[Snort-sigs] Up and Running
jesler at ...435...
Tue Sep 11 13:37:54 EDT 2012
On Sep 11, 2012, at 1:20 PM, PR <oly562 at ...2420...> wrote:
> Alrighty, I removed the # in front of $RULES; also, I mv'd so_rules and preproc_rules into /etc/snort and configured snort.conf to see them.
> here's the stdout:
> Notice the whitelist complaining and..
> Complaints below:
> 1. Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
> 2. WARNING: flowbits key 'file.fli' is set but not ever checked. and 20 more like this...
Are you using PulledPork?
> 3. WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
This is an option in PulledPork. It will place dynamic rules in the correct directory.
> 4. WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
If you aren't inline, this is correct.
> 5. wondering about these few entries as well:
> 0 decoder rules
> 0 preprocessor rules
If you aren't using preprocessor or decoder rules, that's correct. These are commented out in the snort.conf by default.
> pcap DAQ configured to passive.
That's not a warning, that's informational.
> If you can see anything wrong, please let me know; I feel I'm getting close... lol
> Thanks, Pete
I don't show any stoppers.
> Commencing packet processing (pid=2828)
This means that Snort is running.
> 2nd STDOUT: for barnyard2 command:
> root at ...3731...:/var/lib/mysql/snort# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &
There is a command line option for barnyard2 to daemonize it. You don't need to have "&" there.
Senior Research Engineer, VRT
OpenSource Community Manager
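As an added example (not code from the original thread, from the Snort project or from Joel), here is a small POSIX shell script that triages Snort startup output the way the reply above does: it counts the benign WARNING categories (reputation lists missing, flowbits set but never checked, empty snort_dynamicrules directory, normalizations disabled in passive mode), flags anything that looks like a real stopper, and returns success only if Snort reached "Commencing packet processing". The two sample outputs are constructed for this example, and the "ERROR:" / "Fatal Error" line format used to recognise a failed start is an assumption about what Snort 2.9 prints. It also shows the barnyard2 command line from the thread with the daemon option instead of a trailing "&".

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Snort project.
# triage_snort_output reads Snort's startup output on stdin, counts the
# WARNING lines discussed in the thread by category, reports any line that
# looks like a fatal configuration error, and returns 0 only if Snort
# reached "Commencing packet processing".
#
# Assumption: the "ERROR:" / "Fatal Error" prefixes below are what Snort 2.9
# prints when it refuses to start. The sample outputs further down are
# constructed to resemble the warnings quoted in the thread.

triage_snort_output() {
    rep=0 flowbits=0 dynrules=0 norm=0 otherwarn=0 errors=0 started=no
    while IFS= read -r line; do
        case "$line" in
            "WARNING: Can't find any whitelist/blacklist entries"*)
                rep=$((rep + 1)) ;;            # reputation preprocessor has no lists yet
            "WARNING: flowbits key "*" is set but not ever checked"*)
                flowbits=$((flowbits + 1)) ;;  # a rule sets a flowbit no other rule tests
            "WARNING: No dynamic libraries found in directory "*)
                dynrules=$((dynrules + 1)) ;;  # SO rules not placed yet (PulledPork can do it)
            "WARNING: "*" normalizations disabled because not inline"*)
                norm=$((norm + 1)) ;;          # expected when running passive, not inline
            "WARNING: "*)
                otherwarn=$((otherwarn + 1))
                echo "unclassified warning: $line" ;;
            "ERROR: "*|"Fatal Error"*)
                errors=$((errors + 1))
                echo "stopper: $line" ;;
            "Commencing packet processing"*)
                started=yes ;;                 # Snort is running
        esac
    done
    echo "summary: reputation=$rep flowbits=$flowbits dynrules=$dynrules normalize=$norm other_warnings=$otherwarn errors=$errors started=$started"
    [ "$started" = yes ] && [ "$errors" -eq 0 ]
}

# Constructed sample resembling the run quoted in the thread (it started).
# The second flowbits name is made up to stand in for the "20 more like this".
SNORT_OUT_OK=$(cat <<'EOF'
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
WARNING: flowbits key 'file.fli' is set but not ever checked.
WARNING: flowbits key 'file.example' is set but not ever checked.
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
pcap DAQ configured to passive.
Commencing packet processing (pid=2828)
EOF
)

# Constructed sample of a run that does not start (assumed error format).
SNORT_OUT_FAIL=$(cat <<'EOF'
WARNING: ip4 normalizations disabled because not inline.
ERROR: /etc/snort/snort.conf(1) Unable to open rules file "/etc/snort/rules/local.rules": No such file or directory.
Fatal Error, Quitting..
EOF
)

# Demo: the thread's run has only benign warnings and did start.
printf '%s\n' "$SNORT_OUT_OK" | triage_snort_output || echo "Snort did not start"

# Once Snort is up, barnyard2 can daemonize itself with -D rather than being
# backgrounded with "&" (the remaining options are the ones from the thread):
#   barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log \
#     -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map \
#     -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
```

Run it as `snort -c /etc/snort/snort.conf 2>&1 | sh triage.sh`-style, or source the function and feed it saved output; the exit status is what a wrapper script would check before starting barnyard2.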