I found in a book:
# /usr/local/bin/snort -T -u snort -c /etc/snort/snort.conf

And that seemed to work, it said snort successfully loaded all rules and checked all rule chains, but then it exits. Does anyone have any ideas?
Old 09-10-2005, 08:41 AM   #2
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
What does it say when you do
# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort
Old 09-10-2005, 01:38 PM   #3
LQ Newbie
Registered: Aug 2005
Posts: 17

Original Poster
Rep: Reputation: 0
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses:
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(372) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/
IIS Unicode Map Codepage: 1252
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

X-Link2State Config:
Ports: 25 691
ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
Fatal Error, Quitting..
Old 09-10-2005, 01:42 PM   #4
LQ Newbie
Registered: Aug 2005
Posts: 17

Original Poster
Rep: Reputation: 0
I figured it out. I didn't have the rules from the rules directory. I missed that part, but before that I had already downloaded rules from snort and extracted a bunch of text files that I had copied into the /etc/snort/rules directory. What are those for?
Old 09-11-2005, 08:28 AM   #5
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Someone can correct me if I am wrong, but I believe Snort creates a binary DB based on the txt files. It reads rules from the db file since its a lot faster than opening and parsing txt files.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Error when starting up snort: bash:!/bin/sh/usr/local/bin/snort :Eent not found cynthia_thomas Linux - Software 1 11-11-2005 02:59 PM
snort failed: snort: symbol lookup error: undefined symbol: usmAES192PrivProtocol Emmanuel_uk Linux - Security 1 07-10-2005 10:29 AM
Smoothwall 1.0 fixes5 - Snort won't start sgallo Linux - Networking 3 06-09-2003 07:46 AM
Snort won't start tarballedtux Linux - Security 6 10-26-2002 07:58 PM
I want to start Snort as a service/daemon Olusegun Linux - Software 3 10-15-2002 10:35 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:54 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration