Re: [Snort-users] Unable to run Snort in IPS mode

From: Sharma, Ashish <ashish.sharma3_at_nospam>
Date: Mon Feb 22 2010 - 13:37:52 GMT
To: rmkml <rmkml@free.fr>

Rmkml,

Please find attached my 'local.rules' file.

Thanks
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml@free.fr]
Sent: Monday, February 22, 2010 6:49 PM
To: Sharma, Ashish
Cc: rmkml@free.fr
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

ok thx you Sharma,
could you send local.rules please?
Regards
Rmkml

On Mon, 22 Feb 2010, Sharma, Ashish wrote:

> Rmkml,
>
> First of all thanks for helping.
>
> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>
> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
>
> For your reference my 'Snort.conf' is attached.
>
> Thanks for helping again.
>
> Ashish Sharma
>
> -----Original Message-----
> From: rmkml [mailto:rmkml@free.fr]
> Sent: Monday, February 22, 2010 5:15 PM
> To: Sharma, Ashish
> Cc: rmkml@free.fr
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> Hi Sharma,
> you start snort with cmd line:
> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> please remove space like ... -c /etc/snort/snort.conf ...
> on your snort.conf, what is RULE_PATH variable contains please? or send
> snort.conf...
> Regards
> Rmkml
>
>
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>
>> Hi,
>>
>> I have a fedora core 10 virtual machine running on a sun virtual box.
>>
>> I am trying to run Snort on this machine in IPS mode.
>>
>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>
>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>> 2. Extracted the binaries.
>> 3. did './configure --enable-inline'
>> 4. did 'make'
>> 5. did 'make install'
>> 6. copied snort rules and snort conf at appropriate location.
>> 7. executed the following command :
>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>> 8. Snort launches with the traces :
>>
>> Enabling inline operation
>> Running in IDS mode
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> ..................................
>>
>> Initializing rule chains...
>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>> Fatal Error, Quitting..
>>
>> 8. As you can see I have a test rule in local.rule that have a 'reject' rule in it but snort is not accepting it, same is the case for 'sdrop' rule also.
>>
>> 9. What is the problem , please help!!!!!
>>
>> What should I do in all to let my Snort run in IPS mode
>>
>> Thanks in advance
>>
>> Ashish Sharma
>>
>

Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message: [ Message body ]
Next message: Willst Mail: "[Snort-users] Unusual Snort performance stats"
Previous message: Matt Watchinski: "Re: [Snort-users] Unusual Snort performance stats"
Maybe in reply to: Sharma, Ashish: "[Snort-users] Unable to run Snort in IPS mode"
Next in thread: Nigel Houghton: "Re: [Snort-users] Unable to run Snort in IPS mode"
Reply: Nigel Houghton: "Re: [Snort-users] Unable to run Snort in IPS mode"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]