-   Linux - Security (
-   -   snort start error (

zuessh 01-11-2006 01:30 PM

snort start error
hello i recently installed snort using the guide located at for redhat fedora core 4

when starting snort using snort -c /etc/snort/snort.conf i receive the following error
cannot open the performacne log fle /var/snort/snort.stats

Any idea of what the problem is? I would post my snort.conf but it is too large, if i need to post a section of it let me know. Thanks

celejar 01-11-2006 02:14 PM

Check the permissions of the snort.stats file if it exists, and if not, the permissions of the /var/snort directory. If the file / directory isn't writeable by the user snort is running as you'll get an error. I think I once had a similar problem.

zuessh 01-11-2006 02:23 PM

yep, tried that first. I'm pretty sure it's a problem with my snort.conf but im not sure where. When I grant permission to the /var/snort it gives another error. it is below

unable to open file /etc/snort/

If i comment out that line it just goes to another erro about preprocessors. If anyone has an idea to what portion of my conf file to post i will do so. I am also using the -T option with the same results.

unSpawn 01-11-2006 03:25 PM

And if you specify the location of the map?: "preprocessor http_inspect: global iis_unicode_map /some/dir/ 1252"

zuessh 01-11-2006 03:47 PM

Occams razor at it's finest. I had to copy all the rules from /etc/snort rules to /etc/snort/ and I am fine. Blah...

unSpawn 01-11-2006 04:04 PM

Well, if you want to, else at the top of snort.conf just define:
var SNORT_RULES /etc/snort/rules
var SNORT_DIR /etc/snort
(etc, etc)
preprocessor http_inspect: global iis_unicode_map $SNORT_DIR/ 1252
(etc, etc)
# and for the rules:
include $SNORT_RULES/sco_doesnt.rules
(etc, etc)

All times are GMT -5. The time now is 06:59 AM.