snort start error

zuessh · 01-11-2006, 01:30 PM

hello i recently installed snort using the guide located at snort.org for redhat fedora core 4

when starting snort using snort -c /etc/snort/snort.conf i receive the following error
cannot open the performacne log fle /var/snort/snort.stats

Any idea of what the problem is? I would post my snort.conf but it is too large, if i need to post a section of it let me know. Thanks

celejar · 01-11-2006, 02:14 PM

Check the permissions of the snort.stats file if it exists, and if not, the permissions of the /var/snort directory. If the file / directory isn't writeable by the user snort is running as you'll get an error. I think I once had a similar problem.

zuessh · 01-11-2006, 02:23 PM

yep, tried that first. I'm pretty sure it's a problem with my snort.conf but im not sure where. When I grant permission to the /var/snort it gives another error. it is below

unable to open unicode.map file /etc/snort/unicode.map

If i comment out that line it just goes to another erro about preprocessors. If anyone has an idea to what portion of my conf file to post i will do so. I am also using the -T option with the same results.

unSpawn · 01-11-2006, 03:25 PM

And if you specify the location of the map?: "preprocessor http_inspect: global iis_unicode_map /some/dir/unicode.map 1252"

zuessh · 01-11-2006, 03:47 PM

Occams razor at it's finest. I had to copy all the rules from /etc/snort rules to /etc/snort/ and I am fine. Blah...

unSpawn · 01-11-2006, 04:04 PM

Well, if you want to, else at the top of snort.conf just define:
var SNORT_RULES /etc/snort/rules
var SNORT_DIR /etc/snort
(etc, etc)
preprocessor http_inspect: global iis_unicode_map $SNORT_DIR/unicode.map 1252
(etc, etc)
# and for the rules:
include $SNORT_RULES/sco_doesnt.rules
(etc, etc)