Old 01-11-2006, 01:30 PM   #1
zuessh
snort start error


Hello, I recently installed Snort using the guide located at snort.org for Red Hat Fedora Core 4.

When starting Snort using snort -c /etc/snort/snort.conf I receive the following error:
cannot open the performance log file /var/snort/snort.stats

Any idea of what the problem is? I would post my snort.conf but it is too large; if I need to post a section of it, let me know. Thanks
 
Old 01-11-2006, 02:14 PM   #2
celejar
Member
 
Registered: Oct 2003
Location: New York
Distribution: Debian Sid
Posts: 185

Rep: Reputation: 30
Check the permissions of the snort.stats file if it exists, and if not, the permissions of the /var/snort directory. If the file / directory isn't writeable by the user snort is running as, you'll get an error. I think I once had a similar problem.
 
Old 01-11-2006, 02:23 PM   #3
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
Yep, tried that first. I'm pretty sure it's a problem with my snort.conf but I'm not sure where. When I grant permission to the /var/snort it gives another error. It is below:

unable to open unicode.map file /etc/snort/unicode.map

If I comment out that line it just goes to another error about preprocessors. If anyone has an idea as to what portion of my conf file to post, I will do so. I am also using the -T option with the same results.
 
Old 01-11-2006, 03:25 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
And if you specify the location of the map?: "preprocessor http_inspect: global iis_unicode_map /some/dir/unicode.map 1252"
 
Old 01-11-2006, 03:47 PM   #5
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
Occam's razor at its finest. I had to copy all the rules from /etc/snort rules to /etc/snort/ and I am fine. Blah...
 
Old 01-11-2006, 04:04 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Well, if you want to, else at the top of snort.conf just define:
var SNORT_RULES /etc/snort/rules
var SNORT_DIR /etc/snort
(etc, etc)
preprocessor http_inspect: global iis_unicode_map $SNORT_DIR/unicode.map 1252
(etc, etc)
# and for the rules:
include $SNORT_RULES/sco_doesnt.rules
(etc, etc)
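
The startup errors in this thread all come from paths in snort.conf that Snort cannot open. The following is an added example, not part of any post above: a pre-flight check that resolves `var` definitions and tests each referenced file. The names `find_path_problems` and `expand` are hypothetical, and it is an assumption that the snort.stats path comes from a `preprocessor perfmonitor` line.

```python
import os
import re

VAR_RE = re.compile(r"^var\s+(\S+)\s+(\S+)")
# Directives seen in this thread that name a file Snort opens at startup:
# (label, pattern capturing the path, access Snort needs).
PATH_RES = [
    ("include", re.compile(r"^include\s+(\S+)"), "read"),
    ("unicode map", re.compile(r"\biis_unicode_map\s+(\S+)"), "read"),
    ("perfmonitor log",
     re.compile(r"^preprocessor\s+perfmonitor:.*\bfile\s+(\S+)"), "write"),
]

def expand(value, variables):
    """Substitute $NAME references using vars defined earlier in the file."""
    return re.sub(r"\$(\w+)",
                  lambda m: variables.get(m.group(1), m.group(0)), value)

def find_path_problems(conf_text):
    """Return (directive, path, problem) for each file that cannot be opened."""
    variables, problems = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        for label, rx, mode in PATH_RES:
            m = rx.search(line)
            if not m:
                continue
            path = expand(m.group(1), variables)
            if mode == "read" and not os.access(path, os.R_OK):
                problems.append((label, path, "missing or unreadable"))
            elif mode == "write":
                # A log file may not exist yet; then its directory must be writable.
                target = path if os.path.exists(path) else (os.path.dirname(path) or ".")
                if not os.access(target, os.W_OK):
                    problems.append((label, path, "not writable by this user"))
    return problems

# Constructed sample config using the paths quoted in the thread.
SAMPLE_CONF = """\
var SNORT_DIR /etc/snort
var SNORT_RULES $SNORT_DIR/rules
preprocessor http_inspect: global iis_unicode_map $SNORT_DIR/unicode.map 1252
preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
include $SNORT_RULES/sco_doesnt.rules
"""

if __name__ == "__main__":
    for directive, path, problem in find_path_problems(SAMPLE_CONF):
        print(f"{directive}: {path}: {problem}")
```

Run it as the account Snort runs under, since the access checks apply to the calling user; relative paths are tested against the current directory.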